Test-DbaKerberos
Synopsis
Tests Kerberos authentication configuration for SQL Server instances by performing comprehensive diagnostic checks
Description
This function performs a comprehensive suite of diagnostic checks to troubleshoot Kerberos authentication issues for SQL Server instances. It addresses the most common causes of Kerberos authentication failures including SPN configuration problems, DNS issues, time synchronization errors, service account configuration, network connectivity problems, and security policy misconfigurations.
The function performs 25+ checks across multiple categories:
- SPN validation (duplicate detection, format validation, ownership verification)
- Time synchronization (client-server and server-DC time comparisons)
- DNS resolution (forward/reverse lookups, CNAME detection)
- Service account configuration (lock status, delegation settings)
- Network connectivity (Kerberos and LDAP port testing)
- Security policy validation (encryption types, secure channel)
- SQL Server configuration (service account, network protocols)
- Authentication verification (current auth scheme validation)
Each check returns a structured result with status (Pass/Fail/Warning), detailed findings, and actionable remediation recommendations. Use the -Detailed switch for verbose diagnostic output including intermediate check results.
This command is essential for troubleshooting authentication failures, validating Kerberos setup before migrations, performing security audits, and as part of regular maintenance to ensure proper authentication across SQL Server environments.
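Several of the check categories listed above can also be spot-checked by hand with standard Windows tools. The following is an added illustration, not the dbatools implementation; the host names, domain controller name and port are placeholder assumptions.

```powershell
# Added illustration: manual spot checks, not how Test-DbaKerberos is implemented.
# Placeholder values (assumptions): replace with your own hosts and port.
$sqlHost = 'sql2016.contoso.example'
$dc      = 'dc01.contoso.example'
$port    = 1433

# DNS: forward lookup, then a reverse lookup of every address returned.
# A CNAME in the answer matters because the client may build the SPN from a different name.
$forward = Resolve-DnsName -Name $sqlHost -ErrorAction Stop
$forward | Where-Object Type -eq 'CNAME' |
    ForEach-Object { "CNAME: $($_.Name) -> $($_.NameHost)" }
foreach ($a in ($forward | Where-Object Type -in 'A', 'AAAA')) {
    $ptr = Resolve-DnsName -Name $a.IPAddress -Type PTR -ErrorAction SilentlyContinue
    "{0} -> {1}" -f $a.IPAddress, ($ptr.NameHost -join ', ')
}

# Network: Kerberos (TCP 88) and LDAP (TCP 389) reachability to the domain controller.
foreach ($p in 88, 389) {
    $r = Test-NetConnection -ComputerName $dc -Port $p -WarningAction SilentlyContinue
    "{0}:{1} reachable = {2}" -f $dc, $p, $r.TcpTestSucceeded
}

# SPN: look up the SPN a client would request, then search the domain for duplicates.
setspn -Q "MSSQLSvc/${sqlHost}:$port"
setspn -X

# Time: offset against the DC. Kerberos tolerates 5 minutes of clock skew by default.
w32tm /stripchart "/computer:$dc" /samples:1 /dataonly

# Authentication: scheme negotiated for the current connection (KERBEROS or NTLM).
Invoke-DbaQuery -SqlInstance $sqlHost -Query @"
SELECT auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@SPID
"@
```

An `auth_scheme` of NTLM on a domain connection is the usual sign that one of the earlier checks (SPN, DNS or time) needs attention.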
Syntax
Test-DbaKerberos -SqlInstance <DbaInstanceParameter[]>
[-SqlCredential <PSCredential>]
[-Credential <PSCredential>]
[-Detailed]
[-EnableException]
[<CommonParameters>]
Test-DbaKerberos -ComputerName <DbaInstanceParameter[]>
[-SqlCredential <PSCredential>]
[-Credential <PSCredential>]
[-Detailed]
[-EnableException]
[<CommonParameters>]
Examples
Example: 1
PS C:\> Test-DbaKerberos -SqlInstance sql2016
Performs comprehensive Kerberos diagnostic checks for the sql2016 instance, returning pass/fail status for each check.
Example: 2
PS C:\> Test-DbaKerberos -SqlInstance sql2016 -Detailed
Performs comprehensive Kerberos diagnostic checks with detailed output including verbose findings and intermediate results.
Example: 3
PS C:\> Test-DbaKerberos -SqlInstance sql2016, sql2019 -Credential (Get-Credential)
Tests multiple SQL Server instances using specified credentials for AD queries.
Example: 4
PS C:\> Test-DbaKerberos -ComputerName SERVER01 -SqlCredential ad\sqldba
Tests Kerberos configuration for all SQL instances on SERVER01 using specified AD credentials.
Example: 5
PS C:\> Get-DbaRegServer -SqlInstance sqlcentral | Test-DbaKerberos | Where-Object Status -eq "Fail"
Tests all registered servers and returns only the checks that failed, useful for identifying problems across your environment.
Required Parameters
-SqlInstance
The target SQL Server instance or instances to test Kerberos configuration.
Accepts SQL Server instance names and supports pipeline input for bulk testing.
The function will perform comprehensive Kerberos diagnostics for each specified instance.
| Property | Value |
|---|---|
| Alias | |
| Required | True |
| Pipeline | true (ByValue) |
| Default Value | |
-ComputerName
Alternative parameter to specify target computers to test.
Use this when you want to test Kerberos configuration at the computer level rather than for specific SQL instances.
Accepts computer names, IP addresses, or fully qualified domain names.
| Property | Value |
|---|---|
| Alias | |
| Required | True |
| Pipeline | true (ByValue) |
| Default Value | |
Optional Parameters
-SqlCredential
Login to the target instance using alternative credentials. Accepts PowerShell credentials (Get-Credential).
Windows Authentication, SQL Server Authentication, Active Directory - Password, and Active Directory - Integrated are all supported.
For MFA support, please use Connect-DbaInstance.
| Property | Value |
|---|---|
| Alias | |
| Required | False |
| Pipeline | false |
| Default Value | |
-Credential
Alternative credential for connecting to Active Directory.
Required for querying AD to verify SPN registrations and service account properties.
| Property | Value |
|---|---|
| Alias | |
| Required | False |
| Pipeline | false |
| Default Value | |
-Detailed
Returns detailed diagnostic output including intermediate check results and verbose findings.
Use this switch when you need comprehensive troubleshooting information beyond pass/fail status.
| Property | Value |
|---|---|
| Alias | |
| Required | False |
| Pipeline | false |
| Default Value | False |
-EnableException
By default, when something goes wrong we try to catch it, interpret it and give you a friendly warning message.
This avoids overwhelming you with “sea of red” exceptions, but is inconvenient because it basically disables advanced scripting.
Using this switch turns this “nice by default” feature off and enables you to catch exceptions with your own try/catch.
| Property | Value |
|---|---|
| Alias | |
| Required | False |
| Pipeline | false |
| Default Value | False |
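One way to use -EnableException together with the Status value in a pre-migration or audit gate. This is an added example, not part of the dbatools documentation; the instance names are placeholders, and the record built in the catch block is constructed for this script and only reuses the Status property shown in Example 5.

```powershell
# Added illustration: fail a pipeline step when any Kerberos check fails.
# Instance names are placeholders (assumptions).
$instances = 'sql2016', 'sql2019'

$results = foreach ($instance in $instances) {
    try {
        # -EnableException turns the friendly warning into a terminating error,
        # so a connection or AD query problem lands in the catch block below.
        Test-DbaKerberos -SqlInstance $instance -EnableException
    } catch {
        Write-Warning "Could not test ${instance}: $($_.Exception.Message)"
        # Constructed record so an untestable instance still counts as a failure.
        # Only 'Status' mirrors the real output; the other names are local to this script.
        [pscustomobject]@{
            Target = $instance
            Status = 'Fail'
            Error  = $_.Exception.Message
        }
    }
}

# Summary by status (Pass / Fail / Warning).
$results | Group-Object -Property Status -NoElement

# Show the failed checks in full, then stop the calling job.
$failed = @($results | Where-Object Status -eq 'Fail')
if ($failed.Count -gt 0) {
    $failed | Format-List -Property * | Out-String | Write-Host
    throw "$($failed.Count) Kerberos check(s) failed"
}
```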