If the SQL Server service account cannot write its own servicePrincipalName attribute (a plain domain user account rather than a Domain Admin, for example), SQL Server fails to register its SPN at startup and you will see the error below. Rather than adding the service account to Domain Admins, grant it Read servicePrincipalName and Write servicePrincipalName on its own account object. That delegates exactly the permission the service needs and nothing more.
Use ADSI Edit –
Open adsiedit.msc – connect to the Default naming context – browse to the OU or container that holds the SQL Server service account – right-click the account – Properties
Security – Advanced –
Add – principal: SELF – Type: Allow – switch to the attribute list (shown as "Special" in the summary view)
Tick Write servicePrincipalName – OK – Apply
The summary view now shows the new entry as
Allow – SELF – Access (None)
That is expected: the entry grants a property permission, not a general access right. Open it again and make sure both Read servicePrincipalName and Write servicePrincipalName are ticked.
To force SQL Server to re-register the SPN (not something to do casually on production): restart the Database Engine service. SQL Server unregisters its SPNs on shutdown and registers them again on startup.
Note: in a SQL Server 2014 cluster the Database Engine goes through this registration on every restart and failover, so leave the permission in place permanently instead of granting it once for the fix.
Otherwise an administrator with rights on the account has to register the SPNs manually with setspn after every restart of the Database Engine.
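The same permission, granted and then checked from PowerShell instead of clicking through ADSI Edit. This is an added example and not the original post's own procedure. It assumes the RSAT ActiveDirectory module is installed, that you run it as an account allowed to change the service account's ACL, and that the service account is named svc-sql and the instance SQLHOST\INSTANCE (both sample names, not from the page).

```powershell
# Added example (not from the original post): scripted equivalent of the ADSI Edit
# steps. Assumptions: RSAT ActiveDirectory module present, run with rights to edit
# the service account's ACL, service account named svc-sql (sample name).
Import-Module ActiveDirectory

$ServiceAccount = 'svc-sql'                      # assumed sample account name
$Acct = Get-ADUser -Identity $ServiceAccount
$Path = "AD:\$($Acct.DistinguishedName)"         # the account object in the AD: drive

# schemaIDGUID of the servicePrincipalName attribute (fixed in the AD schema)
$SpnAttributeGuid = [Guid]'28630ebb-41d5-11d1-a9c1-0000f80367c1'
# NT AUTHORITY\SELF: the ACE applies to the object's own principal, i.e. svc-sql itself
$Self = [System.Security.Principal.SecurityIdentifier]'S-1-5-10'

$Acl = Get-Acl -Path $Path

# One ACE: Allow SELF ReadProperty + WriteProperty, scoped to the single attribute
# servicePrincipalName (ObjectType = the attribute GUID). This is what the
# "Read servicePrincipalName / Write servicePrincipalName" tick boxes set.
$Rights = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor `
          [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$Rule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $Self,
    $Rights,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $SpnAttributeGuid)

$Acl.AddAccessRule($Rule)
Set-Acl -Path $Path -AclObject $Acl

# Check: there should now be an Allow entry for NT AUTHORITY\SELF with
# ReadProperty, WriteProperty and ObjectType equal to the servicePrincipalName GUID.
(Get-Acl -Path $Path).Access |
    Where-Object { $_.IdentityReference.Value -eq 'NT AUTHORITY\SELF' } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, AccessControlType

# After the next restart of the Database Engine, confirm the SPNs were registered
# and that new TCP connections negotiate KERBEROS rather than NTLM.
# SQLHOST\INSTANCE is an assumed sample instance name.
setspn -L $ServiceAccount
sqlcmd -S 'SQLHOST\INSTANCE' -E -Q "SELECT auth_scheme, COUNT(*) AS sessions FROM sys.dm_exec_connections WHERE net_transport = 'TCP' GROUP BY auth_scheme"
```

The ACE is placed on the service account object only and applies only to the servicePrincipalName attribute, so the account gains no rights anywhere else in the directory. Be aware that plain Write servicePrincipalName is not validated: whoever holds the account can register any SPN on it, including names for other hosts, so do not share this service account with unrelated services.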
Reference – SQL Server error log –
The SQL Server Network Interface library could not register the Service Principal Name (SPN) for the SQL Server service. Windows return code: 0x2098, state: 20. Failure to register a SPN might cause integrated authentication to use NTLM instead of Kerberos.
Return code 0x2098 is ERROR_DS_INSUFF_ACCESS_RIGHTS (8344): the service account does not have permission to write servicePrincipalName on its own account object.