

Why do we need SPN for File Server (NAS / RAS / File Share System) DNS Alias (Cname)

We often use a UNC path when backing up a SQL Server or Analysis Services database, or when loading data into SQL tables with a bulk load command where the text or CSV file is located on a file server.

Sometimes the file server (a NAS / RAS device or a computer that hosts a shared folder) is registered in DNS under an alias instead of its real host name, for whatever reason. Suppose the real name of the machine is mymachine and the alias is myalias. When we try to access a file as \\myalias\sharename\file.csv, we may get the error message “file.csv, could not be opened”. This is a very generic error message, and it leaves you wondering why you are getting it when your service account, or whichever account you are using to access the file, has full permission on that folder.

The reason is a missing SPN for the file server's DNS alias (CNAME) record.

To register the SPN for the DNS alias (CNAME) records, use the Setspn tool with the following syntax:

setspn -A host/your_ALIAS_name computername

setspn -A host/your_ALIAS_name.company.com computername

or

setspn -A host/myalias mymachine

setspn -A host/myalias.company.com mymachine

You must register Kerberos service principal names (SPNs) for both the host name and the fully qualified domain name (FQDN) of every new DNS alias (CNAME) record. If you do not do this, a Kerberos ticket request for a DNS alias (CNAME) record may fail and return the error code KDC_ERR_S_PRINCIPAL_UNKNOWN.
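
The registration above together with the checks an administrator would run afterwards, as an added example that is not part of the original article. It assumes the article's sample names (myalias, mymachine, company.com) and uses setspn -S, which refuses to add an SPN that another account already holds, in place of -A.

```powershell
# Names below are the article's sample values; replace them with your own.
$Alias    = 'myalias'      # DNS alias (CNAME) that clients put in the UNC path
$Computer = 'mymachine'    # real computer account of the file server
$Suffix   = 'company.com'  # DNS suffix of the domain

# Both forms are needed: short host name and FQDN.
$spns = "host/${Alias}", "host/${Alias}.${Suffix}"

foreach ($spn in $spns) {
    # -S checks the domain for an existing registration before adding.
    # The same SPN on two accounts leaves the KDC unable to choose one,
    # and ticket requests for the alias fail.
    setspn -S $spn $Computer
}

# Confirm the SPNs are now listed on the file server's computer account.
setspn -L $Computer

# Confirm each SPN resolves to exactly one account in the domain.
foreach ($spn in $spns) {
    setspn -Q $spn
}

# On the client (or SQL Server host) that reads the share:
# drop cached tickets, then request a service ticket for the alias.
# The SMB client asks for cifs/<name>; Active Directory maps cifs to host
# by default, so the host/ SPN registered above satisfies the request.
klist purge
klist get "cifs/${Alias}.${Suffix}"

# A ticket for the alias in the output means Kerberos now works for
# \\myalias\sharename. If the request still fails, recheck the SPN
# spelling and allow time for domain controller replication.
klist
```

Run the setspn commands from an account that is allowed to write the servicePrincipalName attribute on the computer object, typically a domain administrator.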

References

Error message when you try to access a server locally by using its FQDN or its CNAME alias after you install Windows Server 2003 Service Pack 1: "Access denied" or "No network provider accepted the given network path"

· Covers how to make the DNS alias work with file sharing from the file server itself.

https://support.microsoft.com/kb/926642