Test-DbaKerberos
Synopsis
Tests Kerberos authentication configuration for SQL Server instances by performing comprehensive diagnostic checks.
Description
This function performs a comprehensive suite of diagnostic checks to troubleshoot Kerberos authentication issues for SQL Server instances. It addresses the most common causes of Kerberos authentication failures including SPN configuration problems, DNS issues, time synchronization errors, service account configuration, network connectivity problems, and security policy misconfigurations.
The function performs the checks listed below, grouped into 9 categories (plus one additional SPN check per Availability Group listener):
SPN (1-2+ checks):
- SPN Registration - Verifies required SPNs are registered using Test-DbaSpn
- AG Listener SPN - One check per Availability Group listener (if any exist)
Time Sync (2 checks):
- Client-Server time synchronization (Kerberos rejects tickets when clocks differ by more than the default 5-minute maximum skew)
- Server-DC time synchronization
DNS (3 checks):
- Forward lookup verification
- Reverse lookup verification
- CNAME detection (connecting through a CNAME alias commonly breaks Kerberos, because the SPN the client requests no longer matches the SPN registered for the underlying host)
Service Account (3 checks):
- Service account type validation (gMSA, domain account, built-in accounts)
- Account lock status in Active Directory
- Delegation settings (“sensitive and cannot be delegated” flag)
Authentication (1 check):
- Current authentication scheme (Kerberos vs NTLM)
Network (3 checks):
- Kerberos KDC port TCP/88 connectivity to DC
- LDAP port TCP/389 connectivity to DC
- Kerberos password change (kpasswd) port TCP/464 connectivity to DC
Security Policy (3 checks):
- Kerberos encryption types configuration
- Computer secure channel health
- Hosts file entries that may override DNS
SQL Configuration (2 checks):
- SQL Server service account configuration
- Network protocol configuration (TCP/IP enabled)
Client (1 check):
- Kerberos ticket cache inspection via klist
Each check returns a structured result with ComputerName, InstanceName, Check, Category, Status (Pass/Fail/Warning), Details, and Remediation recommendations.
Note: When using -ComputerName instead of -SqlInstance, SQL Server-specific checks (service account, authentication scheme, network protocols) are skipped.
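The following is an added example, not dbatools code: hand-rolled versions of several of the checks listed above (DNS forward/reverse/CNAME, clock skew against the DC, KDC/LDAP/kpasswd ports, SPN lookup including duplicate detection, and the auth scheme SQL Server actually negotiated), so the reasoning behind a Pass/Fail/Warning is visible. It assumes Windows PowerShell 5.1 on a domain-joined client with the DnsClient and NetTCPIP modules and w32tm.exe available; the function name Test-KerberosPrereq and the host and DC names are hypothetical.

```powershell
# Added example (not dbatools code). Host, DC and function names are hypothetical.
function Test-KerberosPrereq {
    param(
        [Parameter(Mandatory)][string]$SqlHostFqdn,      # e.g. sql2016.contoso.com
        [Parameter(Mandatory)][string]$DomainController, # e.g. dc01.contoso.com
        [int]$Port = 1433,
        [int]$MaxSkewMinutes = 5                         # Kerberos default clock tolerance
    )
    $out = New-Object System.Collections.Generic.List[object]
    function Add-Result($Category, $Check, $Status, $Details, $Remediation = 'None') {
        $out.Add([pscustomobject]@{ ComputerName = $SqlHostFqdn; Category = $Category
            Check = $Check; Status = $Status; Details = $Details; Remediation = $Remediation })
    }

    # DNS: forward lookup, CNAME detection, reverse lookup
    try {
        $fwd   = Resolve-DnsName -Name $SqlHostFqdn -Type A -ErrorAction Stop
        $cname = $fwd | Where-Object Type -eq 'CNAME'
        $a     = $fwd | Where-Object Type -eq 'A' | Select-Object -First 1
        Add-Result 'DNS' 'Forward Lookup' 'Pass' "$SqlHostFqdn -> $($a.IPAddress)"
        if ($cname) {
            Add-Result 'DNS' 'CNAME Detection' 'Fail' "$SqlHostFqdn is an alias for $($cname.NameHost)" `
                'Connect with the canonical A-record name, or register MSSQLSvc SPNs for the alias'
        } else { Add-Result 'DNS' 'CNAME Detection' 'Pass' 'A record, no alias' }
        $ptr = Resolve-DnsName -Name $a.IPAddress -Type PTR -ErrorAction SilentlyContinue | Select-Object -First 1
        if ($ptr -and $ptr.NameHost.TrimEnd('.') -ieq $SqlHostFqdn) {
            Add-Result 'DNS' 'Reverse Lookup' 'Pass' "$($a.IPAddress) -> $($ptr.NameHost)"
        } else {
            Add-Result 'DNS' 'Reverse Lookup' 'Warning' "PTR for $($a.IPAddress) is '$($ptr.NameHost)'" `
                'Correct the PTR record so forward and reverse names agree'
        }
    } catch { Add-Result 'DNS' 'Forward Lookup' 'Fail' $_.Exception.Message 'Fix the A record for the host' }

    # Time Sync: offset from the DC via w32tm (data line looks like "10:01:02, +00.0123456s")
    $sample = & w32tm.exe /stripchart /computer:$DomainController /samples:1 /dataonly 2>&1 |
              Where-Object { "$_" -match '([+-]\d+\.\d+)s' } | Select-Object -Last 1
    if ($sample -and "$sample" -match '([+-]\d+\.\d+)s') {
        $skewMin = [math]::Abs([double]$Matches[1]) / 60
        $status  = if ($skewMin -lt $MaxSkewMinutes) { 'Pass' } else { 'Fail' }
        Add-Result 'Time Sync' 'Client-DC Skew' $status ('{0:N2} min' -f $skewMin) `
            $(if ($status -eq 'Fail') { 'Run w32tm /resync and check the time source hierarchy' } else { 'None' })
    } else { Add-Result 'Time Sync' 'Client-DC Skew' 'Warning' 'w32tm returned no sample' 'Verify NTP (UDP/123) to the DC' }

    # Network: KDC (88), LDAP (389) and kpasswd (464) on the DC
    foreach ($p in 88, 389, 464) {
        $ok = Test-NetConnection -ComputerName $DomainController -Port $p -InformationLevel Quiet -WarningAction SilentlyContinue
        Add-Result 'Network' "TCP/$p to DC" $(if ($ok) { 'Pass' } else { 'Fail' }) "$DomainController`:$p reachable=$ok" `
            $(if ($ok) { 'None' } else { 'Open the port on firewalls between client and DC' })
    }

    # SPN: search AD for the exact strings a client requests (host:port plus the portless form).
    # Zero hits means NTLM fallback; more than one is a duplicate SPN, which the KDC cannot map
    # to a single account and therefore cannot issue a service ticket for.
    foreach ($spn in "MSSQLSvc/$SqlHostFqdn`:$Port", "MSSQLSvc/$SqlHostFqdn") {
        $hits = ([adsisearcher]"(servicePrincipalName=$spn)").FindAll()
        switch ($hits.Count) {
            0       { Add-Result 'SPN' "SPN $spn" 'Fail' 'Not registered' "setspn -S $spn <SQL service account>" }
            1       { Add-Result 'SPN' "SPN $spn" 'Pass' "Registered on $($hits[0].Properties['samaccountname'])" }
            default { Add-Result 'SPN' "SPN $spn" 'Fail' "Duplicate: found on $($hits.Count) accounts" `
                          'Remove the stale registration with setspn -D' }
        }
    }

    # Authentication: ask SQL Server what this connection negotiated (own session needs no VIEW SERVER STATE)
    try {
        $cs = "Server=$SqlHostFqdn,$Port;Integrated Security=SSPI;Encrypt=True;TrustServerCertificate=True;Connect Timeout=5"
        $cn = New-Object System.Data.SqlClient.SqlConnection -ArgumentList $cs
        $cn.Open()
        $cmd = $cn.CreateCommand()
        $cmd.CommandText = 'SELECT auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@SPID'
        $scheme = [string]$cmd.ExecuteScalar()
        $cn.Close()
        $kerb = $scheme -eq 'KERBEROS'
        Add-Result 'Authentication' 'Auth Scheme' $(if ($kerb) { 'Pass' } else { 'Warning' }) $scheme `
            $(if ($kerb) { 'None' } else { 'NTLM fallback: act on the SPN and DNS results above' })
    } catch { Add-Result 'Authentication' 'Auth Scheme' 'Warning' $_.Exception.Message 'Could not connect to the instance' }

    $out
}

Test-KerberosPrereq -SqlHostFqdn sql2016.contoso.com -DomainController dc01.contoso.com |
    Format-Table Category, Check, Status, Details -AutoSize
```

The auth_scheme query is the definitive test: everything else explains why a connection fell back to NTLM, but only sys.dm_exec_connections tells you whether it did. Run the function from the client that actually has the problem, since DNS, clock and port results are client-specific.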
Syntax
Test-DbaKerberos -SqlInstance <DbaInstanceParameter[]>
[-SqlCredential <PSCredential>]
[-Credential <PSCredential>]
[-EnableException]
[<CommonParameters>]
Test-DbaKerberos -ComputerName <DbaInstanceParameter[]>
[-SqlCredential <PSCredential>]
[-Credential <PSCredential>]
[-EnableException]
[<CommonParameters>]
Examples
Example: 1
PS C:\> Test-DbaKerberos -SqlInstance sql2016
Performs comprehensive Kerberos diagnostic checks for the sql2016 instance, returning pass/fail/warning status for each check with remediation recommendations.
Example: 2
PS C:\> Test-DbaKerberos -SqlInstance sql2016 -SqlCredential (Get-Credential) -Credential (Get-Credential)
Tests Kerberos configuration using SQL credentials to connect to the instance and separate AD credentials for remote WinRM and Active Directory queries.
Example: 3
PS C:\> Test-DbaKerberos -SqlInstance sql2016, sql2019
Tests multiple SQL Server instances in a single command.
Example: 4
PS C:\> Test-DbaKerberos -ComputerName SERVER01 -Credential (Get-Credential)
Tests Kerberos configuration at the computer level using specified credentials for WinRM and AD queries. SQL Server-specific checks are skipped.
Example: 5
PS C:\> Get-DbaRegServer -SqlInstance sqlcentral | Test-DbaKerberos | Where-Object Status -eq "Fail"
Tests all registered servers and returns only the checks that failed, useful for identifying problems across your environment.
Example: 6
PS C:\> Test-DbaKerberos -SqlInstance sql2016 | Where-Object Category -eq "SPN"
Returns only the SPN-related checks for the specified instance.
Example: 7
PS C:\> Test-DbaKerberos -SqlInstance sql2016 | Format-Table -AutoSize
Displays results in a formatted table for easier reading.
Required Parameters
-SqlInstance
The target SQL Server instance or instances to test Kerberos configuration.
Accepts SQL Server instance names and supports pipeline input for bulk testing.
All checks including SQL Server-specific checks will be performed.
| Property | Value |
|---|---|
| Alias | |
| Required | True |
| Pipeline | true (ByValue) |
| Default Value | |
-ComputerName
Alternative parameter to specify target computers to test.
Use this when you want to test Kerberos configuration at the computer level rather than for specific SQL instances.
Accepts computer names, IP addresses, or fully qualified domain names.
Note: SQL Server-specific checks will be skipped when using this parameter.
| Property | Value |
|---|---|
| Alias | |
| Required | True |
| Pipeline | true (ByValue) |
| Default Value | |
Optional Parameters
-SqlCredential
Login to the target SQL Server instance using alternative credentials. Accepts PowerShell credentials (Get-Credential).
Windows Authentication, SQL Server Authentication, Active Directory - Password, and Active Directory - Integrated are all supported.
For MFA support, please use Connect-DbaInstance.
| Property | Value |
|---|---|
| Alias | |
| Required | False |
| Pipeline | false |
| Default Value | |
-Credential
Credential for remote WinRM connections and Active Directory queries.
Used for Invoke-Command calls to remote servers and for querying AD to verify SPN registrations and service account properties.
| Property | Value |
|---|---|
| Alias | |
| Required | False |
| Pipeline | false |
| Default Value | |
-EnableException
By default, when something goes wrong we try to catch it, interpret it and give you a friendly warning message.
This avoids overwhelming you with “sea of red” exceptions, but is inconvenient because it basically disables advanced scripting.
Using this switch turns this “nice by default” feature off and enables you to catch exceptions with your own try/catch.
| Property | Value |
|---|---|
| Alias | |
| Required | False |
| Pipeline | false |
| Default Value | False |
Outputs
PSCustomObject
Returns one object per diagnostic check performed (typically 20-25+ checks depending on configuration) with the following properties:
- ComputerName (string) - The name of the computer or SQL Server host that was tested
- InstanceName (string) - The SQL Server instance name if testing an instance; $null if testing at the computer level
- Check (string) - Name of the specific diagnostic check (e.g., “SPN Registration”, “Time Synchronization (Client-Server)”, “DNS Forward Lookup”)
- Category (string) - Category grouping the check: SPN, Time Sync, DNS, Service Account, Authentication, Network, Security Policy, SQL Configuration, or Client
- Status (string) - Result of the check: “Pass” (configuration is correct), “Fail” (configuration error or problem detected), or “Warning” (potential issue or unable to verify)
- Details (string) - Specific details about the check result, including measurements (e.g., time differences in minutes, missing SPNs, port status)
- Remediation (string) - Recommended action to resolve the issue (or “None” if the check passed)
Each check returns a separate PSCustomObject, enabling filtering by Category, Status, or other properties to focus on specific diagnostic areas. Output is returned immediately for each check, enabling real-time monitoring of diagnostic progress. The function may return additional checks for Availability Group listeners if any exist on the instance, each with a check name beginning “AG Listener SPN - ”.
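As an added example (not dbatools code), the per-check objects described above can be rolled up into an estate-wide report: one summary row per instance whose worst status wins, a CSV worklist of everything that did not pass, and a non-zero exit for scheduled jobs. It assumes dbatools is installed and that sqlcentral is a Central Management Server; that name and the output path are hypothetical.

```powershell
# Added example, not dbatools code. sqlcentral and the CSV path are hypothetical.
Import-Module dbatools
$results = Get-DbaRegServer -SqlInstance sqlcentral | Test-DbaKerberos

# One row per instance; the worst status among its checks wins (Fail > Warning > Pass)
$rank = @{ Pass = 0; Warning = 1; Fail = 2 }
$summary = $results | Group-Object ComputerName, InstanceName | ForEach-Object {
    $g = $_.Group
    [pscustomobject]@{
        ComputerName = $g[0].ComputerName
        InstanceName = $g[0].InstanceName
        Checks       = $g.Count
        Fail         = @($g | Where-Object Status -eq 'Fail').Count
        Warning      = @($g | Where-Object Status -eq 'Warning').Count
        Overall      = ($g | Sort-Object { $rank[$_.Status] } -Descending | Select-Object -First 1).Status
        AuthScheme   = (@($g | Where-Object Category -eq 'Authentication').Details -join ';')
    }
}
$summary | Sort-Object { $rank[$_.Overall] } -Descending | Format-Table -AutoSize

# Remediation worklist: only non-passing checks, with the recommendation the function already supplies
$results | Where-Object Status -ne 'Pass' |
    Select-Object ComputerName, InstanceName, Category, Check, Status, Details, Remediation |
    Export-Csv -Path .\kerberos-remediation.csv -NoTypeInformation

# Gate: a scheduled job or pipeline step fails on any hard Fail
if (@($results | Where-Object Status -eq 'Fail').Count -gt 0) { exit 1 }
```

Keeping Warning separate from Fail matters here: a Warning also covers checks the function could not verify (for example when -ComputerName skips the SQL-specific checks), so treating it as a failure would page on-call for missing data rather than a broken configuration.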
dbatools