Problem with IIS server to separate SQL server delegation: Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'

  • Question

  • User-1154514681 posted

    I have been googling around for hours and haven't been able to find a solution... many of the results I am getting are from when I was in high school lol.

    I have a C# ASP.NET (4.5.1) app hosted on a development system which is running Windows Server 2008 R2 with SQL Server 2012.

    The application uses integrated security for auditing purposes. My connection string is specified in web.config:

    <add name="MYDB" connectionString="Data Source=MyServer;Initial Catalog=MyDatabase;Persist Security Info=True;Trusted_Connection=yes" providerName="System.Data.SqlClient" />

    In addition, I have configured:

        <identity impersonate="true" />

    and also have turned on Windows authentication and disabled all other authentication types in IIS Manager.

    The application pool hosting the app is running as Network Service.

    This works well. No problems in development environment.

    I am attempting to move the application to a production environment. I copied all the web.config and IIS settings to the production IIS server.

    Due to the size of the database, it is being hosted on a server which is separate from the web server. The production SQL Server box is running Windows Server 2012 and SQL Server 2012. Services run as Network Service.

    I understand this creates a "double hop" problem. So, I went into Active Directory and I pulled up the IIS server, went to the Delegation tab, and selected "Trust this computer for delegation to specified services only" and selected "mssqlsvc" for both entries (the one with port 1433 and the one without a port).

    I am still receiving the "Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'" error.

    I'm not sure where I'm going wrong, or what I'm missing. Did I miss a step?

    I turned on Kerberos logging by setting HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters\LogLevel to 0x01, and I see in my system log:

    A Kerberos error message was received:
    on logon session MYDOMAIN\ADMINISTRATOR
    Client Time:
    Server Time: 18:53:53.0000 5/9/2016 Z
    Error Code: 0x19 KDC_ERR_PREAUTH_REQUIRED
    Extended Error:
    Client Realm:
    Client Name:
    Server Realm: MYDOMAIN
    Server Name: krbtgt/MYDOMAIN
    Target Name: krbtgt/MYDOMAIN@MYDOMAIN
    Error Text:
    File: e
    Line: d3f
    Error Data is in record data.


    Any feedback would be appreciated. Googling this error gives me thousands of hits, many dating back to earlier versions of SQL Server (2005, etc.) as far back as 2007; I cannot seem to find anything more recent or any definitive direction to take. I can't imagine this is an unusual configuration (separate SQL and IIS servers w/ integrated security) but can't seem to find a "how to" guide which works.

    Monday, May 9, 2016 6:58 PM

Answers

  • User-219423983 posted

    Hi Tentpig,

    As the error message code “0x19 KDC_ERR_PREAUTH_REQUIRED” shows, the client did not send pre-authorization, or did not send the appropriate type of pre-authorization, to receive a ticket. As usual, many Kerberos implementations will start off without preauthenticated data and only add it in a subsequent request when it sees this error. So, back to your issue, you could enable the “Do not require Kerberos preauthentication” option for that user account in Active Directory Users & Computers -> <user> properties -> Account.

    http://answers.microsoft.com/en-us/windows/forum/windows_7-security/error-code-0x19-kdcerrpreauthrequired/ed5fc1db-6a44-4b16-b6b6-5f55e07c9ca4?auth=1

    Besides, the following links provide something about securely connecting to a remote database server and you could have a look.

    https://msdn.microsoft.com/en-us/library/bsz5788z.aspx?f=255&MSPPError=-2147217396

    https://gilesey.wordpress.com/2013/05/11/allowing-iis-7-5-applications-to-communicate-to-sql-server-via-windows-authentication/

    Best Regards,

    Weibo Zhang

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Tuesday, May 10, 2016 5:49 AM
  • User-1154514681 posted

    Weibo Zhang,

    Thank you for the kind reply. After many hours of further investigation, I have resolved the issue.

    When I set my IIS server computer account up for delegation to the SQL server in Active Directory, I selected "Trust this computer for delegation to specified services only", left the default "Use Kerberos only" radio button checked, and then supplied my mssqlsvc entries via the "Add" button.

    As it turns out, it was necessary to select the "Use any authentication protocol" radio button rather than leave the default "Use Kerberos only" radio button checked.

    Unfortunately, in my wanderings on the Internet regarding the double-hop issue and resolving it, I did not come across this requirement.

    Once I changed the radio button and applied the changes, my application works as expected.

    Perhaps someone with greater technical knowledge can explain why this is necessary. Since this issue is commonly referred to as the "double hop" problem and involves Kerberos, I would have thought the default "Use Kerberos only" would suffice, but apparently some other authentication protocol is also being used behind the scenes.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Tuesday, May 10, 2016 12:53 PM
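The question's setup (IIS pool as Network Service, impersonation, SQL on a separate host) and the resolution above (constrained delegation with "Use any authentication protocol") come down to three Active Directory attributes on the web server's computer account, and the reason the "Use Kerberos only" setting failed is that constrained delegation in that mode can only forward a Kerberos ticket the web server actually received: if the browser authenticated to IIS with NTLM instead (typically because no HTTP SPN covers the host name users browse to), there is nothing to delegate and SQL Server sees ANONYMOUS LOGON. "Use any authentication protocol" switches on protocol transition (TrustedToAuthForDelegation), which lets IIS obtain a Kerberos ticket on the user's behalf regardless of how the user reached it. The 0x19 KDC_ERR_PREAUTH_REQUIRED entry in the log is, as the first answer notes, the normal first round of a ticket request and not the cause. The following PowerShell is an added example, not code from the thread, showing how to check both hops' SPNs, read the delegation state, apply the configuration the thread arrived at, and inventory which accounts have protocol transition enabled. It assumes the RSAT ActiveDirectory module; WEB01, intranet.mydomain.local and sqlprod.mydomain.local are placeholders.

```powershell
# Added example, not from the original thread. WEB01, intranet.mydomain.local and
# sqlprod.mydomain.local are placeholders. Requires the ActiveDirectory RSAT module
# and rights to read (and, for step 4, modify) the web server's computer object.
Import-Module ActiveDirectory

$IisComputer = 'WEB01'                     # placeholder: IIS server computer account
$SiteHost    = 'intranet.mydomain.local'   # placeholder: host name users browse to
$SqlHost     = 'sqlprod.mydomain.local'    # placeholder: SQL Server FQDN
$SqlSpns     = @("MSSQLSvc/$SqlHost", "MSSQLSvc/${SqlHost}:1433")

$iis = Get-ADComputer -Identity $IisComputer -Properties servicePrincipalName, 'msDS-AllowedToDelegateTo', TrustedForDelegation, TrustedToAuthForDelegation

# 1. First hop (browser -> IIS). "Use Kerberos only" can forward only a Kerberos ticket
#    that IIS actually received, so the site's host name needs an HTTP SPN on the account
#    running the application pool. With the pool running as Network Service that is the
#    computer account. Without it browsers fall back to NTLM and SQL sees ANONYMOUS LOGON.
$httpSpn   = "HTTP/$SiteHost"
$httpOwner = Get-ADObject -LDAPFilter "(servicePrincipalName=$httpSpn)" -Properties servicePrincipalName
if (-not $httpOwner) {
    Write-Warning "No account holds $httpSpn; the first hop cannot be Kerberos."
} elseif ($httpOwner.DistinguishedName -ne $iis.DistinguishedName) {
    Write-Warning "$httpSpn is registered on $($httpOwner.Name), not on $IisComputer."
}

# 2. Second hop (IIS -> SQL). Each MSSQLSvc SPN must be registered exactly once, on the
#    account that runs the SQL service (the SQL server's computer account when the
#    service runs as Network Service). A missing or duplicated SPN also forces NTLM.
foreach ($spn in $SqlSpns) {
    $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)")
    switch ($owners.Count) {
        0       { Write-Warning "$spn is not registered; Kerberos to SQL is impossible." }
        1       { Write-Host    "$spn -> $($owners[0].Name)" }
        default { Write-Warning "$spn is duplicated on $($owners.Name -join ', ')." }
    }
}

# 3. Delegation state of the web server. The Delegation tab choices map to attributes:
#    "Trust this computer for delegation to any service" -> TrustedForDelegation
#    "specified services only" + "Use Kerberos only"     -> msDS-AllowedToDelegateTo
#    "specified services only" + "any protocol"          -> ... plus TrustedToAuthForDelegation
[pscustomobject]@{
    Computer           = $iis.Name
    Unconstrained      = $iis.TrustedForDelegation
    ConstrainedTargets = $iis.'msDS-AllowedToDelegateTo' -join '; '
    ProtocolTransition = $iis.TrustedToAuthForDelegation
} | Format-List

# 4. Apply the configuration the thread arrived at: constrained delegation to the
#    MSSQLSvc SPNs with protocol transition enabled, never unconstrained delegation.
#    Prefer fixing the HTTP SPN from step 1 so that "Use Kerberos only" suffices;
#    protocol transition lets this host obtain service tickets for any user to the
#    listed services without that user having authenticated with Kerberos, so treat
#    the web server as a high-value host and review the flag periodically (step 5).
Set-ADComputer -Identity $IisComputer -TrustedForDelegation $false -Replace @{ 'msDS-AllowedToDelegateTo' = $SqlSpns }
Set-ADAccountControl -Identity $iis -TrustedToAuthForDelegation $true

# 5. Inventory for periodic review: every account with TRUSTED_TO_AUTH_FOR_DELEGATION
#    (userAccountControl bit 0x1000000 = 16777216) and the services it may delegate to.
Get-ADObject -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=16777216)' -Properties 'msDS-AllowedToDelegateTo' |
    Select-Object Name, 'msDS-AllowedToDelegateTo'
```

Run steps 1 to 3 first on a read-only account; most double-hop failures of the kind described in the question show up there as a missing HTTP SPN or a missing or duplicated MSSQLSvc SPN, and fixing the SPN keeps the stricter "Use Kerberos only" setting viable. Step 4 is the change the thread made, and step 5 gives the list an auditor would expect to stay short.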
