为 Kerberos 连接注册服务主体名称Register a Service Principal Name for Kerberos Connections

适用于:Applies to: 是SQL ServerSQL Server(所有支持的版本)yesSQL ServerSQL Server (all supported versions) 适用于:Applies to: 是SQL ServerSQL Server(所有支持的版本)yesSQL ServerSQL Server (all supported versions)

若要将 Kerberos 身份验证用于 SQL Server,必须满足以下两个条件:To use Kerberos authentication with SQL Server requires both the following conditions to be true:

  • 客户端计算机和服务器计算机必须属于同一 Windows 域或在可信域中。The client and server computers must be part of the same Windows domain, or in trusted domains.

  • 服务主体名称 (SPN) 必须在 Active Directory 中进行注册,后者在 Windows 域中起到密钥分发中心的作用。A Service Principal Name (SPN) must be registered with Active Directory, which assumes the role of the Key Distribution Center in a Windows domain. SPN 在注册后会映射到启动 SQL Server 实例服务的 Windows 帐户。The SPN, after it's registered, maps to the Windows account that started the SQL Server instance service. 如果未进行 SPN 注册或注册失败,则 Windows 安全层无法确定与 SPN 关联的帐户,因而无法使用 Kerberos 身份验证。If the SPN registration hasn't been performed or fails, the Windows security layer can't determine the account associated with the SPN, and Kerberos authentication isn't used.

    备注

    如果服务器无法自动注册 SPN,则必须手动注册 SPN。If the server can't automatically register the SPN, the SPN must be registered manually. 请参阅 手动注册 SPNSee Manual SPN Registration.

可以通过查询 sys.dm_exec_connections 动态管理视图来验证连接使用的是否为 Kerberos。You can verify that a connection is using Kerberos by querying the sys.dm_exec_connections dynamic management view. 请运行下面的查询并检查 auth_scheme 列的值,如果 Kerberos 已启用,该值应为“KERBEROS”。Run the following query and check the value of the auth_scheme column, which will be "KERBEROS" if Kerberos is enabled.

SELECT auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@spid ;

提示

MicrosoftMicrosoft Kerberos Configuration Manager for SQL Server 是一款诊断工具,可帮助解决与 Kerberos Configuration Manager for SQL Server 相关的连接问题。MicrosoftMicrosoft Kerberos Configuration Manager for SQL Server is a diagnostic tool that helps troubleshoot Kerberos related connectivity issues with SQL Server. 有关详细信息,请参阅 Microsoft Kerberos Configuration Manager for SQL ServerFor more information, see Microsoft Kerberos Configuration Manager for SQL Server.

SPN 在身份验证过程中所起的作用The Role of the SPN in Authentication

当应用程序打开连接并使用 Windows 身份验证时,SQL Server Native Client 会传递 SQL Server 计算机名称、实例名称和 SPN(可选)。When an application opens a connection and uses Windows Authentication, SQL Server Native Client passes the SQL Server computer name, instance name and, optionally, an SPN. 如果该连接传递了 SPN,则使用它时不对它做任何更改。If the connection passes an SPN, it's used without any changes.

如果该连接未传递 SPN,则将根据所使用的协议、服务器名和实例名构造一个默认的 SPN。If the connection doesn't pass an SPN, a default SPN is constructed based on the protocol used, server name, and the instance name.

在上面这两种情况下,都会将 SPN 发送到密钥分发中心以获取用于对连接进行身份验证的安全标记。In both of the preceding scenarios, the SPN is sent to the Key Distribution Center to obtain a security token for authenticating the connection. 如果无法获取安全标记,则身份验证采用 NTLM。If a security token can't be obtained, authentication uses NTLM.

服务主体名称 (SPN) 是客户端用来唯一标识服务实例的名称。A service principal name (SPN) is the name by which a client uniquely identifies an instance of a service. Kerberos 身份验证服务可以使用 SPN 对服务进行身份验证。The Kerberos authentication service can use an SPN to authenticate a service. 当客户端想要连接到某个服务时,它将查找该服务的实例,并为该实例编写 SPN,然后连接到该服务并显示该服务的 SPN 以进行身份验证。When a client wants to connect to a service, it locates an instance of the service, composes an SPN for that instance, connects to the service, and presents the SPN for the service to authenticate.

备注

本主题中提供的信息还适用于使用聚类分析的 SQL Server 配置。The information that is provided in this topic also applies to SQL Server configurations that use clustering.

