Error 0x2098 State 15 Sql Server
The SQL Network Interface library was unable to register SPN
Michel, November 8, 2009

Problem

In the SQL Server error log you get the following message:

The SQL Network Interface library could not register the Service Principal Name (SPN) for the SQL Server service. Error: 0x2098, state: 15. Failure to register an SPN may cause integrated authentication to fall back to NTLM instead of Kerberos. This is an informational message. Further action is only required if Kerberos authentication is required by authentication policies.

To understand the error, you can translate the error code 0x2098 into a more readable form.

- You can use the Error Code Lookup tool: http://www.microsoft.com/downloads/details.aspx?familyid=be596899-7bb8-4208-b7fc-09e02a13696c&displaylang=en
  Then run the command err.exe 2098:

  # for hex 0x2098 / decimal 8344 :
  ERROR_DS_INSUFF_ACCESS_RIGHTS winerror.h
  # Insufficient access rights to perform the operation.
  # 1 matches found for "2098"

- Or go directly to the error codes at: http://msdn.microsoft.com/en-us/library/ms681390(VS.85).aspx
  ERROR_DS_INSUFF_ACCESS_RIGHTS 8344 (0x2098) Insufficient access rights to perform the operation.

This error message indicates that the SQL Server service account does not have sufficient rights to register the SPN.

Cause

SPNs are used by the Kerberos authentication protocol. If the account of the process is known, Kerberos authentication can be used to provide mutual authentication of the client and the server. If the account of the process is not known, NTLM authentication is used, which provides only authentication of the client by the server.

If you run SQL Server under the LocalSystem account, the SPN is registered automatically, because SQL Server registers it with the machine account, which has the right to create an SPN by default. So Kerberos interacts successfully with the server running SQL Server.

However, if you run SQL Server under a domain account or a local account, the attempt to create the SPN may fail. When creating the service principal name fails, no SPN is set for the service that is running SQL Server.

Solution

Therefore, you must implemen
Source: https://blogs.technet.microsoft.com/mdegre/2009/11/08/the-sql-network-interface-library-was-unable-to-register-spn/

SPN permission issue
Source: http://dba.stackexchange.com/questions/68358/spn-permission-issue

I am trying to figure out what permissions would still be missing if the SPN is created manually for the SQL Service account and I am seeing this error message:

The SQL Server Network Interface library could not register the Service Principal Name (SPN) for the SQL Server service. Error: 0x2098, state: 15. Failure to register an SPN may cause integrated authentication to fall back to NTLM instead of Kerberos. This is an informational message. Further action is only required if Kerberos authentication is required by authentication policies.

Tags: sql-server
asked Jun 16 '14 at 22:50 by Vegda, edited Jun 17 '14 at 4:33 by Max Vernon

Comments:

Have you seen mssqltips.com/sqlservertip/2955/… ? –Max Vernon Jun 17 '14 at 4:35

In my experience it is well worth taking the time to configure the SQL Server Service Account with the necessary permissions that allow SQL Server to manage the SPNs itself. –Max Vernon Jun 17 '14 at 4:37

Also, see dba.stackexchange.com/questions/30121/… –Max Vernon Jun 17 '14 at 4:37

Max, you should post that as an answer. –Greenstone Walker Jun 17 '14 at 5:15

Yes, I have looked at those posts and have created SPNs manually successfully. That's why I am kind of wondering, if the SPNs are present without any duplicates, why would I get this warning message in the SQL error log. Also, when I run this statement "select auth_scheme from sys.dm_exec_connections where session_id = @@spid" I get NTLM when executed locally on the server and Kerberos when executed remotely. –Vegda Jun 17 '14 at 17:37
Verify and Register SPN for SQL Server Authentication with Kerberos Connections
Source: http://www.mytechmantra.com/LearnSQLServer/Verify-and-Register-SPN-for-SQL-Server-Authentication-with-Kerberos-Connections/

2010

Introduction

This article explains how to verify and register Service Principal Names (SPN) for SQL Server Authentication with Kerberos Connections. Kerberos authentication is a widely accepted network authentication protocol. It is used to provide a highly secure method to authenticate Windows users.

What is an SPN?

MSDN describes Service Principal Name (SPN) as:

"SPN is the name by which a client uniquely identifies an instance of a service. If you install multiple instances of a service on computers throughout a forest, each instance must have its own SPN. For example, an SPN always includes the name of the host computer on which the service instance is running, so a service instance might register an SPN for each name or alias of its host. Before the Kerberos authentication service can use an SPN to authenticate a service, the SPN must be registered on the account object that the service instance uses to log on. When a client wants to connect to a service, it locates an instance of the service, composes an SPN for that instance, connects to the service, and presents the SPN for the service to authenticate."

Source MSDN Article: Service Principal Names

It is always recommended to run SQL Server Services under a Domain User Account which has minimal permissions. If you are looking for different ways to secure SQL Server within your environment, read the "SQL Server Security Best Practices" article.

TSQL Query to verify SQL Server/Windows Authentication scheme used by SQL Server Connection

Execute the below TSQL Query to verify authentication used by SQL Server Connections.
USE master
GO
SELECT auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@SPID;
GO

Expected Results

SQL - When SQL Server authentication is used
NTLM - When NTLM authentication is used
KERBEROS - When KERBEROS authentication is used

Prerequisites when configuring SQL Server