Question: I received a login error message when trying to log on to a SQL Server – from outside of the server. Looking at the SQL Server error logs, the following message appears, which occurred when the SQL Server started.
“The SQL Network Interface library could not register the Service Principal Name (SPN) for the SQL Server service. Error: 0x202b, state: 15. Failure to register an SPN may cause integrated authentication to fall back to NTLM instead of Kerberos. This is an informational message. Further action is only required if Kerberos authentication is required by authentication policies.”
If I log on to the server, I can connect to the SQL Server instance, but if I attempt to log on from outside of the server the problem persists. The SQL Server service is running under a domain account.
How can I fix it?
Answer: The quick workaround is to start the SQL Server service under the Local System account. Only use this method as a temporary measure.
If you start SQL Server with the Local System account, the Service Principal Name (SPN) is registered automatically, because the SQL Server service then uses the machine account, which has the right to create an SPN. Kerberos authentication can then be used for connections to the server.
The problem outlined in the question indicates that SQL Server is running under a domain account and the attempt to create the SPN is failing. Therefore no SPN is created for the SQL Server service.
When SQL Server starts, it tries to register the SPN. If the startup account doesn't have permission to register the SPN in Active Directory Domain Services, the attempt fails.
For detailed information about how to Register a Service Principal name for Kerberos Connections
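
To see which SPNs are missing for the service account and what to register, the check below looks up each expected SPN in Active Directory and reports the account that holds it. It is an added example, not part of the original answer; the account name, host name and port are placeholder assumptions, and it covers a default instance only.

```powershell
# Added example. The three values below are placeholders (assumptions): replace them.
$ServiceAccount = 'CONTOSO\svc-sql'        # account the SQL Server service runs under
$HostFqdn       = 'sql01.contoso.example'  # fully qualified name of the SQL Server host
$Port           = 1433                     # TCP port of the default instance

# SPNs a default instance is expected to have: the TCP form and the port-less form.
$expected = "MSSQLSvc/${HostFqdn}:$Port", "MSSQLSvc/$HostFqdn"
$samName  = $ServiceAccount.Split('\')[-1]

foreach ($spn in $expected) {
    # Search the directory for every object that already holds this SPN.
    $searcher = [adsisearcher]"(servicePrincipalName=$spn)"
    $owners   = @($searcher.FindAll() |
                  ForEach-Object { $_.Properties['samaccountname'][0] })

    if ($owners.Count -eq 0) {
        # Matches the startup message: nothing was registered for the service.
        Write-Output "MISSING   $spn"
        Write-Output "          register with: setspn -S $spn $ServiceAccount"
    }
    elseif ($owners.Count -eq 1 -and $owners[0] -eq $samName) {
        Write-Output "OK        $spn -> $($owners[0])"
    }
    else {
        # Held by a different account, or by more than one account.
        # Kerberos needs the SPN to map to exactly the service account.
        Write-Output "CONFLICT  $spn held by: $($owners -join ', ')"
        Write-Output "          remove the wrong entry with: setspn -D $spn <account>"
    }
}
```

Running `setspn -S` requires an account allowed to write the servicePrincipalName attribute of the service account. Once the SPN is in place, `SELECT auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@SPID;` run from a remote client returns KERBEROS instead of NTLM.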