I have a domain user account (in mydomain.com, let's say) that is set to be the logon account for numerous instances of SQL Server 2005 on multiple machines. I want to have this domain account (not the machine accounts) trusted for delegation, primarily to do 2 hop authentication between the SQL servers via linked servers. The linked server security would be configured to use the context of the existing connection and all SQL Server instances are running under the context of said domain account.
For argument sake, this will be the instance names of the SQL instances:
svra (default sql instance)
svra\inst2 (named sql instance)
svrb (default sql instance)
I think, then, the SPNs that I want to register in Active Directory would be
MSSQLSvc/svra.mydomain.com:1433
MSSQLSvc/svrb.mydomain.com:1433
I don't need a 3rd for the named instance on svra, do I?
Can someone confirm that that is the correct format for the SPN's? Also, that would allow IIS running under the same domain account do 2 hop authentication to the SQL instances, correct?
Best Answer
Generally you need to register both the FQDN SPN and the Netbios name SPN: MSSQLSvc/svra.mydomain.com:1433 AND MSSQLSvc/svra:1433
For the secondary instance (inst2) you need an SPN for that instance's TCP port MSSQLSvc/svra:1500 (for example)
Also, if the SQL Server service process runs under a domain account you need to specify that as well, eg
MSSQLSvc/svra.mydomain.com:1433
Note that if you run the SQL Server service process as LOCALSYSTEM, these SPNs are created automatically.
Finally, you need to set the "Trusted for delegation" flag on the IIS server's computer account in the domain.