Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'. Reason: Token-based server access validation failed
Problem
As the title states, I'm getting the following error when attempting to use an ASP.NET webapp:
Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'. Reason: Token-based server access validation failed with an infrastructure error. Check for previous errors. [CLIENT: 192.168.x.x]
This is from the "Application" log on the SQL server. I currently have a clustered setup (using Microsoft Failover Cluster) although the second node has not been configured yet. I've tried configuring SPNs:
setspn -L myserviceaccount
Registered ServicePrincipalNames for :
MSSQLSvc/*SQL.corp.*.local:1433
MSSQLSvc/*SQL.corp.*.local
And indeed, SQL Server does register it correctly as per its logs:
Message
The SQL Server Network Interface library successfully registered the Service Principal Name (SPN) [ MSSQLSvc/my.sql.fqdn ] for the SQL Server service.
However, the query
SELECT auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@spid;
returns NTLM and not Kerberos. I've restarted the server a few times to no avail. SQL Server runs under a domain user account with the appropriate delegation privileges.
Am I missing something?
UPDATE:
I was successfully able to get the SQL Server to use "Kerberos" as per the above query, but I'm still having no luck getting the IIS level to work.
Solution
This is known as the "double hop" issue between SQL Server and IIS. It looks like you may not have trusted the IIS server for delegation.
Here's a good checklist of things to do when setting up SQL Server with IIS using Kerberos.
Here's a great primer on the condition. The anonymous login is a give-away of the problem.
Context
StackExchange Database Administrators Q#52511, answer score: 5
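The delegation check the answer points to, written out as an added example (not part of the original question or answer): it decodes the userAccountControl flags and the msDS-AllowedToDelegateTo list of the IIS identity and tests them against the SQL Server SPN. The function name, account objects and SPN are constructed for illustration; the commented Get-ADObject line shows how the same attributes would be read from a directory with the ActiveDirectory module.

```powershell
# Documented userAccountControl flag values.
$TRUSTED_FOR_DELEGATION         = 0x80000    # unconstrained delegation
$NOT_DELEGATED                  = 0x100000   # "Account is sensitive and cannot be delegated"
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition ("use any authentication protocol")

# Hypothetical helper: evaluates the second hop (IIS -> SQL Server) for one caller.
function Test-SqlDelegation {
    param(
        [Parameter(Mandatory)] $IisAccount,      # needs userAccountControl, msDS-AllowedToDelegateTo
        [Parameter(Mandatory)] $CallerAccount,   # needs userAccountControl
        [Parameter(Mandatory)] [string] $SqlSpn
    )
    $iisUac        = [int]$IisAccount.userAccountControl
    $allowedSpns   = @($IisAccount.'msDS-AllowedToDelegateTo')
    $constrained   = $allowedSpns -contains $SqlSpn          # case-insensitive match
    $unconstrained = ($iisUac -band $TRUSTED_FOR_DELEGATION) -ne 0
    $callerBlocked = ([int]$CallerAccount.userAccountControl -band $NOT_DELEGATED) -ne 0

    $verdict = if ($callerBlocked) {
        'Caller is marked sensitive: its identity cannot be delegated'
    } elseif ($constrained) {
        'Constrained delegation to this SPN is configured'
    } elseif ($unconstrained) {
        'Unconstrained delegation: works, but broader than this SPN needs'
    } else {
        'No delegation to this SPN: second hop arrives as ANONYMOUS LOGON'
    }

    [pscustomobject]@{
        SqlSpn             = $SqlSpn
        Constrained        = $constrained
        Unconstrained      = $unconstrained
        ProtocolTransition = ($iisUac -band $TRUSTED_TO_AUTH_FOR_DELEGATION) -ne 0
        CallerSensitive    = $callerBlocked
        Verdict            = $verdict
    }
}

# Constructed sample data (not from the page): a web server computer account with
# no delegation configured, and an ordinary user account as the caller.
$iis    = [pscustomobject]@{ userAccountControl = 0x1000; 'msDS-AllowedToDelegateTo' = @() }
$caller = [pscustomobject]@{ userAccountControl = 0x200 }
$spn    = 'MSSQLSvc/sql01.example.test:1433'

# Against a real directory (assumed account name WEB01$):
# $iis = Get-ADObject -LDAPFilter '(sAMAccountName=WEB01$)' -Properties userAccountControl,'msDS-AllowedToDelegateTo'

Test-SqlDelegation -IisAccount $iis -CallerAccount $caller -SqlSpn $spn | Format-List
```

The SPN passed in has to match an entry returned by setspn -L for the SQL Server service account, port suffix included.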