Wednesday, March 21, 2012

Problem with Service Principal Name after new install

Hi all,
I installed a SQL Server 2000 on a Win2003 machine, running the SQL Server
service under a domain user account.
When the SQL Server starts, I find a warning in the event log:
Source: MSSQLServer EventID: 19011
Description: SuperSocket info: (SpnRegister) : Error 8344.
After reading several KB articles I understand that the service account
tries to register the Service Principal Name on startup and fails because it
does not have the rights to register the SPN in Active Directory.
I put the account in the local admin group on the server and created an SPN
with setspn.exe from the Win2000 resource kit, which points to the domain
account. This does not fix the warning message.
I do not want to put the account into domain admin group, which would fix
the problem I think, because domain admins have all permissions to register
the SPN.
Does someone have a hint for me?
Thanks in advance
Regards
Christian

If your server should always work using the same TCP port, you may ignore this
message.
If the server works under LocalSystem or another account which has such
permissions (by default - only Domain Admins), it registers the SPN at startup
and unregisters it at shutdown. So in your case, if you change the TCP/IP settings
for the server, you will have to re-register the SPN manually. Or you may give such
rights to the service account - see this article for permissions info:
http://technet2.microsoft.com/WindowsServer/en/Library/8127f5ed-4e05-4822-bfa9-402ceede47441033.mspx
--
WBR, Evergray
--
Words mean nothing...

Thanks for the reply,
at least you pointed us in the right direction. :)
I read the article, but again MS does not describe which rights an account needs
in order to register the SPN at startup. All the information you get is that it
works with domain admin rights and with local system.
Nonetheless, the information that a special function is executed in Active
Directory let us search through the Advanced Active Directory permission
settings, and we found that giving the permission to "write public
information" to the SQL Service Account solves the problem.
This prevents us from assigning domain admin rights.
Strange that Microsoft does not point out which specific permissions have
to be set for a normal user account, but on the other hand tells you not to use an
admin account.
Anyway this is solved for us.
Regards
Christian
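
An added example, not part of the original thread: it scopes the delegation discussed above to the single servicePrincipalName attribute (one member of the "Public Information" property set the poster granted) and then checks whether the SPN for the current TCP port is registered, which is the case the first reply describes after a port change. The account DN, account name, host name and ports are constructed placeholders, and the narrower grant is this example's assumption rather than what the poster applied.

```powershell
# Added example. All names below are constructed placeholders, not from the thread.
$AccountDn = 'CN=svc-sql,OU=Service Accounts,DC=example,DC=com'
$Account   = 'svc-sql'
$SqlHost   = 'sqlhost01.example.com'
$Port      = 1433

function Get-ExpectedSqlSpn {
    param([string]$Fqdn, [int]$Port)
    # SQL Server registers MSSQLSvc/<fqdn>:<tcp port>, so a port change needs a new SPN.
    'MSSQLSvc/{0}:{1}' -f $Fqdn, $Port
}

function Test-SpnRegistered {
    param([string[]]$SetSpnOutput, [string]$Spn)
    # 'setspn -L' prints one indented SPN per line; -contains compares case-insensitively.
    $registered = $SetSpnOutput |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -like 'MSSQLSvc/*' }
    $registered -contains $Spn
}

# Offline check on a constructed 'setspn -L' listing: the SPN still carries the
# old port 1433 after the instance was moved to 1435, so the lookup fails.
$sample = @(
    'Registered ServicePrincipalNames for CN=svc-sql,OU=Service Accounts,DC=example,DC=com:',
    '    MSSQLSvc/sqlhost01.example.com:1433'
)
Test-SpnRegistered -SetSpnOutput $sample -Spn (Get-ExpectedSqlSpn $SqlHost 1435)

# On a domain-joined admin host (uncomment to apply):
# 1. Let the account read and write only its own servicePrincipalName,
#    instead of the whole property set or Domain Admins membership.
# dsacls $AccountDn /G 'SELF:RPWP;servicePrincipalName'
#
# 2. Restart the SQL Server service, then confirm the SPN was registered.
# $expected = Get-ExpectedSqlSpn -Fqdn $SqlHost -Port $Port
# if (Test-SpnRegistered -SetSpnOutput (setspn -L $Account) -Spn $expected) {
#     "registered: $expected"
# } else {
#     "missing: $expected (check the event log for 19011 / SpnRegister error 8344)"
# }
```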
