Hi all,
I am confused by a situation I am facing.
I have an availability group configured with two nodes.
If I follow the instructions below:
https://docs.microsoft.com/en-us/sql/database-engine/availability-groups/windows/listeners-client-connectivity-application-failover?view=sql-server-2017#SPNs
I need to create the SPN using the listener:
setspn -s MSSQLSvc/listener.domain.com DOMAIN\gmsaAccount
setspn -s MSSQLSvc/listener.domain.com:INSTANCENAME DOMAIN\gmsaAccount
setspn -s MSSQLSvc/listener.domain.com:1433 DOMAIN\gmsaAccount
At this point my connection is not using Kerberos:
So I add the following:
SetSPN -s MSSQLSvc/node1.domain.com:INSTANCENAME DOMAIN\gmsaAccount
SetSPN -s MSSQLSvc/node1.domain.com:INSTANCEPORT DOMAIN\gmsaAccount
SetSPN -s MSSQLSvc/node2.domain.com:INSTANCENAME DOMAIN\gmsaAccount
SetSPN -s MSSQLSvc/node2.domain.com:INSTANCEPORT DOMAIN\gmsaAccount
Now it works. So I remove the SPN using the listener to see what happens:
setspn -D MSSQLSvc/listener.domain.com DOMAIN\gmsaAccount
setspn -D MSSQLSvc/listener.domain.com:INSTANCENAME DOMAIN\gmsaAccount
setspn -D MSSQLSvc/listener.domain.com:1433 DOMAIN\gmsaAccount
The connection is still using Kerberos.
So now I wonder what the point of creating the SPN for the listener is?
Is it relevant?
Thanks for your help
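
A check for the situation described in the post above, as an added example that is not part of the original post: the client requests a Kerberos ticket for the host name in its connection string, so the authentication scheme has to be tested once per name (listener and each node) rather than once overall. The script assumes Windows PowerShell 5.1 with System.Data.SqlClient, reuses the placeholder names from the post, and the target list and query are constructed for illustration.

```powershell
# Added example: report the auth scheme actually negotiated for each name
# a client might put in its connection string. Names are the post's placeholders.
$targets = @(
    'listener.domain.com,1433',          # listener name and port from the post
    'node1.domain.com\INSTANCENAME',     # direct connection to node 1
    'node2.domain.com\INSTANCENAME'      # direct connection to node 2
)

# Drop cached service tickets for this logon session, so a ticket issued
# before an SPN was deleted does not mask the change.
klist purge | Out-Null

# auth_scheme is KERBEROS or NTLM for the current session.
$query = @'
SELECT @@SERVERNAME AS server_name, auth_scheme, net_transport
FROM sys.dm_exec_connections
WHERE session_id = @@SPID;
'@

foreach ($target in $targets) {
    $conn = New-Object System.Data.SqlClient.SqlConnection
    $conn.ConnectionString = "Server=$target;Database=master;Integrated Security=SSPI;Connect Timeout=5"
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $query
        $reader = $cmd.ExecuteReader()
        while ($reader.Read()) {
            [pscustomobject]@{
                Target      = $target
                ConnectedTo = $reader['server_name']
                AuthScheme  = $reader['auth_scheme']
                Transport   = $reader['net_transport']
            }
        }
        $reader.Close()
    } catch {
        # A failed connection is reported per target instead of stopping the loop.
        [pscustomobject]@{ Target = $target; ConnectedTo = $null
                           AuthScheme = "ERROR: $($_.Exception.Message)"; Transport = $null }
    } finally {
        $conn.Dispose()
    }
}

# Show which SPNs are currently registered on the service account.
setspn -L DOMAIN\gmsaAccount
```

Run it from a client machine rather than on a node, and compare the AuthScheme row for the listener target before and after the listener SPNs are removed.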