I received the following message in the SQL Server error log after an Active Directory change inadvertently locked one of our SQL service accounts.
“The SQL Network Interface library could not register the Service Principal Name (SPN) for the SQL Server service. Error: 0x2098. Failure to register an SPN may cause integrated authentication to fall back to NTLM instead of Kerberos. This is an informational message. Further action is only required if Kerberos authentication is required by authentication policies.”
The SPN is essentially a mapping between a principal name and the Windows account that started the server instance service. This mapping is needed because the client composes an SPN from the server's hostname and the TCP/IP port to which it connects. If that SPN has not been registered, the Windows security layer cannot determine which account is associated with it, and Kerberos authentication will not be used. To make this easier, a SQL Server 2005 instance automatically tries to register its SPN with AD at startup if TCP/IP is enabled. This message results from the fact that only a domain administrator or a Local System account has the authority to register an SPN; under a normal account, SQL Server is therefore unable to register the SPN for the instance.

This should normally not prevent the services from starting, but for us it acted as a cryptic indicator that there was an issue with AD. Had we not discovered that the account was locked, we would have had all sorts of issues once the cached credentials for the service account had expired.
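To turn this cryptic message into a concrete check, here is an added PowerShell diagnostic (not from the original post) that verifies whether the service account is locked out, whether the MSSQLSvc SPNs a default instance would register are present, whether any duplicate SPNs exist, and which authentication scheme current connections actually use. The account, host and port values are placeholders, and it assumes the RSAT ActiveDirectory module, the SqlServer module and a default instance on TCP port 1433.

```powershell
# Added diagnostic, not from the original post. Account, host and port are placeholders.
param(
    [string]$ServiceAccount = 'CONTOSO\svc_sql',        # placeholder
    [string]$SqlHostFqdn    = 'sqlhost.contoso.local',  # placeholder
    [int]   $Port           = 1433                      # default instance
)

$samAccount = $ServiceAccount.Split('\')[-1]

# 1. Is the service account locked out? (the root cause described in the post)
$user = Get-ADUser -Identity $samAccount -Properties LockedOut, ServicePrincipalNames
if ($user.LockedOut) {
    Write-Warning "$ServiceAccount is locked out; SPN registration and Kerberos will fail."
}

# 2. Are the SPNs SQL Server would have registered for a default instance present?
#    Clients build "MSSQLSvc/<fqdn>:<port>" from the host and port they connect to.
$expected   = @("MSSQLSvc/$SqlHostFqdn", "MSSQLSvc/${SqlHostFqdn}:$Port")
$registered = @($user.ServicePrincipalNames)
foreach ($spn in $expected) {
    if ($registered -contains $spn) {
        Write-Host "OK       $spn"
    } else {
        Write-Warning "MISSING  $spn  (integrated authentication will fall back to NTLM)"
    }
}

# 3. A duplicate SPN on another account also breaks Kerberos; setspn -X reports duplicates.
& setspn.exe -X

# 4. What are current TCP connections actually negotiating: KERBEROS or NTLM?
$query = @"
SELECT auth_scheme, COUNT(*) AS connections
FROM sys.dm_exec_connections
WHERE net_transport = 'TCP'
GROUP BY auth_scheme;
"@
Invoke-Sqlcmd -ServerInstance "$SqlHostFqdn,$Port" -Query $query | Format-Table -AutoSize
```

For a named instance the expected SPN is `MSSQLSvc/<fqdn>:<instancename>` in addition to the port form, so adjust the `$expected` list accordingly.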