Granting a SQL Service account permissions to create SPNs


When preparing for a SQL Server installation, whether for a stand-alone instance or a clustered instance, and whether using a default or a named instance, there are a couple of things you need to take care of to reduce the issues that may come up later. In this blog post we are going to look at one of them, which relates to Service Principal Names (SPNs).

SPNs allow you to connect to the appropriate instance of SQL Server from a remote machine. For this to work, the SPNs need to already exist, which means the appropriate SPNs need to be created every time the instance of SQL Server is started. Because your instance runs under a service account, you need to grant that account some permissions to allow this to happen.

You may not have the appropriate permissions to set this up yourself, in which case you will need to ask your AD administrators for assistance.

The steps to configure permissions on your SQL Server Service Account are as follows:

1. Start | Run – type Adsiedit.msc

2. Expand DC (Domain Name) | Expand CN (Users) | Right Click Service Account | Properties



3. Select the Security tab | Click Advanced

4. Ensure that SELF is listed under the permissions entries

5. On the Permissions tab, edit SELF



6. On the Properties tab, select Read servicePrincipalName and Write servicePrincipalName
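
The same grant can be scripted and then read back from the ACL, which confirms that SELF received only the two servicePrincipalName rights on this one account. This is an added example, not part of the original post: the account name `svc-sqlengine` is a placeholder, and it assumes the ActiveDirectory PowerShell module (RSAT) and rights to modify the account's ACL.

```powershell
# Added example. 'svc-sqlengine' is a placeholder account name (assumption).
Import-Module ActiveDirectory

$SamAccountName = 'svc-sqlengine'

# Resolve the account's distinguished name (step 2 in the GUI procedure).
$account = Get-ADUser -Identity $SamAccountName -Properties servicePrincipalName
$dn = $account.DistinguishedName

# Steps 3-6: grant SELF Read Property (RP) and Write Property (WP),
# scoped to the servicePrincipalName attribute only.
dsacls $dn /G 'SELF:RPWP;servicePrincipalName' | Out-Null
if ($LASTEXITCODE -ne 0) { throw "dsacls failed for $dn (exit code $LASTEXITCODE)" }

# Look up the attribute's schemaIDGUID so the ACE can be matched exactly.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attr = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(lDAPDisplayName=servicePrincipalName)' -Properties schemaIDGUID
$spnGuid = [guid]$attr.schemaIDGUID

# Verify: read the ACL back and keep only Allow ACEs for SELF on that attribute.
$rights = [System.DirectoryServices.ActiveDirectoryRights]
$aces = (Get-Acl -Path "AD:\$dn").Access | Where-Object {
    $_.IdentityReference.Value -eq 'NT AUTHORITY\SELF' -and
    $_.AccessControlType -eq 'Allow' -and
    $_.ObjectType -eq $spnGuid
}
$granted = 0
foreach ($ace in $aces) { $granted = $granted -bor [int]$ace.ActiveDirectoryRights }

$need = [int]($rights::ReadProperty -bor $rights::WriteProperty)
if (($granted -band $need) -ne $need) {
    throw "SELF does not have Read+Write servicePrincipalName on $dn"
}
"SELF has Read/Write servicePrincipalName on $dn"

# SPNs registered on the account when it was read above
# (empty until SQL Server has started and registered them).
$account.servicePrincipalName
```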



Further information around this is available in KB 319723.



I am a Microsoft Data Platform MVP as well as a Microsoft Certified Master working as the Principal Consultant here at SQL Masters Consulting. When I am not working with the SQL Server Stack I like to get away to the Snow and spend time Snowboarding.