SQL Server falling back to NTLM - not using Kerberos

    Question

  • Hi,

    I am working on a "Double hop" scenario and following is the setup:

    1) ASP.NET website running on IIS 6 - Windows Server 2012 R2.

       a) This site uses service account to run application pool.

       b) SPN has been set on the service account.

    2) SQL server 2012

        a) running on LocalSystem account.

        b) SPN has been set on the account.

    When any user hits the website, it tries to open a connection to SQL. Here, we get a "Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'" error. Kerberos authentication has been set on the website and I can see tickets using netmon. I checked authentication at SQL and it gives me 'Kerberos', but netmon shows that when the website opens SQL connections, it uses NTLM. For some reason, SQL falls back to NTLM instead of using Kerberos.

    A few things that I have verified:

    1) SPNs are setup correctly.

    2) No duplicate SPNs exist.

    3) SQL logs show that SPN was registered successfully.

    4) SQL service delegation has been set on the website service account to MSSQLSVC/SQLServer.domain.com:1433.

    I am stuck with this for a long time now. Any help here would be appreciated.

    Monday, March 20, 2017 10:53 PM
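The four checks listed in the question, gathered into one PowerShell diagnostic. This is an added example, not code from the thread or from Microsoft; it assumes the RSAT ActiveDirectory module is installed, and `svc_apppool` is a placeholder for the app-pool service account.

```powershell
# Added example: Kerberos double-hop checks for the IIS -> SQL Server path described above.
# Assumes the RSAT ActiveDirectory module; svc_apppool is a placeholder account name.
Import-Module ActiveDirectory

$PoolAccount = 'svc_apppool'           # placeholder: sAMAccountName of the app-pool identity
$SqlHost     = 'SQLServer.domain.com'  # SQL host FQDN, as in the thread
$SqlPort     = 1433

# 1) SQL runs as LocalSystem, so its SPNs must sit on the SQL computer object.
$sqlComputer = Get-ADComputer -Identity ($SqlHost.Split('.')[0]) -Properties servicePrincipalName
Write-Host "SPNs on SQL computer object:"
$sqlComputer.servicePrincipalName | Where-Object { $_ -like 'MSSQLSvc/*' }

# 2) Duplicate SPNs anywhere in the forest leave the KDC unable to pick one target;
#    any hit here typically shows up on the client as an NTLM fallback.
setspn -X

# 3) Constrained delegation on the pool account: the list must contain the SPN the client
#    actually requests. SqlClient asks for MSSQLSvc/<FQDN>:<port> on a TCP connection, so
#    keep both the port and port-less forms present.
$acct = Get-ADUser -Identity $PoolAccount -Properties msDS-AllowedToDelegateTo, TrustedForDelegation
Write-Host "TrustedForDelegation (unconstrained): $($acct.TrustedForDelegation)"
Write-Host "msDS-AllowedToDelegateTo:"
$acct.'msDS-AllowedToDelegateTo'
foreach ($spn in "MSSQLSvc/$SqlHost", "MSSQLSvc/$SqlHost`:$SqlPort") {
    if ($acct.'msDS-AllowedToDelegateTo' -notcontains $spn) {
        Write-Warning "Delegation list is missing $spn"
    }
}

# 4) On the web server, in a shell running as the pool identity, confirm a service ticket
#    for SQL can be obtained. If this fails while the machine's own tickets work, the
#    connection string is probably using a name (IP, alias, short name) that matches no
#    registered SPN, which is exactly the case where the driver silently falls back to NTLM.
klist get "MSSQLSvc/$SqlHost`:$SqlPort"
klist tickets
```

On the SQL side, the scheme each live connection actually negotiated is in `sys.dm_exec_connections.auth_scheme`, which is the view the question's "authentication at SQL" check reads from.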

All replies

  • Hi poojas,

     

    Which web browser did you use? In your scenario, I think you can check if you have enabled the Kerberos Authentication for the browser. Please check the kerberos tokens.

     

    Best Regards,

    Teige


    MSDN Community Support
    Please remember to click "Mark as Answer" the responses that resolved your issue, and to click "Unmark as Answer" if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.

    Tuesday, March 21, 2017 6:14 AM
  • Thanks Teige,

    I am checking this on IE and Firefox and validated that the browsers support Kerberos. I can see the kerb tickets in netmon but SQL just falls back to NTLM.

    The weird thing that I noticed this morning was that it worked for some time but then started giving the 'ANONYMOUS LOGON' error. I am not sure if this is the expected behavior.

    Tuesday, March 21, 2017 8:09 PM