Windows 身份验证是向 SQL Server 验证用户身份的首选方法。Windows Authentication is the preferred method for users to authenticate to SQL Server. 使用 Windows 身份验证的客户端通过 NTLM 或 Kerberos 进行身份验证。Clients that use Windows Authentication are authenticated by either using NTLM or Kerberos. 在 Active Directory 环境中,始终首先尝试 Kerberos 身份验证。In an Active Directory environment, Kerberos authentication is always attempted first. Kerberos 身份验证不可用于使用命名管道的 SQL Server 2005 (9.x)SQL Server 2005 (9.x) 客户端。Kerberos authentication isn't available for SQL Server 2005 (9.x)SQL Server 2005 (9.x) clients using named pipes.

权限Permissions

当启动数据库引擎服务时,它将尝试注册服务主体名称 (SPN)。When the Database Engine service starts, it attempts to register the Service Principal Name (SPN). 假设启动 SQL Server 的帐户无权在 Active Directory 域服务中注册 SPN。Suppose the account starting SQL Server doesn't have permission to register an SPN in Active Directory Domain Services. 在这种情况下,此调用将失败,并且会在应用程序事件日志以及 SQL Server 错误日志中记录警告消息。In that case, this call fails, and a warning message is logged in the Application event log as well as the SQL Server error log. 若要注册 SPN,数据库引擎必须在内置帐户(如 Local System (不建议使用)或 NETWORK SERVICE)或有权注册 SPN 的帐户下运行。To register the SPN, the Database Engine must be running under a built-in account, such as Local System (not recommended), or NETWORK SERVICE, or an account that has permission to register an SPN. 可以使用域管理员帐户注册 SPN,但不建议在生产环境中使用此帐户。You can register an SPN using a domain administrator account, but this is not recommended in a production environment. 在 Windows 7 或 Windows Server 2008 R2 操作系统上运行 SQL Server 时,可以使用虚拟帐户或托管服务帐户 (MSA) 运行 SQL Server。When SQL Server runs on the Windows 7 or Windows Server 2008 R2 operating system, you can run SQL Server using a virtual account or a managed service account (MSA). 虚拟帐户和 MSA 都可以注册 SPN。Both virtual accounts and MSA's can register an SPN. 如果 SQL Server 不在上述任一帐户下运行,则启动时不会注册 SPN,此时,域管理员必须手动注册 SPN。If SQL Server isn't running under one of these accounts, the SPN isn't registered at startup, and the domain administrator must register the SPN manually.

备注

将 Windows 域配置为在低于 Windows Server 2008 R2 Windows Server 2008 R2 功能级别的级别上运行时,托管服务帐户将不具有注册 SQL Server 数据库引擎SQL Server Database Engine 服务的 SPN 所需的权限。When the Windows domain is configured to run at less than the Windows Server 2008 R2 Windows Server 2008 R2 functional level, then the Managed Service Account will not have the necessary permissions to register the SPNs for the SQL Server 数据库引擎SQL Server Database Engine service. 如果需要进行 Kerberos 身份验证,域管理员应手动在托管服务帐户上注册 SQL Server SPN。If Kerberos authentication is required, the Domain Administrator should manually register the SQL Server SPNs on the Managed Service Account.

有关其他信息,请参阅 How to Implement Kerberos Constrained Delegation with SQL Server 2008(如何使用 SQL Server 2008 实现 Kerberos 约束委派)Additional information is available at How to Implement Kerberos Constrained Delegation with SQL Server 2008

SPN 格式SPN Formats

SQL Server 2008SQL Server 2008开始,SPN 格式已发生更改,目的是为了支持对 TCP/IP、Named Pipes 和 Shared Memory 进行 Kerberos 身份验证。Beginning with SQL Server 2008SQL Server 2008, the SPN format is changed in order to support Kerberos authentication on TCP/IP, named pipes, and shared memory. 所支持的命名实例和默认实例的 SPN 格式如下所示。The supported SPN formats for named and default instances are as follows.

命名实例Named instance

  • MSSQLSvc/<FQDN>:[<port> | <instancename>],其中:MSSQLSvc/<FQDN>:[<port> | <instancename>], where:

    • MSSQLSvc 是要注册的服务。MSSQLSvc is the service that is being registered.

    • <FQDN> 是服务器的完全限定域名。<FQDN> is the fully qualified domain name of the server.

    • <port> 是 TCP 端口号。<port> is the TCP port number.

    • <instancename> 是 SQL Server 实例的名称。<instancename> is the name of the SQL Server instance.

默认实例Default instance

  • MSSQLSvc/<FQDN>:<port> | MSSQLSvc/<FQDN>,其中:MSSQLSvc/<FQDN>:<port> | MSSQLSvc/<FQDN>, where:

    • MSSQLSvc 是要注册的服务。MSSQLSvc is the service that is being registered.

    • <FQDN> 是服务器的完全限定域名。<FQDN> is the fully qualified domain name of the server.

    • <port> 是 TCP 端口号。<port> is the TCP port number.

