Local System Account authentication issue

  • Hi all,

    I have a strange issue, starting these days after applying some Microsoft hotfixes (don't know which one caused it, MS09-012 or MS09-013).

    Our Backup software is running under LocalSystem using "integrated" authentication, the SQL Server is running under named domain accounts. This setup worked fine in the past.

    After the patching the backup software cannot authenticate any more, and if we trace for authentications we get the following:

    Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.

    If I trace the same on another system (not yet patched, where it is still working), I see that

    'NT AUTHORITY\System' is logging in successfully (when the backup software is connecting)

    Did anyone else face a similar behaviour? Is there any known issue with the patches or a workaround to that?

    Thanks and regards

    Andreas

  • Not knowing what those hotfixes are and do, when you get errors like

    Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.

    it is usually a Kerberos related problem.

    Do you have Kerberos authentication configured for that SQL instance?

    Use this to check what authentication scheme connections are using:

        -- one row per session: login name and the scheme it authenticated with
        select s.login_name, c.auth_scheme
        from sys.dm_exec_connections as c,
             sys.dm_exec_sessions as s
        where c.session_id = s.session_id

    --
    Andrew Hatfield

  • Hi Andrew,

    Thanks for your reply. One of the hotfixes modified something with the "LocalSystem" Account, I guess that's why it doesn't work any more. We are using Mixed Mode Authentication, the Backup Software is using the Integrated Authentication Mode - so I guess this is really Kerberos.

    In the meantime we found a workaround: We have a dedicated network interface for backups. We found out that it works when we configure our software to authenticate against the default NIC and run the backups over the backup NIC. However, I still wonder why it worked in the past before we installed those security patches. I guess something has been "fixed" with the patch that was fundamental for our backup software to work.

    If we do it like that, we see that a user DOMAIN\COMPUTERNAME$ is connecting successfully, which is a hint that Kerberos is used, IIRC.

    regards

    Andreas
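
Added example, not part of the original thread: a fuller version of the authentication-scheme check that also shows which server-side address each connection arrived on, so connections over the default NIC and the backup NIC can be compared. It assumes SQL Server 2005 or later and a login with VIEW SERVER STATE; the LIKE filters for LocalSystem and machine accounts are assumptions based on the login names quoted in the thread.

```sql
-- Added example: how did each LocalSystem / machine-account session
-- authenticate, and on which server address did it connect?
SELECT
    s.login_name,                       -- e.g. NT AUTHORITY\SYSTEM or DOMAIN\COMPUTERNAME$
    s.host_name,                        -- client machine name as reported by the client
    s.program_name,                     -- client application name (client-supplied)
    c.auth_scheme,                      -- KERBEROS, NTLM or SQL
    c.net_transport,                    -- TCP, Named pipe, Shared memory
    c.local_net_address,                -- server IP the client targeted (NULL unless TCP)
    c.client_net_address,               -- address the client connected from
    COUNT(*)            AS connections,
    MAX(c.connect_time) AS last_connect
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions    AS s
    ON s.session_id = c.session_id
WHERE s.is_user_process = 1
  AND (   s.login_name LIKE N'NT AUTHORITY\%'   -- LocalSystem on the SQL Server host itself
       OR s.login_name LIKE N'%$')              -- remote LocalSystem shows up as the machine account
GROUP BY
    s.login_name, s.host_name, s.program_name,
    c.auth_scheme, c.net_transport,
    c.local_net_address, c.client_net_address
ORDER BY
    s.login_name, c.local_net_address;
```

These views list only established sessions, so the failed 'NT AUTHORITY\ANONYMOUS LOGON' attempts never appear here; they show up in the SQL Server error log and login traces instead.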
