Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'. Reason: Token-based server access validation failed


Problem

As the title states, I'm getting the following error when attempting to use an ASP.NET webapp:

Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'. Reason: Token-based server access validation failed with an infrastructure error. Check for previous errors. [CLIENT: 192.168.x.x]

This is from the "Application" log on the SQL server. I currently have a clustered setup (using Microsoft Failover Cluster) although the second node has not been configured yet. I've tried configuring SPNs:

setspn -L myserviceaccount

Registered ServicePrincipalNames for :
        MSSQLSvc/*SQL.corp.*.local:1433
        MSSQLSvc/*SQL.corp.*.local
And indeed, SQL Server does register it correctly as per its logs:

Message
The SQL Server Network Interface library successfully registered the Service Principal Name (SPN) [ MSSQLSvc/my.sql.fqdn ] for the SQL Server service.

However, the query SELECT auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@spid; returns NTLM and not Kerberos. I've restarted the server a few times to no avail. SQL Server runs under a domain user account with the appropriate delegation privileges.

Am I missing something?

UPDATE:

I was successfully able to get the SQL Server to use "Kerberos" as per the above query, but I'm still having no luck getting the IIS level to work.

Solution

This is known as the "double hop" issue between SQL Server and IIS. It looks like you may not have trusted the IIS server for delegation.

Here's a good checklist of things to do when setting up SQL Server with IIS using Kerberos.

Here's a great primer on the condition. The anonymous login is a give-away of the problem.
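An added diagnostic for the checklist this answer points to; it is not code from the question or the answer. It checks, from the web server, the three things the thread turns on: the MSSQLSvc SPNs on the SQL service account (present and not duplicated), whether the IIS identity is trusted for delegation, and the auth_scheme query from the question. It assumes the RSAT ActiveDirectory module is installed; 'myserviceaccount' and 'my.sql.fqdn' come from the question, while 'IISHOST' and $AppPoolAccount are placeholders.

```powershell
# Assumes RSAT ActiveDirectory module; run on the IIS host as a domain user allowed to query SQL.
Import-Module ActiveDirectory

$SqlServiceAccount = 'myserviceaccount'   # account SQL Server runs as (from the question)
$SqlFqdn           = 'my.sql.fqdn'        # SPN host as logged by SQL Server (from the question)
$IisHost           = 'IISHOST'            # placeholder: computer account of the web server
$AppPoolAccount    = $null                # placeholder: set if the app pool runs as a domain user

# 1. SPNs: both MSSQLSvc/<fqdn> and MSSQLSvc/<fqdn>:1433 must be on the service account and
#    on no other object; a duplicate SPN makes clients fall back to NTLM without an obvious error.
$expected = @("MSSQLSvc/$SqlFqdn", "MSSQLSvc/${SqlFqdn}:1433")
$svc = Get-ADUser -Identity $SqlServiceAccount -Properties ServicePrincipalName
foreach ($spn in $expected) {
    $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)")
    if ($svc.ServicePrincipalName -notcontains $spn) { "MISSING on ${SqlServiceAccount}: $spn" }
    elseif ($owners.Count -gt 1) { "DUPLICATE $spn on: $($owners.DistinguishedName -join '; ')" }
    else { "OK $spn" }
}

# 2. Delegation: the identity that carries the web user's ticket to SQL Server (the IIS computer
#    account for built-in app pool identities, otherwise the app pool's domain account) must be
#    trusted for delegation. Constrained delegation to the MSSQLSvc SPNs is preferable to
#    unconstrained (TrustedForDelegation = True), which lets the host delegate to any service.
$hop = if ($AppPoolAccount) {
    Get-ADUser -Identity $AppPoolAccount -Properties TrustedForDelegation, 'msDS-AllowedToDelegateTo'
} else {
    Get-ADComputer -Identity $IisHost -Properties TrustedForDelegation, 'msDS-AllowedToDelegateTo'
}
$constrained = @($hop.'msDS-AllowedToDelegateTo') | Where-Object { $_ -like "MSSQLSvc/$SqlFqdn*" }
if ($constrained)                 { "OK constrained delegation to: $($constrained -join ', ')" }
elseif ($hop.TrustedForDelegation) { "OK unconstrained delegation (consider constraining to MSSQLSvc)" }
else                               { "NOT TRUSTED for delegation: $($hop.Name)" }

# 3. The question's query, run from the web server itself. Kerberos here but NTLM or
#    ANONYMOUS LOGON from the web app means the ticket is lost on the second hop (IIS -> SQL).
$conn = New-Object System.Data.SqlClient.SqlConnection "Server=$SqlFqdn;Integrated Security=SSPI"
$conn.Open()
$cmd = $conn.CreateCommand()
$cmd.CommandText = 'SELECT auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@SPID;'
"auth_scheme from this host: $($cmd.ExecuteScalar())"
$conn.Close()
```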

Context

StackExchange Database Administrators Q#52511, answer score: 5
