What is causing these Login failed for ANONYMOUS LOGON errors?

  • Question

  • I have a SQL 2005 SP3 cluster running on Veritas Cluster Server (Storage Foundation HA 5.1 SP1).

    The cluster has 2 nodes and is configured with 2 SQL instances running on separate virtual servers.

    The only SQL feature installed on each instance/server is Database Services; each instance has the following SQL services: SQL Server (instancename), SQL Server FullText Search (instancename) and SQL Server Agent (instancename).

    We are seeing seemingly random occurrences of the error below in the logs for each instance; the client IP address specified is that of the alternate cluster node (i.e. the server not running the instance):

    Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'. [CLIENT: ipaddress ]

    This error is preceded by Error: 18456, Severity: 14, State: 11

    These errors are appearing in the logs for both instances.

    Having read several articles/discussions regarding this error I see it is commonly related to Kerberos/IIS/Reporting Services and such; however, we are not using any of these services, and furthermore the instances are currently empty, hosting nothing but the default system databases.

    For both instances all SQL services are running as a named domain user account, there are no SQL processes running as SYSTEM users.

    Can anyone give any indication as to how this can be further troubleshot? Or any explanation as to what could be causing these errors? It is as if there is a process on the alternate (passive) node which is attempting to access the instance. The question is, what?

    There is no sign of any error/failures following these events but I would obviously like to eradicate them before putting these servers live!

    Thanks in advance,

    Phil


    Thursday, November 25, 2010 12:26 PM

Answers

  • Hi,

    Is there anything else (warnings, errors) in the Application Event logs for either node at the same time?

    Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'. [CLIENT: ipaddress ] is typically tied to a scenario where the application (could be Agent or any other application) tries to connect over NTLM and fails to connect. Here is a blog explaining the scenarios:
    http://blogs.msdn.com/sql_protocols/archive/2006/12/02/understanding-kerberos-and-ntlm-authentication-in-sql-server-connections.aspx
    III. When are Kerberos and NTLM applied when connecting to SQL Server 2005?
    Under the condition that you are using Integrated Security or a trusted connection, which uses Windows authentication:
    1) Kerberos is used when making a remote connection over TCP/IP if an SPN is present.
    2) Kerberos is used when making a local TCP connection on XP if an SPN is present.
    3) NTLM is used when making a local connection on WIN 2K3.

    Now let's look at the other section where we get the error message:
    [1] "Login Failed for user 'NT Authority\ANONYMOUS LOGON'"
    In this scenario, the client makes a TCP connection, and it is most likely running under the LocalSystem account, and there is no SPN registered for the SQL instance; hence, NTLM is used. However, the LocalSystem account inherits from the System context instead of a true user-based context, and thus fails as 'ANONYMOUS LOGON'. See http://support.microsoft.com/kb/132679.

    So, essentially, some process from the other node is trying to connect over Kerberos, does not find the SPN for the SQL instance (typically, or for some other reason), so falls back to NTLM, but the other server is denying the NTLM connection.

    We typically fix the issue by creating an SPN for the SQL Server service account manually for the SQL instances, or by letting the SQL Server service account create its own SPN.

    Please refer to the following KB for further information.
    How to configure the SQL Server service to create SPNs dynamically for the SQL Server instances
    http://support.microsoft.com/kb/811889

    Hope this helps.

    Thanks,

    Cathy Miller

    Microsoft Online Community Support

    Tuesday, November 30, 2010 4:33 PM
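    A quick way to check the SPN side of this answer on the cluster, as an added example that is not part of the thread: the script derives the MSSQLSvc SPNs each virtual server/instance should have (the forms KB 811889 describes) and compares them against what setspn lists for the service account. The account name, virtual server names, instance names and ports are hypothetical placeholders; setspn.exe is assumed to be available and the caller to have read access to AD.

```powershell
# Added example (not from the thread): report which MSSQLSvc SPNs are missing
# for the domain account that runs the clustered SQL Server instances.
# All names and ports below are placeholders; replace with the real values.
$ServiceAccount = 'CONTOSO\sqlsvc'          # domain account running SQL Server
$Instances = @(
    @{ VirtualServer = 'sqlvs1.contoso.local'; Instance = 'INST1'; Port = 1433 },
    @{ VirtualServer = 'sqlvs2.contoso.local'; Instance = 'INST2'; Port = 1434 }
)

function Get-ExpectedSpn {
    param([hashtable]$Inst)
    # SQL Server registers MSSQLSvc/<FQDN>:<port> and, for a named instance,
    # also MSSQLSvc/<FQDN>:<instancename>; clients build the same names when
    # they request a Kerberos ticket for the virtual server.
    $spns = @("MSSQLSvc/$($Inst.VirtualServer):$($Inst.Port)")
    if ($Inst.Instance -and $Inst.Instance -ne 'MSSQLSERVER') {
        $spns += "MSSQLSvc/$($Inst.VirtualServer):$($Inst.Instance)"
    }
    return $spns
}

# setspn -L prints the account's registered SPNs, one per indented line.
$registered = & setspn.exe -L $ServiceAccount 2>&1 |
    Where-Object { $_ -match '^\s+\S+/' } |
    ForEach-Object { $_.Trim() }

foreach ($inst in $Instances) {
    foreach ($spn in Get-ExpectedSpn $inst) {
        if ($registered -contains $spn) {      # -contains is case-insensitive
            Write-Output "OK       $spn"
        } else {
            # Without this SPN the caller cannot get a Kerberos ticket and falls
            # back to NTLM; a caller running as LocalSystem then arrives as
            # ANONYMOUS LOGON, which is the 18456 state 11 seen in the question.
            Write-Output "MISSING  $spn   (KB 811889: setspn -A $spn $ServiceAccount)"
        }
    }
}
```

    Run it on either node; a MISSING line for a virtual server that is hosting an instance is the SPN gap the answer describes, and a duplicate SPN on another account would show up as the name being absent from this account's list.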

All replies

  • Is it possible that a linked server is trying to connect? Have you identified from what IP address it is trying to connect?
    Best Regards, Uri Dimant SQL Server MVP http://dimantdatabasesolutions.blogspot.com/ http://sqlblog.com/blogs/uri_dimant/
    Thursday, November 25, 2010 12:36 PM
  • Thank you for the reply,

    As detailed above, the source IP address is that of the alternate cluster node (i.e. the instance running on server1 logs the error against the client IP for server2, and the instance running on server2 receives the error from the client IP for server1).

    We are not using linked servers.

    Thanks.

    Thursday, November 25, 2010 1:04 PM
  • What if you stop the FullText Search service; do you still see the error?


    Best Regards, Uri Dimant SQL Server MVP http://dimantdatabasesolutions.blogspot.com/ http://sqlblog.com/blogs/uri_dimant/
    Thursday, November 25, 2010 1:58 PM
  • Check if any other services that are connecting to your SQL Server have the startup account "NT AUTHORITY\ANONYMOUS LOGON". Once you figure out that service, change the logon account to some other account which has access to the database server.

    Check this link as well for a similar kind of issue.

    http://sanssql.blogspot.com/2010/06/sev-14-errors-login-failed-for-user-nt.html


    Regards,

    Sandesh Segu

    http://www.SansSQL.com

    Thursday, November 25, 2010 2:04 PM
  • Thanks for the replies,

    All the SQL services (including full text search) are running as a domain user account which is a sysadmin on both instances, so that would count out a SQL service as the source of the error, I presume?

    I plan to fail over both instances to the same host and leave this overnight to see if the errors recur from the other node; as this node will not have any SQL services running, this should confirm whether the source is SQL related or not.

    Will also look into running SQL Profiler against this; however, as these errors appear to be random (i.e. I cannot find an event/action which triggers them) I guess I will need to leave this running overnight...

    If anyone has any other suggestions/thoughts...

    cheers

    Thursday, November 25, 2010 3:14 PM