When configuring SQL Server for Kerberos authentication, many administrators encounter a critical permission gap: the service account running SQL Server needs to register Service Principal Names (SPNs) automatically during startup, but standard documentation rarely specifies the exact permissions required.
Through extensive testing in enterprise environments, we've identified these minimum permissions needed for SPN management:
// ADSI Edit equivalent permissions
- Read servicePrincipalName
- Write servicePrincipalName
- Validated write to servicePrincipalNameOption 1: Delegated control via AD Users and Computers
1. Right-click the OU containing SQL service accounts
2. Delegate Control → Custom task → Create/Delete SPNs
3. Select "Create selected objects" and "Delete selected objects"Option 2: PowerShell delegation
# Grant SPN management rights to SQL service account
$account = "DOMAIN\sqlservice"
$ou = "OU=SQLServices,DC=domain,DC=com"
$rights = "ReadProperty,WriteProperty,ValidatedWrite"
Set-ADObject -Identity $ou -Add @{
"ntSecurityDescriptor" = (New-Object System.DirectoryServices.ActiveDirectorySecurity).SetSecurityDescriptorSddlForm(
"O:BAG:DUD:AI(A;CI;RPWP;;;$((Get-ADUser $account).SID))"
)
}When permissions appear correct but SPN registration fails:
- Verify account has "Log on as a service" right
- Check for duplicate SPNs with:
setspn -X - Test manual registration:
setspn -A MSSQLSvc/server.domain.com:1433 domain\sqlservice
For production environments, consider:
- Creating dedicated "SQL SPN Management" security groups
- Implementing just-in-time SPN modification workflows
- Monitoring SPN changes via AD audit policies
When SQL Server starts up with a domain service account, it attempts to register Service Principal Names (SPNs) automatically. This process is crucial for Kerberos authentication to work properly. The account needs specific permissions in Active Directory to perform this operation successfully.
The service account needs the following minimum permissions in Active Directory:
- Write servicePrincipalName permission on the computer object where SQL Server is installed
- Validated write to DNS host name permission
- Validated write to service principal name permission
Instead of making the service account a Domain Admin, you can delegate these specific permissions using Active Directory Users and Computers:
1. Right-click the computer object → Properties → Security → Advanced
2. Add the service account
3. Set these specific permissions:
- Write servicePrincipalName
- Validated write to servicePrincipalName
- Validated write to DNS host nameFor automation scenarios, use this PowerShell script to delegate permissions:
# Grant SPN registration rights to service account
$computerDN = (Get-ADComputer "SQLServerName").DistinguishedName
$serviceAccount = "DOMAIN\sql_service_account"
$acl = Get-Acl "AD:\$computerDN"
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule (
(New-Object System.Security.Principal.NTAccount($serviceAccount)),
[System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
[System.Security.AccessControl.AccessControlType]::Allow,
[System.DirectoryServices.ActiveDirectorySecurityInheritance]::None,
[Guid]"f3a64788-5306-11d1-a9c5-0000f80367c1" # SPN attribute GUID
)
$acl.AddAccessRule($rule)
Set-Acl -AclObject $acl -Path "AD:\$computerDN"If automatic registration fails, check these common issues:
- Verify the service account has the correct permissions using
dsacls - Check SQL Server error logs for registration attempts
- Use
setspn -L <service_account>to verify SPNs - Ensure no duplicate SPNs exist (check with
setspn -X)
When delegation isn't possible, manually register SPNs using:
setspn -S MSSQLSvc/sqlserver.domain.com:1433 DOMAIN\sql_service_account
setspn -S MSSQLSvc/sqlserver.domain.com DOMAIN\sql_service_accountRemember that manual registration requires Domain Admin privileges temporarily, but the service account itself doesn't need ongoing Domain Admin rights.