New tool: "Microsoft Kerberos Configuration Manager for SQL Server" is ready to resolve your Kerberos/Connectivity issues


 

You can download “Microsoft Kerberos Configuration Manager for SQL Server” from here 

 

Microsoft Kerberos Configuration Manager for SQL Server is a diagnostic tool that helps troubleshoot Kerberos related connectivity issues with SQL Server.

Kerberos authentication provides a highly secure method to authenticate client and server entities (security principals) on a network.  To use Kerberos authentication with SQL Server, a Service Principal Name (SPN) must be registered with Active Directory, which plays the role of the Key Distribution Center in a Windows domain.  In addition, many customers also enable delegation for multi tier applications using SQL Server.  In such a setup, it may be difficult to troubleshoot the connectivity problems with SQL Server when Kerberos authentication fails.

The Kerberos Configuration Manager for SQL Server is a diagnostic tool that helps troubleshoot Kerberos related connectivity issues with SQL Server.   It can perform the following functions:

  • Gather information on OS and Microsoft SQL Server instances installed on a server.
  • Report on all SPN and delegation configurations on the server.
  • Identify potential problems in SPNs and delegations.
  • Fix potential SPN problems.
Supported Operating System

       Windows 7, Windows 8, Windows Server 2008 R2 SP1, Windows Server 2012

       The following are required on the machine where the Kerberos Configuration Manager for SQL Server is launched: 

    • .Net framework 4.0 or higher

 

To Install:

  1. Download the 32bit or 64bit version of the Kerberos Configuration Manager installer that matches your computer’s OS architecture.
  2. Click Open to start the installation immediately or click Save to save the installation .msi file to disk and install it later.
  3. Accept the license term of this tool.
  4. Click Next to complete the installation.

To Launch the Tool:

  1. After the installation is complete successfully, double click the KerberosConfigMgr.exe  to launch the application.

To Generate SPN List from Command Line:

  1. Go to command line.
  2. Switch to the folder where KerberosConfigMgr.exe is.
  3. Type KerberosConfigMgr.exe -q -l
  4. For more command line option, type KerberosConfigMgr.exe -h

To Save a Server’s Kerberos Configuration Information:

  1. Connect to the target windows server.
  2. Click on Save button on the toolbar
  3. Specify the location where you want the file to be saved at.  It can be on a local drive or network share.
  4. The file will be saved as .XML format.

To View a Server’s Kerberos Configuration Information from Saved File:

  1. Click on the Load button on the toolbar.
  2. Open the XML file generated by Kerberos Configuration Manager.

To Generate a Script to Fix SPN from Command Line:

  1. Click on the Generate button for the SPN entry.
  2. The generated script can be used by a user who has privilege to fix the SPN on the server.

To See the Log Files for this Tool:

  1. By default, one log file is generated in the user’s application data folder.

To Get Help:
Option 1: Hover the mouse cursor over the command for tooltip. 
Option 2:  Run KerberosConfigMgr.exe –h from command line
Option 3: Click the Help button in the toolbar.

Comments (9)

  1. Derek Wharton says:

    Is there a way to check multiple servers?

  2. Rob says:

    Is anyone else getting "Unable to connect to server" errors when specifying a valid server name?  I also tried the instance name but then get an "Invalid namespace" error.

    1. Anatoliy says:

      check firewall on SQL server

  3. ajaymalloc says:

    I too get "Unable to connect to server" error when I try to login using my Domain Account from my desktop that has local admin on db server including the sysadmina access to SQL Server 2008 R2.

    Even tried installing this on server and tried connecting to local both without and with all input parameters. But the error remained same.

  4. ajaymalloc says:

    Also did not find anything special on this page that is not already there on "http://www.microsoft.com/…/details.aspx

    Did not understand why is thi sblog then???

  5. Andrew says:

    I'm getting "Unable to access User Principal information from the System". I've tried a variety of accounts that all have Local Admin rights. I wonder what this relies on in particular…

  6. Derek says:

    Why on earth does the tool not support AlwaysOn Availability groups and Kerberos enabling the listener?

  7. willtwc says:

    So i downloaded the tool to troubleshoot when Kerebos was broken after downgrading to Development edition.  I'm getting "Unable to connect to server" error. No other messages is provided to indicate what the problem maybe. The tool does not tell me what I already know.

  8. CJ says:

    I'm getting the error "Unable to access User Principle information from the System.  One thing I wonder is that this customer is on Office 365 so their "users" are in the cloud (so to speak).  I've used this tool on other customers with no issue.

Skip to main content