SQL Error 2098, 8344

To understand the error, translate the code 0x2098 into its readable form:
ERROR_DS_INSUFF_ACCESS_RIGHTS
8344 (0x2098)
Insufficient access rights to perform the operation.

This error message indicates that the SQL Server service account does not have sufficient rights to register its SPN (Service Principal Name).

Cause

SPNs are used by the Kerberos authentication protocol. If the SPN of the instance is known (registered), Kerberos can be used to provide mutual authentication between the client and the server. If the SPN is not known, NTLM authentication is used instead, which only authenticates the client to the server.
If you run SQL Server under the LocalSystem account, the SPN is registered automatically: SQL Server registers it using the machine account, which by default has the right to create its own SPN. Kerberos therefore works with the server running SQL Server without further action.

However, if you run SQL Server under a domain account or a local account, the attempt to create the SPN may fail. When creation of the service principal name fails, no SPN exists for the service running SQL Server, and clients fall back to NTLM.

Solution

You must therefore make sure that an SPN is created for every SQL Server instance on which you want to use the Kerberos protocol.

Method 1 (recommended by Microsoft Support): grant the SQL Server service account the following rights in Active Directory, so that it can register its own SPN at startup:
- Read servicePrincipalName
- Write servicePrincipalName
Method 2: register the SPN manually with the SetSPN tool (http://msdn.microsoft.com/fr-fr/library/cc280459.aspx).

For a standalone SQL Server:
SetSPN -A MSSQLSvc/<ComputerName>.<DomainName>:<port> <AccountName>

On a server hosting several instances, you must configure an SPN for each instance, using the TCP/IP port of that instance (only TCP/IP is relevant here). To find an instance's port, open SQL Server Configuration Manager >> right-click the instance >> TCP/IP protocol (default port).

For a cluster:
SetSPN -A MSSQLSvc/<virtualName>.<DomainName>:<port> <AccountName>
SetSPN -A MSSQLSvc/<virtualName>.<DomainName> <AccountName>

For a clustered SQL Server instance, use the FQDN of the virtual SQL Server name, and register two SPNs: one with the port and a second one without the port.


Verification

You can then confirm that the SPNs were registered on the service account with the following command:
SetSPN -L <AccountName>
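The following PowerShell script is an added example (not part of the original article) that automates this check: it builds the SPNs expected from the forms above (with the port, plus the port-less one for a cluster) and compares them with what SetSPN -L actually reports. The account name, host FQDN and port are placeholder assumptions; replace them with your own values.

```powershell
# Added example: verify that the expected MSSQLSvc SPNs are registered on the service account.
# Placeholders (assumptions): CONTOSO\sqlsvc, sql01.contoso.local, port 1433.
# For a cluster, pass the virtual name as -HostFqdn and add -Clustered to also require
# the second SPN without the port.
param(
    [string]$AccountName = 'CONTOSO\sqlsvc',
    [string]$HostFqdn    = 'sql01.contoso.local',
    [int]$Port           = 1433,
    [switch]$Clustered
)

# Expected SPNs, in the same MSSQLSvc/<FQDN>:<port> form used with SetSPN -A
$expected = @("MSSQLSvc/${HostFqdn}:$Port")
if ($Clustered) { $expected += "MSSQLSvc/$HostFqdn" }

# SetSPN -L prints a header line, then one indented SPN per line; keep only the SPN lines
$registered = & setspn.exe -L $AccountName 2>&1 |
    Where-Object { $_ -match '^\s+\S+/' } |
    ForEach-Object { "$_".Trim() }

# SPN comparison is case-insensitive, which matches PowerShell's default -contains behaviour
$missing = 0
foreach ($spn in $expected) {
    if ($registered -contains $spn) {
        Write-Output "OK       $spn"
    } else {
        Write-Output "MISSING  $spn  (register it with: setspn -A $spn $AccountName)"
        $missing++
    }
}

# Non-zero exit code lets a monitoring job flag hosts that would silently fall back to NTLM
exit $missing
```

Run it on a domain-joined machine with the RSAT tools (setspn.exe) available; a missing SPN is exactly the condition under which clients fall back to NTLM and error 8344 appears in the SQL Server log.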

On the SQL Server side, you can check the authentication scheme of the current connection with the DMV sys.dm_exec_connections and its auth_scheme column:
SELECT auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@SPID;
If Kerberos is in use, the value returned is "KERBEROS" (otherwise you will see "NTLM").