Microsoft KB Archive/303411

= You receive a "Warning SuperSocket Info" warning information when a SQL Server service account is a domain user =

Article ID: 303411

Article Last Modified on 11/2/2007

-

APPLIES TO


 * Microsoft SQL Server 2005 Standard Edition
 * Microsoft SQL Server 2005 Developer Edition
 * Microsoft SQL Server 2005 Enterprise Edition
 * Microsoft SQL Server 2005 Express Edition
 * Microsoft SQL Server 2005 Workgroup Edition
 * Microsoft SQL Server 2000 Personal Edition
 * Microsoft SQL Server 2000 Standard Edition
 * Microsoft SQL Server 2000 Workgroup Edition
 * Microsoft SQL Server 2000 Developer Edition
 * Microsoft SQL Server 2000 Enterprise Edition

-



This article was previously published under Q303411



BUG #: 232774 (SHILOH_BUGS)



SYMPTOMS
When SQL Server starts on a computer that is running Microsoft SQL Server 2000 or Microsoft SQL Server 2005, the SQL Server program always attempts to register the virtual server in Active Directory. The following events may be logged in the event log:

 * SuperSocket info: (SpnRegister): Error 8344
 * SuperSocket Info: (SPNRegister) : Error 1355
 * SuperSocket info: SpnUnRegister : Error 8344

Note Error 1355 is equal to ERROR_NO_SUCH_DOMAIN. Error 8344 is equal to insufficient permissions to perform the registration operation. This is shown as a warning for the SPNRegister function and as an error for the SpnUnRegister function.

This message is not an error message. This text is only a warning that SQL Server cannot register a service principal name (SPN). This indicates that the security mechanism that will be used is Microsoft Windows NT Challenge\Response (NTLM) authentication instead of Kerberos authentication.

These messages should only be considered a problem if your SQL Server installation requires Kerberos authentication or the network security settings prevent fallback to NTLM negotiation. Otherwise, these messages can be ignored safely.



CAUSE
The message usually appears because the SQL Server service account is running as a domain user who does not have the requisite permissions to register SPNs. With Microsoft Windows 2000 Service Pack 3 (SP3), you can enable Kerberos authentication on server clusters. For instructions on how to do this, see the following article in the Microsoft Knowledge Base:

319723 Information about SQL Server 2000 Kerberos support, including SQL Server virtual servers on server clusters



RESOLUTION
You can also edit the account's Access Control Settings permissions in the Active Directory directory service to enable the Read servicePrincipalName permission and the Write servicePrincipalName permission for the SQL Service account.

Warning If you use the Active Directory Service Interfaces (ADSI) Edit snap-in, the LDP utility, or any other LDAP version 3 clients, and you incorrectly modify the attributes of Active Directory objects, you can cause serious problems. These problems may require that you reinstall Microsoft Windows 2000 Server, Microsoft Windows Server 2003, Microsoft Exchange 2000 Server, Microsoft Exchange Server 2003, or both Windows and Exchange. Microsoft cannot guarantee that problems caused by incorrectly modifying Active Directory object attributes can be solved. Modify these attributes at your own risk.



WORKAROUND
To resolve these types of messages and enable the SQL Server service to create SPNs dynamically for your SQL Server instances, ask your domain administrator to add the appropriate permissions and user rights to the SQL Server startup accounts.

To enable the SQL Server service account to establish SPNs correctly on startup, follow these steps:
 * 1) Click Start, click Run, type Adsiedit.msc, and then click OK.
 * 2) In the ADSI Edit window, expand Domain [ ], expand DC=  , expand CN=Users, right-click CN= , and then click Properties.

Notes
 *  represents the name of the domain.
 *  is a placeholder for the name of the root domain.
 *  represents the account that you specify to start the SQL Server service.
   * If you have specified Local System to start the SQL Server service,  represents the account that you use to log on to Microsoft Windows.
   * If you have specified a domain user account for the SQL Server service,  represents the domain user account.

 * 3) In the CN=  Properties dialog box, click the Security tab.
 * 4) On the Security tab, click Advanced.
 * 5) In the Advanced Security Settings dialog box, make sure that the SELF user is listed under Permission entries. If the SELF user is not listed, click Add, and then add the SELF user.
 * 6) Under Permission entries, click SELF, and then click Edit.
 * 7) In the Permission Entry dialog box, click the Properties tab.
 * 8) On the Properties tab, click This object only in the Apply onto list, and then make sure that the following permissions are selected under Permissions:
   * Read servicePrincipalName
   * Write servicePrincipalName
 * 9) Click OK three times, and then close the ADSI Edit window.
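
The SELF permission entry that the steps above configure can be read back from the directory without opening ADSI Edit. The following PowerShell is an added example, not part of the original Microsoft article; it assumes the RSAT ActiveDirectory module is installed and uses a hypothetical account name, svc-sql. It only reads the ACL and changes nothing.

```powershell
# Added example: read-only audit of the SELF permission entry on the service account.
# Assumptions: RSAT ActiveDirectory module; 'svc-sql' is a hypothetical account name.
Import-Module ActiveDirectory

function Test-SelfSpnPermission {
    param([Parameter(Mandatory)][string]$SamAccountName)

    # schemaIDGUID of the servicePrincipalName attribute.
    # An empty ObjectType GUID on an ACE means "all properties".
    $spnGuid = [guid]'f3a64788-5306-11d1-a9c5-0000f80367c1'
    $rights  = [System.DirectoryServices.ActiveDirectoryRights]
    $sidType = [System.Security.Principal.SecurityIdentifier]

    $user = Get-ADUser -Identity $SamAccountName -Properties servicePrincipalName
    $acl  = Get-Acl -Path ('AD:\' + $user.DistinguishedName)

    # Explicit and inherited Allow entries for SELF (well-known SID S-1-5-10)
    # that cover the servicePrincipalName attribute. ACEs that grant access
    # through a property set or through another trustee are not evaluated.
    $aces = @($acl.GetAccessRules($true, $true, $sidType) | Where-Object {
        $_.IdentityReference.Value -eq 'S-1-5-10' -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.ObjectType -eq $spnGuid -or $_.ObjectType -eq [guid]::Empty)
    })

    # Combine the rights granted by all matching entries.
    $granted = 0
    foreach ($ace in $aces) {
        $granted = $granted -bor [int]$ace.ActiveDirectoryRights
    }

    [pscustomobject]@{
        Account        = $user.DistinguishedName
        ReadSpn        = [bool]($granted -band [int]$rights::ReadProperty)
        WriteSpn       = [bool]($granted -band [int]$rights::WriteProperty)
        # True when at least one matching entry applies to "This object only".
        ThisObjectOnly = [bool]($aces | Where-Object { $_.InheritanceType -eq 'None' })
        CurrentSpns    = @($user.servicePrincipalName)
    }
}

Test-SelfSpnPermission -SamAccountName 'svc-sql'
```

If WriteSpn is False, the SpnRegister warning with Error 8344 is expected at the next service start; if it is True and CurrentSpns is still empty, restart the SQL Server service and check the event log again.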

For help with this process, contact Active Directory product support. Refer to this Microsoft Knowledge Base article if you contact product support.

When you perform this workaround, you eliminate SPN issues for new installations or installations that have had the TCP/IP port or domain name modified.



STATUS
Microsoft has confirmed that this is a problem in SQL Server 2000 and SQL Server 2005.

