Hi Sreekanth,

sorry for the long delay.

The difference I see is that you're doing this as administrator.

I'm talking about validated-writes done by an account on it's own
computer object. And that's what [MS-ADTS]
about, also see the parent section Validated Writes

Can you please continue your reserach on this?


> Hello Stefan, simple tests at my end using a test domain controller shows 
> that all of the following values are allowed by MS Windows domain controller. 
> Before I propose any doc changes, can you confirm which domain controller you 
> have used when you say "Testing against a Windows DC shows that **only** 
> numeric characters are allowed after ':'" Did you mean to say the domain 
> controller itself failed to add such SPN ? Or are you saying that it is the 
> SQL Server that didn't find an SPN that has a nonnumeric character after ":"  
> ?
> C:\Users\Administrator>setspn -A MSSQLSvc/myhost.379135DOM.LAB:1433   lvisser
> C:\Users\Administrator>setspn -A MSSQLSvc/myhost.379135DOM.LAB:MYINST1   
> lvisser
> C:\Users\Administrator>setspn -A MSSQLSvc/myhost.379135DOM.LAB/MYINST2   
> lvisser
> C:\Users\Administrator>setspn -l lvisser
> Registered ServicePrincipalNames for CN=lora 
> visser,CN=Users,DC=379135DOM,DC=LAB:
>         MSSQLSvc/myhost.379135DOM.LAB/MYINST2
>         MSSQLSvc/myhost.379135DOM.LAB:MYINST1
>         MSSQLSvc/myhost.379135DOM.LAB:1433
> You can even have MSSQLSvc/myhost.379135DOM.LAB:8989797/MYINST2
> But ultimately, If the SPN does not match the string as constructed by the 
> Service i.e. SQL Server in this case, authentication will fail.

Attachment: signature.asc
Description: OpenPGP digital signature

cifs-protocol mailing list

Reply via email to