How to troubleshoot SPN and SQL Server Windows return code: 0x2098, state: 15

09 September, 2019 by Jack Vamvas

Question: I see this error in the SQL Server Error Logs. How can I troubleshoot this issue?

The SQL Server Network Interface library could not register the Service Principal Name (SPN) [ MSSQLSvc/myserver.net:50234 ] for the SQL Server service. Windows return code: 0x2098, state: 15.

The startup account for SQL Server is a dedicated startup account.

Answer: As a starting point, let's look at what MSDN has to say:

"To use Kerberos authentication with SQL Server requires both the following conditions to be true:

  • The client and server computers must be part of the same Windows domain, or in trusted domains.

  • A Service Principal Name (SPN) must be registered with Active Directory, which assumes the role of the Key Distribution Center in a Windows domain. The SPN, after it is registered, maps to the Windows account that started the SQL Server instance service. If the SPN registration has not been performed or fails, the Windows security layer cannot determine the account associated with the SPN, and Kerberos authentication will not be used."

You can check whether Kerberos is being used for your current connection by running this query:

SELECT auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@SPID;

What's confusing at this point is that you may be seeing the Windows return code: 0x2098, state: 15 error, but at the same time you can see that the auth_scheme column is returning KERBEROS. How is that happening if you're getting error messages in the SQL Server log?

A quick fix is to validate the "write to service principal name" permission for the SQL Server startup account, using the Active Directory Users and Computers snap-in.

If you use Local System, would you see this error? Yes, you can still get this error. It doesn't mean the SPN is not registered.
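One way to confirm that, as an added example (not from the original post): the PowerShell below looks up which Active Directory account holds the SPN from the error message and compares it with the service's startup account. The service name MSSQLSERVER and the variable names are assumptions; the SPN is the sample value from the error above.

```powershell
# Added example: compare the SPN from the error log with what Active Directory holds.
# Assumptions: sample parameter values; run on a domain-joined host as a domain user.
param(
    [string]$Spn         = 'MSSQLSvc/myserver.net:50234',  # SPN copied from the error log line
    [string]$ServiceName = 'MSSQLSERVER'                   # assumed: default instance service name
)

# Account the SQL Server service starts under (e.g. MYDOMAIN\myAccount or LocalSystem).
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found on this machine." }
$startName = $svc.StartName

# Built-in and virtual accounts act on the network as the computer account (HOST$),
# so that is where their SPNs are registered.
if ($startName -match '^(LocalSystem|NT AUTHORITY\\|NT SERVICE\\)') {
    $expected = $env:COMPUTERNAME + '$'
} elseif ($startName -match '@') {
    $expected = $startName.Split('@')[0]   # UPN form; the prefix may differ from sAMAccountName
} else {
    $expected = $startName.Split('\')[-1]  # DOMAIN\account form
}

# Find every account in the current domain that carries this SPN.
# Note: this searches one domain only; SPNs must be unique across the forest.
$searcher = [adsisearcher]"(servicePrincipalName=$Spn)"
[void]$searcher.PropertiesToLoad.Add('samaccountname')
$owners = @($searcher.FindAll() | ForEach-Object { [string]$_.Properties['samaccountname'][0] })

switch ($owners.Count) {
    0 { "SPN $Spn is not registered in this domain." }
    1 {
        if ($owners[0] -ieq $expected) {
            "SPN $Spn is registered to $($owners[0]), matching the startup account. " +
            "The log error means the service could not register it itself, not that it is missing."
        } else {
            "SPN $Spn is registered to $($owners[0]), but the service runs as $startName."
        }
    }
    default { "Duplicate SPN: $Spn is held by $($owners -join ', ')." }
}
```

A single owner that matches the startup account is consistent with seeing KERBEROS in auth_scheme while the registration error still appears at every service start.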

A handy tool is the Microsoft® Kerberos Configuration Manager for SQL Server®. By default, Kerberos Configuration Manager uses WMI to gather information, review it, and offer options for generating SPN fix scripts. For example, on a test server, this is a fix script it generated, which requires Windows Domain Administrator permissions to execute:

SetSPN -s "MSSQLSvc/myserver.mydomain.net:INST1" "myDomain\myAccount"

Solving Kerberos-related issues can be tricky and time-consuming. One example is Kerberos and KRB_AP_ERR_MODIFIED. I'd be interested to hear some of your tips and techniques on solving Kerberos, SPN & SQL Server issues.


Author: Jack Vamvas (http://www.sqlserver-dba.com)

