2017 R1

Using Kerberos Authentication With SQL ServerPermanent link for this heading

Keep in mind that if a domain user account is used for the database services, the SPN (Service Principal Name) has to be set for a secure Kerberos authentication.

More information can be found in the MSDN:

Run setspn –A MSSQLSvc/<FQDN>:<PORT> <SQL Service Account> as a domain administrator. If a service principal name is not set incoming Microsoft SQL Server connections will be authenticated using NTLM instead of Kerberos authentication.

Example:

setspn -A MSSQLSvc/server08.comp.com SQLSrv

Run setspn -L <SQL Service Account> to list all the SPNs that are registered to the domain user account who runs the instance of Microsoft SQL Server.

Example:

setspn –L SQLSrv