NT AUTHORITY\ANONYMOUS LOGON failure

  • I have read countless threads/articles on this and still have the problem. Here is the history.

    Moved an ASP.NET website and SQL 2000 database from SBS2003 to separate IIS and SQL Server. The new IIS 7.5 server is on a separate server from the SQL 2008 R2 Server.

    The IIS 7.5 website is using Windows authentication and ASP.NET impersonation. I want to use the original caller's credentials so I can do granular role authorization in the database for specific domain users. I added Kerberos to the IIS Authentication Providers. The IIS server is set up for constrained delegation and has access to the MSSQLSvc services on the SQL Server.

    I ran sp_helpuser on the database to make sure each User in the database is mapped to a SQL Login. Everything looks OK, I think. There are no NULL Logins listed for any UserName.

    The problem:

    Only one user, let's call him <domain>\<user1> can access the database. All other users get Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'. This happens when the user tries to make a connection to the SQL database. If the user is accessing a page without any database access, there is no problem. The role based security trimming in ASP.NET works fine.

    I have tried both ApplicationPoolIdentity and NetworkService as the IIS process identity. I added NT AUTHORITY\NETWORK SERVICE as db_owner per one article. I have tried adding and removing NTLM, Negotiate, and Negotiate: Kerberos to the IIS Authentication providers with varying error messages as the result - no solutions.

    Nothing seems to work. What gives? Any help is really appreciated.

  • Might be worth running profiler while attempting logging in via the web site with:

    1. a user who can successfully log in.

    2. a user who cannot log in.

    Check what the NTUserName column says. In Profiler, select Audit Login and Audit Login Failed.

    Sorry this does not give your answer, but it may help lead you there.

    I had a case similar to this once. It turned out the site was hitting the db using the server local account ($servername). Profiler helped nail this one for me. Post more details once you run the trace.
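
The trace suggested in the reply above can also be run as a server-side trace on the SQL Server, which avoids keeping the Profiler GUI attached. This script is an added example, not part of the original thread; the output path `C:\Traces\login_audit` and the two-minute capture window are assumptions to adjust.

```sql
-- Added example: captures Audit Login and Audit Login Failed with NTUserName,
-- waits while a working and a failing user each load a database-backed page,
-- then stops the trace and lists who SQL Server saw on each connection.
DECLARE @TraceID int,
        @maxsize bigint = 50,   -- MB; sp_trace_create requires a bigint
        @on      bit    = 1;

-- Assumed path; the folder must exist and SQL Server appends ".trc".
EXEC sp_trace_create @TraceID OUTPUT, 0, N'C:\Traces\login_audit', @maxsize, NULL;

-- Event 14 = Audit Login, event 20 = Audit Login Failed.
-- Columns: 1 TextData, 6 NTUserName, 7 NTDomainName, 8 HostName,
--          10 ApplicationName, 11 LoginName, 14 StartTime.
EXEC sp_trace_setevent @TraceID, 14, 6,  @on;
EXEC sp_trace_setevent @TraceID, 14, 7,  @on;
EXEC sp_trace_setevent @TraceID, 14, 8,  @on;
EXEC sp_trace_setevent @TraceID, 14, 10, @on;
EXEC sp_trace_setevent @TraceID, 14, 11, @on;
EXEC sp_trace_setevent @TraceID, 14, 14, @on;
EXEC sp_trace_setevent @TraceID, 20, 1,  @on;
EXEC sp_trace_setevent @TraceID, 20, 6,  @on;
EXEC sp_trace_setevent @TraceID, 20, 7,  @on;
EXEC sp_trace_setevent @TraceID, 20, 8,  @on;
EXEC sp_trace_setevent @TraceID, 20, 10, @on;
EXEC sp_trace_setevent @TraceID, 20, 11, @on;
EXEC sp_trace_setevent @TraceID, 20, 14, @on;

EXEC sp_trace_setstatus @TraceID, 1;   -- start

-- Reproduce both logins through the web site during this window (assumed length).
WAITFOR DELAY '00:02:00';

EXEC sp_trace_setstatus @TraceID, 0;   -- stop
EXEC sp_trace_setstatus @TraceID, 2;   -- close and delete the trace definition

-- Compare the rows for the working and the failing user. A failing row whose
-- LoginName is NT AUTHORITY\ANONYMOUS LOGON shows the caller's identity did not
-- reach SQL Server; HostName shows which machine opened the connection.
SELECT StartTime, EventClass, NTDomainName, NTUserName, LoginName,
       HostName, ApplicationName, TextData
FROM sys.fn_trace_gettable(N'C:\Traces\login_audit.trc', DEFAULT)
WHERE EventClass IN (14, 20)
ORDER BY StartTime;
```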
