Database Administration
sql-server spn
Updated Thu, 22 Sep 2022 05:38:23 GMT

Restore over DNS alias fails with Operating system error 1326 (The user name or password is incorrect.)


Following configuration:

  • SQL Server is running on server.domain.intra with a gMSA.
  • DNS alias: server-db-dev.domain.intra
  • gMSA Permissions on backup share: Full Control
  • SPNs set for gMSA:
    • MSSQLSvc/server.domain.intra:1433
    • MSSQLSvc/server.domain.intra
    • MSSQLSvc/server-dev-db1.domain.intra:1433
    • MSSQLSvc/server-dev-db1:1433

Problem: When the restore is started with \\server.domain.intra\BackupShare$, the restore finishes successfully, but with the DNS alias we get the error "Operating system error 1326 (The user name or password is incorrect.)"

I have the feeling that the gMSA should be configured to be allowed to delegate to the DNS alias. Or do you have any other ideas on how to solve the problem?

Thank you very much and kind regards, Olaf




Solution

To allow Kerberos Authentication on the network share, you need to add the SPN for the alias with the HOST service (it's actually a group of services), as otherwise the server is not able to create a Kerberos ticket for it.

The server itself does not realize that it is connecting to a loopback, so even if it's on the same server it needs the SPN.

setspn server.domain.intra -s HOST/server-db-dev.domain.intra
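
A check to run before and after registering the SPN, added here as an example and not part of the original answer. It uses the host and alias names from the question and assumes the RSAT ActiveDirectory module is installed and that you run it from a domain-joined session.

```powershell
# Added example: verify SPN registration for the DNS alias from the question.
# Assumption: RSAT ActiveDirectory module is available.
Import-Module ActiveDirectory

$alias = 'server-db-dev.domain.intra'   # alias used in the failing UNC path
$spns  = "HOST/$alias", "MSSQLSvc/$alias", "MSSQLSvc/${alias}:1433"

# What does the alias point at (CNAME or A record)?
Resolve-DnsName -Name $alias |
    Select-Object Name, Type, NameHost, IPAddress |
    Format-Table -AutoSize

# Which account holds each SPN?
#   0 holders  = not registered, the KDC cannot issue a ticket for that name
#   1 holder   = registered
#   >1 holders = duplicate SPN, Kerberos for that name fails
# Note: the MSSQLSvc SPNs listed in the question are for server-dev-db1,
# which is not the same string as the alias server-db-dev, so query the
# exact name that appears in the UNC path.
$report = foreach ($spn in $spns) {
    $holders = @(Get-ADObject -Filter "servicePrincipalName -eq '$spn'" `
                              -Properties sAMAccountName)
    $state = switch ($holders.Count) {
        0       { 'MISSING' }
        1       { 'OK' }
        default { 'DUPLICATE' }
    }
    [pscustomobject]@{
        SPN     = $spn
        State   = $state
        Holders = ($holders.sAMAccountName -join ', ')
    }
}
$report | Format-Table -AutoSize

# Request a service ticket for the file share through the alias.
# cifs is one of the service classes covered by a HOST SPN, so this only
# succeeds once HOST/<alias> is registered on the computer account.
# This runs in your own logon session: it proves the KDC can resolve the
# SPN, not that the gMSA has rights on the share.
klist get "cifs/$alias"
```

The MSSQLSvc rows are informational only; the share access in the restore depends on the HOST row.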