docs/database-engine/configure-windows/register-a-service-principal-name-for-kerberos-connections.md
6 additions & 5 deletions
@@ -3,7 +3,8 @@ title: Register a Service Principal Name for Kerberos Connections
3
3
description: "Find out how to register a Service Principal Name (SPN) with Active Directory. This registration is required for using Kerberos authentication with SQL Server."
4
4
author: rwestMSFT
5
5
ms.author: randolphwest
6
-
ms.date: 08/26/2025
6
+
ms.date: 01/22/2026
7
+
ai-usage: ai-assisted
7
8
ms.service: sql
8
9
ms.subservice: configuration
9
10
ms.topic: how-to
@@ -100,9 +101,9 @@ For a TCP/IP connection, where the TCP port is included in the SPN, [!INCLUDE [s
100
101
101
102
When an instance of the [!INCLUDE [ssDEnoversion](../../includes/ssdenoversion-md.md)] starts, [!INCLUDE [ssnoversion-md](../../includes/ssnoversion-md.md)] tries to register the SPN for the [!INCLUDE [ssnoversion-md](../../includes/ssnoversion-md.md)] service. When the instance is stopped, [!INCLUDE [ssnoversion-md](../../includes/ssnoversion-md.md)] tries to unregister the SPN. For a TCP/IP connection, the SPN is registered in the format `MSSQLSvc/<FQDN>:<tcpport>`. Both named instances and the default instance are registered as `MSSQLSvc`, relying on the `<tcpport>` value to differentiate the instances.
102
103
103
-
For other connections that support Kerberos the SPN is registered in the format `MSSQLSvc/<FQDN>:<instancename>` for a named instance. The format for registering the default instance is `MSSQLSvc/<FQDN>`.
104
+
For other connections that support Kerberos, the SPN is registered in the format `MSSQLSvc/<FQDN>:<instancename>` for a named instance. The format for registering the default instance is `MSSQLSvc/<FQDN>`.
104
105
105
-
To give permissions to the [!INCLUDE [ssnoversion-md](../../includes/ssnoversion-md.md)] startup account, to register and modify the SPN, perform the following steps:
106
+
To give permissions to the [!INCLUDE [ssnoversion-md](../../includes/ssnoversion-md.md)] startup account to register and modify the SPN, perform the following steps:
106
107
107
108
1. On the Domain Controller machine, navigate to **Active Directory Users and Computers**.
108
109
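Review bot: "other connections that support Kerberos" in the reworded SPN-format sentence is still undefined, and the value after the colon now means a TCP port in the preceding paragraph and an instance name here. Since the sentence is being edited anyway, name the protocols it covers and state that the suffix is an instance name in this form, so that someone auditing servicePrincipalName values can tell `MSSQLSvc/<FQDN>:<tcpport>` and `MSSQLSvc/<FQDN>:<instancename>` apart. The permissions lead-in ("to register and modify the SPN") would also read better if it said which object the permission is granted on before step 1.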
@@ -118,7 +119,7 @@ To give permissions to the [!INCLUDE [ssnoversion-md](../../includes/ssnoversion
118
119
119
120
1. Under Permissions select **Validated Write servicePrincipalName**.
120
121
121
-
1. Scroll down and under **Properties** select:
122
+
1. Scroll down and under **Properties**, select:
122
123
123
124
-**Read servicePrincipalName**
124
125
-**Write servicePrincipalName**
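Review bot: The step reworded here ("under **Properties**, select:") grants **Write servicePrincipalName** in addition to the **Validated Write servicePrincipalName** permission selected in the step before it, and the text gives no reason for granting both. The plain property write is the broader of the two grants, so this is a good place to add one sentence explaining why it is needed and which principal and object the entry applies to, rather than only fixing the comma.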
@@ -200,7 +201,7 @@ The following table describes the authentication defaults that are used, based o
200
201
201
202
## Remarks
202
203
203
-
The Dedicated Administrator Connection (DAC) uses an instance name-based SPN. Kerberos authentication can be used with a DAC if that SPN is registered successfully. As an alternative a user can specify the account name as an SPN.
204
+
The Dedicated Administrator Connection (DAC) uses an instance name-based SPN. Kerberos authentication can be used with a DAC if that SPN is registered successfully. As an alternative, you can specify the account name as an SPN.
204
205
205
206
If SPN registration fails during startup, this failure is recorded in the [!INCLUDE [ssnoversion-md](../../includes/ssnoversion-md.md)] error log, and startup continues.
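Review bot: "As an alternative, you can specify the account name as an SPN" stays ambiguous after the rewording in the Remarks paragraph: it does not say where the value is specified or which account is meant. Suggest naming both. The unchanged last sentence says startup continues when SPN registration fails but not what that means for authentication on new connections; a cross-reference to the authentication defaults table mentioned in the hunk header would close that gap.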