Service Principal Names
Kerberos authentication requires Service Principal Names (SPN) to be registered in Active Directory, which uniquely identify each service involved in authentication. SPN may be automatically registered by SQL Server or IIS on service startup.
- SQL Server auto-registers its SPN if the service runs as Local System or Network Service. Local Service and domain accounts (without domain privileges) do not have permission to add an SPN. An Information event is written to the Application Event Log when the SPN is registered.
- IIS 7 auto-registers SPN regardless of the Application Pool Identity if Kernel-mode authentication is enabled.
- It is important that there are no duplicate SPNs registered for the same service as this can cause authentication to fail.
- The Windows Server setspn.exe -L command can be used to list the SPNs associated with a computer or user account. SPNs automatically registered by SQL Server use the service name MSSQLSvc.
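The following PowerShell script is an added example, not part of the original page: it lists the SPNs held by a SQL Server service account (the same data as setspn.exe -L), scans Active Directory for MSSQLSvc SPNs that are registered on more than one account (the duplicate condition described above), and checks the Application log for the registration event SQL Server writes on startup. The account name is a placeholder; the script assumes a domain-joined host with setspn.exe available and read access to the directory.

```powershell
# Added example (not from the original page): audit MSSQLSvc SPNs for a
# SQL Server service account and flag duplicates anywhere in the domain.
# Assumptions: domain-joined host, setspn.exe on the path, read access to AD.
param(
    [string]$Account = 'CONTOSO\svc-sql'   # placeholder: the SQL service account or HOSTNAME$
)

# 1. SPNs registered on the account itself (equivalent to `setspn -L`).
Write-Host "SPNs registered for ${Account}:"
setspn -L $Account

# 2. Enumerate every MSSQLSvc SPN in the domain through ADSI and record
#    which accounts hold each one. The same SPN on two accounts breaks
#    Kerberos for that service, which clients usually see as the
#    'NT AUTHORITY\ANONYMOUS LOGON' login failure.
$searcher = [adsisearcher]'(servicePrincipalName=MSSQLSvc/*)'
$searcher.PageSize = 1000
$null = $searcher.PropertiesToLoad.Add('servicePrincipalName')
$null = $searcher.PropertiesToLoad.Add('sAMAccountName')

$holders = @{}   # SPN string -> list of sAMAccountNames holding it
foreach ($result in $searcher.FindAll()) {
    $sam = [string]$result.Properties['samaccountname'][0]
    foreach ($spn in $result.Properties['serviceprincipalname']) {
        if ($spn -like 'MSSQLSvc/*') {
            if (-not $holders.ContainsKey($spn)) { $holders[$spn] = @() }
            $holders[$spn] += $sam
        }
    }
}

$duplicates = $holders.GetEnumerator() | Where-Object { $_.Value.Count -gt 1 }
if ($duplicates) {
    Write-Warning 'Duplicate MSSQLSvc SPNs found; Kerberos will fail for these until only one account holds each:'
    $duplicates | ForEach-Object { '  {0} -> {1}' -f $_.Key, ($_.Value -join ', ') }
} else {
    Write-Host 'No duplicate MSSQLSvc SPNs found.'
}

# 3. Confirm SQL Server registered its SPN at its last start-up: the
#    Application log carries an Information event from the SQL provider
#    that mentions the Service Principal Name. Run this on the SQL host.
Get-WinEvent -LogName Application -MaxEvents 2000 -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -like 'MSSQL*' -and $_.Message -like '*Service Principal Name*' } |
    Select-Object TimeCreated, Id, Message -First 5
```

The duplicate check is the same condition setspn.exe -X reports domain-wide; doing it in script makes it easy to restrict to the MSSQLSvc prefix and to map each colliding SPN to the accounts that hold it. If the event search returns nothing on the SQL host, the service account is most likely one that lacks permission to write its own SPN (Local Service or an unprivileged domain account), and the SPN has to be registered by an administrator with setspn.exe.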
Possible Errors and Their Causes
- Error: The requested service could not be activated
  - Open the service URL in Internet Explorer on the server to get a more descriptive error.
- Error: Security settings for this service require Windows Authentication but it is not enabled for the IIS application that hosts this service.
  - Windows Authentication is not enabled for the Web Site in IIS.
- Error: Login failed for user '<DOMAIN>\<HOSTNAME>$'.
  - The Application Pool uses the default ApplicationPoolIdentity account, which does not have permission to log in to the database.
  - Either grant the machine account permissions in the database or change the Application Pool to run as a domain account.
- Error: Login failed for user '<SERVICEACCOUNT>'.
  - The service account must be granted permissions in the database.
- Error: Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.
  - The server is not configured properly for Kerberos authentication. Check the SPN configuration and the delegation permissions in Active Directory.
- Error: Windows Authentication requires identity delegation
  - The web service is being called without impersonation enabled or without permission to delegate the identity. Check the client configuration.
- Error: 'Transport authentication failed' in the Windows Application Log.
  - Enable NTLM in your client code. This setting has been deprecated and is only suggested as a troubleshooting mechanism.
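As an added example (not part of the original page), the PowerShell below reads the IIS settings that sit behind the first errors in the list above: whether Windows Authentication is enabled for the site, whether kernel-mode authentication is on (which lets IIS 7 register the SPN regardless of the pool identity), and which account the application pool runs as, so you know whether the machine account or a domain service account is the one that needs a SQL Server login. It assumes the WebAdministration module that ships with IIS 7 and later, an elevated prompt on the web server, and that the logged-on user's domain is the computer's domain; the site name is a placeholder.

```powershell
# Added example (not from the original page): inspect the IIS settings behind
# the 'Windows Authentication ... not enabled' and 'Login failed for user
# DOMAIN\HOSTNAME$' errors. Assumes the WebAdministration module (IIS 7+)
# and an elevated session on the web server.
param(
    [string]$SiteName = 'Default Web Site'   # placeholder: the site hosting the service
)
Import-Module WebAdministration

$sitePath   = "IIS:\Sites\$SiteName"
$authFilter = 'system.webServer/security/authentication/windowsAuthentication'

# Windows Authentication must be enabled for the site (or application).
$winAuth    = (Get-WebConfigurationProperty -PSPath $sitePath -Filter $authFilter -Name 'enabled').Value
# With kernel-mode authentication on, IIS 7 handles Kerberos under the
# machine account, so the HTTP SPN is registered whatever the pool identity.
$kernelMode = (Get-WebConfigurationProperty -PSPath $sitePath -Filter $authFilter -Name 'useKernelMode').Value

# The pool identity decides which account reaches SQL Server over the network:
# built-in identities other than Local Service present the machine account.
$poolName     = (Get-Item $sitePath).applicationPool
$pool         = Get-Item "IIS:\AppPools\$poolName"
$identityType = [string]$pool.processModel.identityType
$machineAccount = "$env:USERDOMAIN\$env:COMPUTERNAME`$"   # assumes user domain == computer domain

$dbLogin = switch ($identityType) {
    'ApplicationPoolIdentity' { $machineAccount }
    'NetworkService'          { $machineAccount }
    'LocalSystem'             { $machineAccount }
    'SpecificUser'            { $pool.processModel.userName }
    'LocalService'            { '<none: Local Service is anonymous on the network>' }
    default                   { "<unknown identity type: $identityType>" }
}

[pscustomobject]@{
    Site               = $SiteName
    WindowsAuthEnabled = [bool]$winAuth
    KernelModeAuth     = [bool]$kernelMode
    ApplicationPool    = $poolName
    IdentityType       = $identityType
    SqlLoginToGrant    = $dbLogin
}

if (-not $winAuth) {
    Write-Warning "Windows Authentication is off for '$SiteName'. Enable it with:"
    Write-Warning "  Set-WebConfigurationProperty -PSPath '$sitePath' -Filter '$authFilter' -Name enabled -Value True"
}
```

The SqlLoginToGrant value is the login name that appears in the "Login failed for user" message and the one to grant in the database; if it is the machine account and you would rather not give a whole host database access, the second remedy from the list applies: switch the pool to a dedicated domain account (SpecificUser) and grant that account instead.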