Released: Microsoft Kerberos Configuration Manager for SQL Server 4.1
We are pleased to announce the latest generally-available (GA) of Microsoft Kerberos Configuration Manager for SQL Server.
Get it here: Download Microsoft Kerberos Configuration Manager for SQL Server
Note : this replaces the previously released v4.0.
Why Kerberos?
Kerberos authentication provides a highly secure method to authenticate client and server entities (security principals) on a network. To use Kerberos authentication with SQL Server, a Service Principal Name (SPN) must be registered with Active Directory, which plays the role of the Key Distribution Center in a Windows domain. In addition, many customers also enable delegation for multi-tier applications using SQL Server. In such a setup, it may be difficult to troubleshoot the connectivity problems with SQL Server when Kerberos authentication fails.
Here are some additional reading materials for your reference.
- Kerberos Authentication Overview
- How to use Kerberos authentication in SQL Server
- Register a Service Principal Name (SPN) for Kerberos Connections
- Delegating authentication
- Troubleshooting Kerberos Delegation
- Solving Connectivity errors to SQL Server
Why use this tool?
The Kerberos Configuration Manager for SQL Server is a diagnostic tool that helps troubleshoot Kerberos related connectivity issues with SQL Server, SQL Server Reporting Services, and SQL Server Analysis Services. It can perform the following functions:
- Gather information on OS and Microsoft SQL Server instances installed on a server.
- Report on all SPN and delegation configurations and Always On Availability Group Listeners installed on a server.
- Identify potential problems in SPNs and delegations.
- Fix potential SPN problems.
This release (v4.1) adds support for Always On Availability Group Listeners, and fixes SPN format incompatibility with Windows Server 2008 and 2008 R2 (introduced in v4.0).
Notes
- Microsoft Kerberos Configuration Manager for SQL Server requires a user with permission to connect to the WMI service on any machine its connecting to. For more information, refer to Securing a Remote WMI Connection.
- For Always On Availability Group Listeners discovery, run this tool from the owner node.
- Also, if needed for troubleshooting, the Kerberos Configuration Manager for SQL Server creates a log file in %AppData%\Microsoft\KerberosConfigMgr.
Comments
- Anonymous
November 25, 2017
The comment has been removed - Anonymous
November 29, 2017
Note: for Availability Group listener discovery the tool has to be 'Run as administrator' (environment: Windows 2016, SQL 2016 SP1)Great tool! Thanks - Anonymous
June 05, 2018
I must be missing something. I've got clean, Win2016, SQL 2017 with CU5 servers in AlwaysOn configuration. I can connect via SMSS to both individual engines and the availability group listener. I'm a domain admin, have no stranded/disabled accounts in any group that is a local admin on these two servers. I've tried using the tool locally and remotely...both as regular user and administrator.6/5/2018 4:20:26 PM Info: Connect to WMI, \root\cimv26/5/2018 4:20:33 PM Error: Access of User Principal information failed System.DirectoryServices.AccountManagement.PrincipalServerDownException: The server could not be contacted. ---> System.DirectoryServices.Protocols.LdapException: The LDAP server is unavailable.- Anonymous
October 09, 2018
This issue is better worked through our support channels.
- Anonymous
- Anonymous
October 12, 2018
Hi Perdo, hi Amit,first of all: thank you for this great tool. It really helps a lot checking and fixing SPN Settings on a SQL Server.Today I have made an interesting discovery.The tool is not working properly when managed service accounts (MSA) are involved.The SPN tab is working fine, e.g. Required SPNs are listed etc ppBut on the Delegation tab I can only see my MSA under the service account column but not the delegations I have defined.The delegation is working fine though (tested through linked server conenction to a different SQL server forwarding the current login credentials).Will MSAs or even gMSAs supported at a later stage?Best RegardsDirk- Anonymous
October 26, 2018
There are no plans to extend the tool for now. Please add that feedback into http://aka.ms/sqlfeedback with some considerations on your scenario. Thank you
- Anonymous