Error: 0x202b State 15 The SQL Network Interface library could not register the Service Principal Name for the SQL Server service

16 September,2013 by Jack Vamvas

Question : I received a login error message when trying to logon to a SQL Server – from outside of the server.  Looking at the SQL Server Error logs , the following message appears , which occurred when the SQL Server started.

 “The SQL Network Interface library could not register the Service Principal Name (SPN) for the SQL Server service. Error: 0x202b, state: 15. Failure to register an SPN may cause integrated authentication to fall back to NTLM instead of Kerberos. This is an informational message. Further action is only required if Kerberos authentication is required by authentication policies.”

If I log on to the server – I can connect to the SQL Server Instance , but if I attempt to logon from outside of the server the problem persists.  The SQL Server service account is running under a domain account.

How can I fix it?

Answer: The quick workaround is to start the SQL Server service under the Local System Account . Only use this method as a temporary measure.

If you start SQL Server with the Local System account , the Service Principal Name (SPN) is registered automatically because SQL Server service using the machine account  has the right to create an SPN. Kerberos can then communicate with the server

The problem outlined from the question indicates  the SQL Server is running under a domain account and the SPN create attempt is failing. Therefore no SPN is created for the SQL Server service.

When the SQL Server starts , it tries to register the SPN. If the start up account doesn’t have permissions to register the SPN in the Active Directory Domain Services, the attempt fails.

For detailed information about how to Register a Service Principal name for Kerberos Connections

 Read More on sql server security

Event ID 40960 Cannot generate SSPI context - SQL Server DBA

SQL Server Security Policy - SQL Server DBA

 


Author: Jack Vamvas (http://www.sqlserver-dba.com)


Share:

Verify your Comment

Previewing your Comment

This is only a preview. Your comment has not yet been posted.

Working...
Your comment could not be posted. Error type:
Your comment has been posted. Post another comment

The letters and numbers you entered did not match the image. Please try again.

As a final step before posting your comment, enter the letters and numbers you see in the image below. This prevents automated programs from posting comments.

Having trouble reading this image? View an alternate.

Working...

Post a comment on Error: 0x202b State 15 The SQL Network Interface library could not register the Service Principal Name for the SQL Server service


sqlserver-dba.com | SQL Server Performance Tuning | SQL Server DBA:Everything | FAQ | Contact|Copyright & Disclaimer