Using Kerberos configuration manager to resolve Microsoft SQL server SPN issues

Posted in: Technical Track

It’s not uncommon to have authentication issues with Microsoft SQL Server. Not only with users trying to access the server, but problems related to the connection between instances, like AlwaysOn Availability Groups.

The traditional way to solve it is well known, but not simple, as you need to work with the “setspn” command, and its syntax is not that intuitive.

Here’s an example:

setspn -A MSSQLSvc/<SQL Server computer name>:1433 <Domain\Account>

This week I was working on a SQL Server AG build, and guess what? I was not able to connect from one replica to another. The error message is not very intuitive:

“The target principal name is incorrect. Cannot generate SSPI context. (Microsoft SQL Server)”

This message could mean a lot of things, but there’s one thing that may help us: the target instance’s ERRORLOG. If you find the following message there, you have an SPN registration problem:

The SQL Server Network Interface library could not register the Service Principal Name (SPN) [ MSSQLSvc/abc.domain:<Instance> ] for the SQL Server service. Windows return code: 0x2098, state: 20. Failure to register a SPN might cause integrated authentication to use NTLM instead of Kerberos. This is an informational message. Further action is only required if Kerberos authentication is required by authentication policies and if the SPN has not been manually registered.

Ok, so let’s solve it… Fortunately, Microsoft has a tool called “Kerberos Configuration Manager” that makes everything easier. The “Kerberos Configuration Manager” is a diagnostic tool, to be used with SQL Server, that helps troubleshoot Kerberos-related issues. You can download the tool here.

After the installation, go to the application folder and execute the “KerberosConfigMgr.exe” binary. Once the application is open, click on “Connect” in the top right corner:

Connect to the desired SQL Server instance.
Note: for the local instance, just leave all the fields empty and click on connect.

If you want to connect to a remote instance, fill in the fields like the following (you can leave the “User Name” and “Password” fields empty for Windows Authentication):

After successfully connecting to the instance, all the related SPNs will be shown. You can use the checkboxes at the top to filter the results. For the following case, I’m just showing the SQL Server-related ones.

By scrolling right, you can see the status of each of the registered SPNs. In the example below, both SPNs are “Misplaced”, so we need to fix them.

To correct the situation, just click the “Fix All” button and confirm (click “Yes”) on the pop-up:

After that, the tool is going to refresh the SPN status: All good here!

That’s it! All you need to do is install the tool, run the SPN scan and fix the problematic ones. As soon as the situation is normal, you will be able to connect to remote instances without problems and without having to learn the “setspn” command.
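For readers who want the same “Good / Missing / Misplaced” check without the GUI (for example on a replica where the tool cannot be installed), here is an added PowerShell example. It is not part of the original post and not Microsoft’s tool; it is written for illustration only. It builds the SPNs SQL Server tries to register for a given host, port and instance, looks up which Active Directory object currently holds each one with the built-in .NET DirectorySearcher, optionally scans the ERRORLOG for the 0x2098 registration failure quoted above, and prints (but does not run) the setspn commands that would correct each finding. The host, domain, port, instance name, service account and ERRORLOG path are assumptions supplied by the caller; the script changes nothing in AD.

```powershell
<#
Added example (not from the original post or from Kerberos Configuration Manager).
Reproduces the tool's per-SPN status for one SQL Server instance and suggests the
setspn fix. Assumes it runs on a domain-joined machine as a domain user that can
read Active Directory. If the SQL service runs as a virtual account or NETWORK
SERVICE, pass the computer account (e.g. SQL01$) as -ServiceAccount.
#>
param(
    [Parameter(Mandatory)] [string] $SqlHost,        # NetBIOS name of the SQL Server, e.g. SQL01
    [Parameter(Mandatory)] [string] $ServiceAccount, # sAMAccountName running the SQL service, e.g. svc_sql
    [string] $DnsDomain = $env:USERDNSDOMAIN,        # e.g. contoso.com
    [int]    $Port = 1433,                           # TCP port the instance listens on
    [string] $InstanceName,                          # set only for a named instance
    [string] $ErrorLogPath                           # optional: path to the instance ERRORLOG
)

function Get-ExpectedSqlSpn {
    # SPNs SQL Server tries to register at startup: FQDN and short host name with the
    # TCP port; a named instance additionally registers the instance-name form.
    param([string] $SqlHost, [string] $DnsDomain, [int] $Port, [string] $InstanceName)
    $fqdn = "$SqlHost.$DnsDomain"
    $spns = @("MSSQLSvc/${fqdn}:$Port", "MSSQLSvc/${SqlHost}:$Port")
    if ($InstanceName) { $spns += "MSSQLSvc/${fqdn}:$InstanceName" }
    return $spns
}

function Find-SpnOwner {
    # Returns the sAMAccountName of the AD object that holds the SPN, or $null if none.
    param([string] $Spn)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    # '/' and ':' need no escaping in an LDAP filter; only ( ) * \ and NUL do.
    $searcher.Filter = "(servicePrincipalName=$Spn)"
    [void] $searcher.PropertiesToLoad.Add('sAMAccountName')
    $hit = $searcher.FindOne()
    if ($hit) { return [string] $hit.Properties['samaccountname'][0] }
    return $null
}

function Get-SpnStatus {
    # The three states the tool reports: nobody holds the SPN (Missing), the service
    # account holds it (Good), or some other object holds it (Misplaced).
    param([string] $Spn, [string] $ServiceAccount)
    $owner = Find-SpnOwner -Spn $Spn
    if (-not $owner)                       { $status = 'Missing' }
    elseif ($owner -ieq $ServiceAccount)   { $status = 'Good' }
    else                                   { $status = 'Misplaced' }
    [pscustomobject]@{ SPN = $Spn; Owner = $owner; Status = $status }
}

function Test-ErrorLogSpnFailure {
    # Returns the "could not register the Service Principal Name" lines from the
    # ERRORLOG (the message quoted in the post, Windows return code 0x2098).
    param([string] $Path)
    Select-String -Path $Path -Pattern 'could not register the Service Principal Name' |
        ForEach-Object { $_.Line }
}

if ($ErrorLogPath -and (Test-Path $ErrorLogPath)) {
    Write-Host "SPN registration failures found in ${ErrorLogPath}:"
    Test-ErrorLogSpnFailure -Path $ErrorLogPath
}

$netbiosDomain = $env:USERDOMAIN
$report = Get-ExpectedSqlSpn -SqlHost $SqlHost -DnsDomain $DnsDomain -Port $Port -InstanceName $InstanceName |
    ForEach-Object { Get-SpnStatus -Spn $_ -ServiceAccount $ServiceAccount }
$report | Format-Table -AutoSize

# Print, without executing, the setspn commands that would correct each finding.
# -S verifies there is no duplicate before adding, so prefer it over the -A in the post.
foreach ($r in $report) {
    switch ($r.Status) {
        'Missing'   { "setspn -S $($r.SPN) $netbiosDomain\$ServiceAccount" }
        'Misplaced' { "setspn -D $($r.SPN) $netbiosDomain\$($r.Owner)"
                      "setspn -S $($r.SPN) $netbiosDomain\$ServiceAccount" }
    }
}
```

Run it as, for example, `.\Check-SqlSpn.ps1 -SqlHost SQL01 -ServiceAccount svc_sql -ErrorLogPath 'C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Log\ERRORLOG'` (file name and path are placeholders). A “Misplaced” result is the case shown in the screenshots above: the SPN exists but on the wrong account, so Kerberos tickets are issued for a principal that does not own the service key and the connection falls back to NTLM or fails with the SSPI context error. Registering SPNs requires write access to the service account in AD, which is why the tool (and the printed setspn commands) must be run by an account that has it.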



About the Author

Inspired by his father, Murilo has been passionate about IT since he was a child. When he broke their first PC at the age of 10, he was able to fix it on his own without his father finding out. Murilo’s passion for working with people coupled with his honesty have helped him establish effective, meaningful relationships with his clients. His colleagues can depend on him for any system-related issues, especially if it’s configuring a system from scratch. When he isn’t working, he can be found enjoying life with his family and watching football.

9 Comments

Thanks for this, very helpful

Reply

Thanks for a great article. Any idea on why one might receive a message when connecting: System.DirectoryServices.AccountManagement.PrincipalServerDownException: The server could not be contacted. —>

I tried connecting locally (with no creds specified) as well as remotely. No go. My google-fu showed me that others have had this problem to no avail.

Reply

It works. Was very helpful indeed. Thank you very much!

Reply

Hi Murilo Miranda,

Very helpful article, thank you so much :)

Reply

I asked the System Admin to do both of these tasks: fix the SPN issue (the status now shows ‘Good’) and also make sure the Service Account in AD is set to “Trust this user”, but I still got this error from Linked Server: “Login failed for users ‘NT Authority\Anonymous Logon’”. Any ideas why?

Reply

This saved my buns

Reply

The was an issue with accessing UserAccount information from the System, Please check logs at %AppData%\Microsoft\KerberosConfigMgr for more information.

Getting error and log is empty

Reply

Same error for me:
The was an issue with accessing UserAccount information from the System, Please check logs at %AppData%\Microsoft\KerberosConfigMgr for more information.

Getting error and log is empty

Reply

You must close KerberosConfigMgr before log is written.

Reply
