What is user account 'NT AUTHORITY\ANONYMOUS LOGON' ?

  • I have recently inherited a SQL Instance containing a number of databases.

    These databases contain a user account called 'NT AUTHORITY\ANONYMOUS LOGON' and this user account is granted a specific select permission on a specific user table.

    (The public role has also been assigned various select privileges to various tables, so presumably the 'NT AUTHORITY\ANONYMOUS LOGON' user account also has these privileges.)

    But I don't understand what this user account is...

    Who uses it?

    Who is able to connect to the database with this user account?

    (There is also a server login called 'NT AUTHORITY\ANONYMOUS LOGON' which is mapped to the equivalent account in each database.)

    I've done an internet search and come across numerous posts related to error messages for "Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'."

    But I want to take one step back and find out why such a user account is needed in the first place?

    Any thoughts?

  • When the OS can't validate who you are, you are NT AUTHORITY\ANONYMOUS LOGON. You typically see this in double hop situations like when you have a client connecting to SSRS and SSRS isn't on the same server as the SQL Server where the DB is located. As you might have guessed, they shouldn't have done this. Typically the right answer is to get Kerberos delegation correct.

    It sounds like you need to track down the whys as to this security hole and figure out where it's coming from and get that fixed.

    K. Brian Kelley
    @kbriankelley
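    As an added example (not part of the thread), a T-SQL audit that shows what the login Brian describes can actually reach on this instance: its server-level grants, the database-level permissions it holds directly or inherits through public, and whether anything is connected under it right now. It assumes SQL Server 2012 or later and a login holding VIEW SERVER STATE and VIEW ANY DEFINITION; the login name is the one discussed above.

    ```sql
    -- Constructed audit script (added example, not from the thread).
    -- Assumes SQL Server 2012+ and a caller with VIEW SERVER STATE / VIEW ANY DEFINITION.
    DECLARE @anon sysname = N'NT AUTHORITY\ANONYMOUS LOGON';

    -- 1. Server level: does the login exist, is it enabled, and what was granted to it?
    SELECT sp.name, sp.type_desc, sp.is_disabled,
           perm.permission_name, perm.state_desc
    FROM sys.server_principals AS sp
    LEFT JOIN sys.server_permissions AS perm
           ON perm.grantee_principal_id = sp.principal_id
    WHERE sp.name = @anon;

    -- 2. Database level (run in each database, or wrap in sp_MSforeachdb):
    --    explicit grants to the anonymous user plus everything it inherits via public.
    SELECT DB_NAME() AS database_name,
           dp.name AS grantee,
           perm.class_desc,
           CASE perm.class_desc
                WHEN 'OBJECT_OR_COLUMN'
                THEN OBJECT_SCHEMA_NAME(perm.major_id) + '.' + OBJECT_NAME(perm.major_id)
                ELSE NULL
           END AS object_name,
           perm.permission_name, perm.state_desc
    FROM sys.database_principals AS dp
    JOIN sys.database_permissions AS perm
      ON perm.grantee_principal_id = dp.principal_id
    WHERE dp.name IN (@anon, N'public')
    ORDER BY dp.name, object_name;

    -- 3. Live check: is anything connected as the anonymous login right now,
    --    from which host and program, and with which authentication scheme?
    --    The host/program columns point at the middle tier (e.g. the SSRS box)
    --    whose delegation is failing; auth_scheme shows Kerberos vs NTLM.
    SELECT s.session_id, s.login_name, s.host_name, s.program_name,
           c.auth_scheme, c.client_net_address
    FROM sys.dm_exec_sessions AS s
    JOIN sys.dm_exec_connections AS c ON c.session_id = s.session_id
    WHERE s.login_name = @anon;
    ```

    Step 2 matters because a grant to public is inherited by every database user, including this one and, where enabled, guest, so the anonymous user's effective access is usually wider than its explicit grants suggest.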

  • Thanks Brian, it looks like I need to do some further investigation.

    Unfortunately the previous dba has now left the company.

    Being relatively new to the role myself, I need to learn more about Kerberos delegation...

    I am rather worried about non-validated users having permission to read some db tables, and I can't think of what valid reasons there may be to allow this.

    Presumably we have the guest user account 'if' we wanted general users to perform certain actions with the database.

    Thus NT AUTHORITY\ANONYMOUS seems to be quite a security risk - though I appreciate I don't fully understand the purpose of the account, or implications of having it.

    If you're able to direct me to any further reading on this topic, I would gratefully receive it 🙂

  • I have an article on here that talks about Kerberos authentication:

    Configuring Kerberos Authentication

    That's a good starting point to understand what is happening.

    K. Brian Kelley
    @kbriankelley
