
Sunday 17 July 2011

Kerberos Authentication Using MS SQL Server 2008

If you need to incorporate computers from a different workgroup into your company domain, you must ensure that your company users use Kerberos authentication to communicate with the SQL Server from the workgroup. Your company database is configured as shown in the exhibit:




You must have a Service Principal Name (SPN) registered with Active Directory for the clients of your company domain to use Kerberos authentication with the SQL Server from the workgroup. In the scenario, the SQL Server from the workgroup will become part of the company domain. The client and SQL Server must be a part of the same domain or in a trusted domain to use Kerberos authentication. Once an SPN is registered, Active Directory acts as the Key Distribution Center (KDC) in a Windows domain, and the SPN will map to the Windows account that started the SQL Server instance. If the SPN registration fails or is not completed, Kerberos authentication will not be used because the Windows security layer cannot determine if a Windows account is associated with a particular SQL Server instance.
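
One way to check the SPN registration described above and confirm that a session actually negotiated Kerberos. This is an added example, not part of the original post; the host name, port and service account are placeholder assumptions to replace with your own values.

```powershell
# Added example. Every value below is a placeholder (assumption), not from the page.
$SqlHost = 'sql01.corp.example.com'  # FQDN of the SQL Server host
$Port    = 1433                      # TCP port the instance listens on
$SvcAcct = 'CORP\svc-sql'            # Windows account that starts the SQL Server service

# SPNs a client requests: host:port for TCP, bare host for a default
# instance reached over another protocol.
$expected = @("MSSQLSvc/${SqlHost}:$Port", "MSSQLSvc/$SqlHost")

# setspn -L lists the SPNs registered to one account, one per indented line.
$registered = & setspn.exe -L $SvcAcct 2>&1 | ForEach-Object { "$_".Trim() }

foreach ($spn in $expected) {
    if ($registered -contains $spn) {      # -contains is case-insensitive
        Write-Host "[ok]      $spn -> $SvcAcct"
    } else {
        # -S checks for an existing duplicate before adding the SPN; it requires
        # permission to write the account's servicePrincipalName attribute.
        Write-Host "[missing] $spn    fix: setspn -S $spn $SvcAcct"
    }
}

# The same SPN registered on two accounts also makes Kerberos fail; -X reports duplicates.
& setspn.exe -X

# Confirm what a real session negotiated. Run this from a domain-joined client.
# Reading sys.dm_exec_connections requires VIEW SERVER STATE on the instance.
$cs   = "Server=tcp:$SqlHost,$Port;Integrated Security=SSPI"
$conn = New-Object System.Data.SqlClient.SqlConnection $cs
try {
    $conn.Open()
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = 'SELECT auth_scheme FROM sys.dm_exec_connections ' +
                       'WHERE session_id = @@SPID'
    $scheme = [string]$cmd.ExecuteScalar()   # SQL, NTLM or KERBEROS
    if ($scheme -eq 'KERBEROS') {
        Write-Host "[ok]      session authenticated with Kerberos"
    } else {
        Write-Warning "session used $scheme, not Kerberos; recheck the SPN registration"
    }
} finally {
    $conn.Dispose()
}
```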