'IIS' & 'Kerberos' + SQL Login Failure for user 'NT AUTHORITY\ANONYMOUS LOGON'

  • Question

  • Hi all,

    Have spent hours and hours trying to work out what is going on with this issue and I still can't figure it out.

    Hopefully someone here will be able to help.

    A few details to start with...

    Win Server 2003 x64

    SQL Server 2008

    SQL RS 2008

     

    Server A

    SQL Server

    Reporting Services

     

    Server B

    Reporting Services

     

    Server B is scaled out and joined to reportserver DB of Server A.

    ASP on both servers. Some apps only run on server B

    Server B IIS workgroup ID is running under a domain account.

     

    Kerberos Authentication is enabled.

     

    I am showing intermittent errors in the RS logs stating that a connection cannot be made to a particular database, using login 'NT AUTHORITY\ANONYMOUS LOGON' even though anonymous logons are disabled in IIS.

     

    SQL Server logs state this error as....

    Date        19/05/2011 11:11:36
    Log        SQL Server (Current - 19/05/2011 11:11:00)

    Source        Logon

    Message
    Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'. Reason: Token-based server access validation failed with an infrastructure error. Check for previous errors. [CLIENT: XX.XXX.X.XXX]

     

    The apps are open to 2 domains. Domain1 and Domain2. (The IIS account is on Domain1, and the errors are being raised for users on Domain2)

    SPN's have been set as follows

    Server A

    - MSSQLSVC/ServerA:port

    - MSSQLSVC/ServerA.Domain1.local:port

    - Delegation is enabled in AD

     

    Server B

    - HTTP/Server2:port

    - HTTP/Server2.Domain1.local:port

    - Delegation enabled in AD

     

    Also see errors from Server2 event log

     

    Event Type:    Error
    Event Source:    Kerberos
    Event Category:    None
    Event ID:    3
    Date:        19/05/2011
    Time:        11:43:23
    User:        N/A
    Computer:    Server B
    Description:
    A Kerberos Error Message was received:
             on logon session
     Client Time:
     Server Time: 10:43:24.0000 5/19/2011 Z
     Error Code: 0xd KDC_ERR_BADOPTION
     Extended Error: 0xc00000bb KLIN(0)
     Client Realm:
     Client Name:
     Server Realm: Domain1.LOCAL
     Server Name: host/ServerB.Domain1.local
     Target Name: host/ServerB.Domain1.local@Domain1.LOCAL
     Error Text:
     File: 9
     Line: b22
     Error Data is in record data.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
    Data:
    0000: 30 15 a1 03 02 01 03 a2   0.¡....¢
    0008: 0e 04 0c bb 00 00 c0 00   ...»..À.
    0010: 00 00 00 03 00 00 00      .......

     

    If you need any more info let me know

     

    Here's hoping someone can help.

     

    Andy

     

     


    Thursday, May 19, 2011 10:46 AM
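
The record data at the end of the Event ID 3 entry above can be decoded offline; this is an added example, not part of the original post. It assumes the bytes are a DER-encoded KERB-ERROR-DATA whose data-type 3 value is a KERB-EXT-ERROR of three little-endian 32-bit fields (status, KLIN, flags) as described in MS-KILE; the function names and the small NTSTATUS lookup are illustrative.

```python
import struct

# Record data copied from the hex dump of the Kerberos Event ID 3 entry above.
EVENT_DATA = bytes.fromhex(
    "30 15 a1 03 02 01 03 a2 0e 04 0c bb 00 00 c0 00 00 00 00 03 00 00 00"
)

# Small lookup of well-known NTSTATUS values (not exhaustive).
NTSTATUS = {0xC0000022: "STATUS_ACCESS_DENIED", 0xC00000BB: "STATUS_NOT_SUPPORTED"}


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for one DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER value overruns buffer")
    return tag, buf[pos:pos + length], pos + length


def decode_kerb_error_data(blob):
    """Decode SEQUENCE { [1] INTEGER data-type, [2] OCTET STRING data-value }.
    For data-type 3 with a 12-byte value, also unpack status, KLIN and flags."""
    tag, seq, _ = read_tlv(blob, 0)
    if tag != 0x30:
        raise ValueError("expected a DER SEQUENCE")
    out, pos = {}, 0
    while pos < len(seq):
        ctx, inner, pos = read_tlv(seq, pos)       # context tag [1] or [2]
        itag, value, _ = read_tlv(inner, 0)        # wrapped universal type
        if ctx == 0xA1 and itag == 0x02:
            out["data_type"] = int.from_bytes(value, "big", signed=True)
        elif ctx == 0xA2 and itag == 0x04:
            out["data_value"] = value
    if out.get("data_type") == 3 and len(out.get("data_value", b"")) == 12:
        status, klin, flags = struct.unpack("<III", out["data_value"])
        out.update(status=status, klin=klin, flags=flags,
                   status_name=NTSTATUS.get(status, "unknown"))
    return out


if __name__ == "__main__":
    print(decode_kerb_error_data(EVENT_DATA))
```

On the posted bytes this yields data-type 3 with status 0xC00000BB (STATUS_NOT_SUPPORTED) and KLIN 0, which matches the event's "Extended Error: 0xc00000bb KLIN(0)" line.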

All replies

  • Is the domain user account trusted for delegation?  Sounds like it could be a kerberos double hop issue...

    Thursday, May 19, 2011 11:48 AM
  • Please check

    http://social.technet.microsoft.com/Forums/en-US/sharepointadmin/thread/afbbef8e-a29e-4da9-a356-21f03c1ccb47/

    http://www.winvistatips.com/event-id-3-kerberos-t706580.html

    http://www.eventid.net/display.asp?eventid=3&eventno=3536&source=Kerberos&phase=1

     


    http://uk.linkedin.com/in/ramjaddu
    Thursday, May 19, 2011 11:49 AM
  • Hello Andy,

    well - that IS a KERBEROS issue.

    - What port did you use in the SPN?
    - Is it an instance of SQL Server which is running on the server?

    Basically - if your server is running with a system account - the SPN will be set automatically.
    Then it is no problem to set the SPN with the given PORT of each instance.

    Otherwise you have to take care that your instances get fixed ports or
    you allow the service account of the instance to set the SPN.


    Uwe Ricken

    MCIT Database Administrator 2005
    MCIT Database Administrator 2008
    MCTS SQL Server 2005
    MCTS SQL Server 2008, Implementation and Maintenance
    db Berater GmbH
    http://www-db-berater.de
    Thursday, May 19, 2011 1:13 PM
  • Hi Uwe,

    Thanks for your time.

    We have used the default ports (1433) for SQL

     

    Do you have any theories as to why our App is authenticating for the majority of users, but not all of the time? We have a user base of around 900. We have tried to replicate an error without success. So this is not an isolated user case, it seems to be totally random.

     

    Andy

    Thursday, May 19, 2011 3:25 PM
  • Hello Andy,

    I know about the hell of SPN. Maybe this link will help you to check all necessary settings. Especially a look at the reportserver.config may give the hint. The blog describes the KERBEROS constellation with SharePoint and Reporting Services but it's always the same constellation ;-)

    http://blogs.msdn.com/b/psssql/archive/2011/02/21/sharepoint-adventures-using-kerberos-with-the-report-server.aspx


    Uwe Ricken

    MCIT Database Administrator 2005
    MCIT Database Administrator 2008
    MCTS SQL Server 2005
    MCTS SQL Server 2008, Implementation and Maintenance
    db Berater GmbH
    http://www-db-berater.de
    • Marked as answer by Stephanie Lv Friday, May 27, 2011 8:55 AM
    Friday, May 20, 2011 6:31 AM