    备注

    新 SPN 格式不需要端口号。The new SPN format doesn't require a port number. 这意味着,多端口服务器或不使用端口号的协议都可以使用 Kerberos 身份验证。This means that a multiple-port server or a protocol that doesn't use port numbers can use Kerberos authentication.

SPN 格式SPN format 说明Description
MSSQLSvc/<FQDN>:<port>MSSQLSvc/<FQDN>:<port> 使用 TCP 时访问接口生成的默认 SPN。The provider-generated, default SPN when TCP is used. <port> 为 TCP 端口号。<port> is a TCP port number.
MSSQLSvc/<FQDN>MSSQLSvc/<FQDN> 使用除 TCP 之外的协议时访问接口生成的用于默认实例的默认 SPN。The provider-generated, default SPN for a default instance when a protocol other than TCP is used. <FQDN> 是一个完全限定域名。<FQDN> is a fully qualified domain name.
MSSQLSvc/<FQDN>:<instancename>MSSQLSvc/<FQDN>:<instancename> 使用除 TCP 之外的协议时访问接口生成的用于命名实例的默认 SPN。The provider-generated, default SPN for a named instance when a protocol other than TCP is used. <instancename> 是 SQL Server 实例的名称。<instancename> is the name of an instance of SQL Server.

备注

对于 TCP/IP 连接,由于 SPN 中包括 TCP 端口,因此 SQL Server 必须启用 TCP 协议,以便用户使用 Kerberos 身份验证进行连接。In the case of a TCP/IP connection, where the TCP port is included in the SPN, SQL Server must enable the TCP protocol for a user to connect by using Kerberos authentication.

自动注册 SPNAutomatic SPN Registration

SQL Server 数据库引擎SQL Server Database Engine 的实例启动时,SQL Server 将尝试为 SQL Server 服务注册 SPN。When an instance of the SQL Server 数据库引擎SQL Server Database Engine starts, SQL Server tries to register the SPN for the SQL Server service. 实例停止时,SQL Server 将尝试取消此 SPN 的注册。When the instance is stopped, SQL Server tries to unregister the SPN. 对于 TCP/IP 连接,注册 SPN 时使用的格式为 MSSQLSvc/<FQDN>:<tcpport>。命名实例和默认实例均注册为 MSSQLSvc,根据 <tcpport> 值来区分这些实例。For a TCP/IP connection, the SPN is registered in the format MSSQLSvc/<FQDN>:<tcpport>.Both named instances and the default instance are registered as MSSQLSvc, relying on the <tcpport> value to differentiate the instances.

对于支持 Kerberos 的其他连接,为命名实例注册 SPN 时使用的格式为 MSSQLSvc/<FQDN>/<instancename> 。For other connections that support Kerberos the SPN is registered in the format MSSQLSvc/<FQDN>/<instancename> for a named instance. 注册默认实例的格式为 MSSQLSvc/<FQDN>。The format for registering the default instance is MSSQLSvc/<FQDN>.

如果服务帐户缺少执行这些操作所需的权限,在注册或取消注册 SPN 时可能需要进行手动干预。Manual intervention might be required to register or unregister the SPN if the service account lacks the permissions that are required for these actions.

手动注册 SPNManual SPN Registration

若要手动注册 SPN,管理员必须使用随 Microsoft Windows Server 2003Windows Server 2003 支持工具提供的 Setspn.exe 工具。To register the SPN manually, the administrator must use the Setspn.exe tool that is provided with the Microsoft Windows Server 2003Windows Server 2003 Support Tools. 有关详细信息,请参阅 Windows Server 2003 Service Pack 1 Support Tools (Windows Server 2003 Service Pack 1 支持工具)知识库文章。For more information, see the Windows Server 2003 Service Pack 1 Support Tools KB article.

Setspn.exe 是一个命令行工具,你可通过该工具读取、修改和删除服务主体名称 (SPN) 目录属性。Setspn.exe is a command-line tool that enables you to read, modify, and delete the Service Principal Names (SPN) directory property. 您还可借助此工具查看当前 SPN、重置帐户的默认 SPN 以及添加或删除补充 SPN。This tool also enables you to view the current SPNs, reset the account's default SPNs, and add or delete supplemental SPNs.

