I have an issue where SQL Server 2012 fails to register the SPN when running the MSSQLSERVICE on a domain user account.
If I make the user account a member of the domain admins group, the SQL server registers the SPN successfully.
The problem is that I don't want to make the user account a member of the domain admins group. I want to make the user account a member of a group that specifically assigns the correct permissions for doing this.
Please see this thread for more info:
https://social.technet.microsoft.com/Forums/en-US/274878bb-8388-4106-bf13-1a1ac86ec515/best-practices-sql-domain-accounts-and-permissions?forum=sqlgetstarted
This is what I have done so far:
I have added the domain account as a member of 'spngroup'
In Active Directory, I have edited the security permissions on spngroup to allow Validated Write to Service Principal Name for all descendant computer objects.
I have also granted permissions to read and write the servicePrincipalName property for all descendant computer objects.
These settings alone do not seem to be enough.
One thing that is confusing me most is that when selecting the 'apply to' field in the advanced security settings window, descendant user objects does not have options to grant these 3 permissions; they only show up if the 'apply to' field is descendant computer objects.
This indicates to me that what I want, giving these permissions to a user account, is impossible. However, I can give these permissions to a user account via domain admin. That's a strange conflict.
Thoughts?
Jeff
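An added example, not part of the original post, of the delegation described above done from PowerShell rather than the ACL editor. Two facts drive it: when SQL Server runs under a domain user account it registers its MSSQLSvc SPN on that user object, not on the host's computer object, and the "Validated write to service principal name" extended right is defined in the schema only for the computer class, which is why the 'apply to' list offers it for descendant computer objects only. The equivalent for user objects is an explicit Read/Write Property ACE on the servicePrincipalName attribute. The OU path and the group name are assumptions; the GUIDs are read from the schema at run time rather than hard-coded.

```powershell
# Added example (not from the original post): delegate read/write of the
# servicePrincipalName attribute on service-account user objects under one OU
# to a group, so a SQL service account in that OU can register its own SPN
# without being a Domain Admin.
# Assumptions (hypothetical names, adjust for your domain):
#   - service accounts live under OU=Service Accounts,DC=corp,DC=example
#   - the delegated group is 'spngroup'
# Run once, as an account allowed to change the OU's security descriptor.
Import-Module ActiveDirectory

$ouDN  = 'OU=Service Accounts,DC=corp,DC=example'   # assumption
$group = 'spngroup'                                  # assumption

$schemaNC = (Get-ADRootDSE).schemaNamingContext

# Resolve schema GUIDs by lDAPDisplayName instead of hard-coding them.
function Get-SchemaGuid([string]$ldapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(lDAPDisplayName=$ldapDisplayName)" `
        -Properties schemaIDGUID
    [guid]$obj.schemaIDGUID
}
$spnAttrGuid   = Get-SchemaGuid 'servicePrincipalName'   # the attribute being delegated
$userClassGuid = Get-SchemaGuid 'user'                   # limit inheritance to user objects

$sid = (Get-ADGroup $group).SID
$acl = Get-Acl -Path "AD:\$ouDN"

# One ACE: Allow ReadProperty + WriteProperty on servicePrincipalName only,
# inherited by descendant user objects (not applied to the OU itself).
$rights = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    $rights,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $spnAttrGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Verify: show what the group now holds on the OU. Expect one entry with
# ActiveDirectoryRights = ReadProperty, WriteProperty, ObjectType = the
# servicePrincipalName GUID and InheritedObjectType = the user class GUID.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -like "*\$group" } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                  ObjectType, InheritedObjectType, InheritanceType
```

Two caveats a practitioner should keep in mind. First, the right to write servicePrincipalName on other accounts is a sensitive delegation: whoever holds it can attach SPNs to those accounts and make them Kerberos targets, so scope the OU to the service accounts that actually need it rather than the whole domain. Second, if you would rather not delegate to a group at all, the same ACE can be granted to the well-known SELF principal so that each service account may write only its own SPN; the one above is shown because the question is about a group.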