I'm trying to get Kerberos authentication to work with a named SQL 2008 instance. I've got it working if I connect to the instance as machine_name\instance_name. However, we have multiple A records in DNS for the same host. When I try to connect to the same instance as other_name\instance_name (where "other_name" is another A record that points to the same IP address as "machine_name"), it falls back to NTLM authentication. I've added the following SPN records:
- MSSQLSvc/other_name:port service_account
- MSSQLSvc/other_name:instance_name service_account
- HOST/other_name machine_name
- HOST/other_name.fqdn machine_name
I don't know where to go from here. Any ideas?
This might be helpful: Understanding Kerberos and NTLM authentication in SQL Server Connections
From what I've heard from AD admins in the past is that Kerberos doesn't work well with aliases. I have a feeling your best bet is to find all of the machines that reference the alias names and reconfigure them to use the machine name that is registered in Active Directory. You may be able to get lucky and drop SQL Server client network aliases on the machines that you can't figure out how to reconfigure. The client network aliases can point to the server name registered in AD and I have a feeling that will work as well. Good luck.