以下示例说明了用于为使用域用户帐户的 TCP/IP 连接手动注册 SPN 的语法:The following example illustrates the syntax used to manually register an SPN for a TCP/IP connection using a domain user account:

setspn -A MSSQLSvc/myhost.redmond.microsoft.com:1433 redmond\accountname  

备注

如果 SPN 已存在,则必须在重新注册该 SPN 之前将其删除。If an SPN already exists, it must be deleted before it can be reregistered. 可以使用带有 setspn 开关的 -D 命令实现此操作。You do this by using the setspn command together with the -D switch. 以下示例说明如何手动注册基于新实例的 SPN。The following examples illustrate how to manually register a new instance-based SPN. 对于使用域用户帐户的默认实例,使用:For a default instance using a domain user account, use:

setspn -A MSSQLSvc/myhost.redmond.microsoft.com redmond\accountname  

对于命名实例,请使用:For a named instance, use:

setspn -A MSSQLSvc/myhost.redmond.microsoft.com:instancename redmond\accountname  

客户端连接Client Connections

客户端驱动程序支持用户指定的 SPN。User-specified SPNs are supported in client drivers. 但是,如果未提供 SPN,则将根据客户端连接类型自动生成 SPN。However, if an SPN isn't provided, it will be generated automatically based on the type of a client connection. 对于 TCP 连接,为命名实例和默认实例使用 MSSQLSvc/FQDN:[port] 格式的 SPN。For a TCP connection, an SPN in the format MSSQLSvc/FQDN:[port] is used for both the named and default instances.

对于 Named Pipes 和 Shared Memory 连接,对命名实例使用 MSSQLSvc/<FQDN>:<instancename> 格式的 SPN,对默认实例使用 MSSQLSvc/<FQDN> 格式 。For named pipes and shared memory connections, an SPN in the format MSSQLSvc/<FQDN>:<instancename> is used for a named instance and MSSQLSvc/<FQDN> is used for the default instance.

将服务帐户用作 SPNUsing a service account as an SPN

可将服务帐户用作 SPN。Service accounts can be used as an SPN. 可以通过 Kerberos 身份验证的连接属性指定服务帐户,并采用以下格式:They're specified through the connection attribute for the Kerberos authentication and take the following formats:

  • username@domain 或 domain\username(适用于域用户帐户)username@domain or domain\username for a domain user account

  • machine$@domain 或 host\FQDN(适用于计算机域帐户,如 Local System 或 NETWORK SERVICES)。machine$@domain or host\FQDN for a computer domain account such as Local System or NETWORK SERVICES.

若要确定连接的身份验证方法,请执行下面的查询。To determine the authentication method of a connection, execute the following query.

SELECT net_transport, auth_scheme   
FROM sys.dm_exec_connections   
WHERE session_id = @@SPID;  

身份验证默认值Authentication Defaults

下表说明根据 SPN 注册情况所使用的身份验证默认值。The following table describes the authentication defaults that are used based on SPN registration scenarios.

场景Scenario 身份验证方法Authentication method
SPN 映射到正确的域帐户、虚拟帐户、MSA 或内置帐户。The SPN maps to the correct domain account, virtual account, MSA, or built-in account. 例如 Local System 或 NETWORK SERVICE。For example, Local System or NETWORK SERVICE. 本地连接使用 NTLM,远程连接使用 Kerberos。Local connections use NTLM, remote connections use Kerberos.
SPN 是正确的域帐户、虚拟帐户、MSA 或内置帐户。The SPN is the correct domain account, virtual account, MSA, or built-in account. 本地连接使用 NTLM,远程连接使用 Kerberos。Local connections use NTLM, remote connections use Kerberos.
SPN 映射到不正确的域帐户、虚拟帐户、MSA 或内置帐户。The SPN maps to an incorrect domain account, virtual account, MSA, or built-in account 身份验证失败。Authentication fails.
SPN 查找失败或未映射到正确的域帐户、虚拟帐户、MSA 或内置帐户,或者不是正确的域帐户、虚拟帐户、MSA 或内置帐户。The SPN lookup fails or doesn't map to a correct domain account, virtual account, MSA, or built-in account, or isn't a correct domain account, virtual account, MSA, or built-in account. 本地和远程连接使用 NTLM。Local and remote connections use NTLM.

备注

“正确”表示注册的 SPN 映射到的帐户是当前运行 SQL Server 服务的帐户。'Correct' means that the account mapped by the registered SPN is the account that the SQL Server service is running under.

注释Comments

专用管理员连接 (DAC) 使用一个基于实例名称的 SPN。The Dedicated Administrator Connection (DAC) uses an instance name-based SPN. 如果成功注册 SPN,则可以将 Kerberos 身份验证用于 DAC。Kerberos authentication can be used with a DAC if that SPN is registered successfully. 用户也可以选择将帐户名指定为 SPN。As an alternative a user can specify the account name as an SPN.

如果在启动过程中 SPN 注册失败,将在 SQL Server 错误日志中记录此失败,而启动过程将继续进行。If SPN registration fails during startup, this failure is recorded in the SQL Server error log, and startup continues.

如果在关闭时 SPN 取消注册失败,将在 SQL Server 错误日志中记录此失败,而关闭过程将继续进行。If SPN de-registration fails during shutdown, this failure is recorded in the SQL Server error log, and shutdown continues.

另请参阅See Also