IIS 7.5 web application failing with NT Authority\Anonymous Logon
I am finding various Google results, but none seem to fix my problem.
I am setting up a new WINDOWS 2008 R2 box at work that is to communicate with an existing SQL 2012 box via web tools running in IIS 7.5 within our intranet. We are to use Windows authentication throughout - IE -> Web Server -> SQL. We are using Kerberos. When viewing the tool locally on the web server, everything is fine, but once I try to view it on a remote client, I get the "Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'" error.
Let me break down how we have the web site:
- Application pool running .NET 2.0 in classic mode with an identity of ApplicationPoolIdentity
- Windows authentication is enabled with Extended Protection set to Off, Enable Kernel-mode authentication is checked, and the enabled Providers are (in order) Negotiate and NTLM. ASP.NET Impersonation is enabled and set to impersonate as the authenticated user.
- SQL connection string in the following format:
    Data Source=THESQLBOXNAME;Initial Catalog=DATABASENAME;Integrated Security=True
I have a test page which I have placed on the web server (following the above mentioned settings) that displays the following data:
- HttpContext.Current.User.Identity.IsAuthenticated is true
- HttpContext.Current.User.Identity.Name is the expected user (user launching the browser)
- System.Security.Principal.WindowsIdentity.GetCurrent.Name is the expected user
I attempt a basic SQL query to the SQL box and get the login error mentioned above.
I have checked AD and verified that the web box has delegation set - "Trust this computer for delegation to specified services only / Use Kerberos only"
I have run this test page on an existing WINDOWS 2008 R2 box running IIS 7.5 (with same above mentioned settings) and I get no error whatsoever.
I have checked the SPN settings for both web boxes and they are the same (with the exception of the machine's name):
    setspn -L EXISTINGBOX
    WSMAN/EXISTINGBOX.domain.com
    WSMAN/EXISTINGBOX
    TERMSRV/EXISTINGBOX.domain.com
    TERMSRV/EXISTINGBOX
    HOST/EXISTINGBOX.domain.com
    HOST/EXISTINGBOX
    RestrictedKrbHost/EXISTINGBOX.domain.com
    RestrictedKrbHost/EXISTINGBOX

    setspn -L NEWBOX
    WSMAN/NEWBOX.domain.com
    WSMAN/NEWBOX
    TERMSRV/NEWBOX.domain.com
    TERMSRV/NEWBOX
    HOST/NEWBOX.domain.com
    HOST/NEWBOX
    RestrictedKrbHost/NEWBOX.domain.com
    RestrictedKrbHost/NEWBOX
I realize that it is acting like the double-hop problem, but the fact that it works on another box, makes me think it is something specific with the new web box. What the heck am I missing?????
sql-server iis-7.5 kerberos windows-authentication application-pools
asked Dec 3 '14 at 19:59
Dan Appleyard
2 Answers
The last two things I can think of are to check if you have the MSSQLSvc SPNs registered under the SQL Server service account (which you may have already since you have a working scenario). Just in case:
- MSSQLSvc/NetBIOS
- MSSQLSvc/NetBIOS:1433
- MSSQLSvc/FQDN.domain.com
- MSSQLSvc/FQDN.domain.com:1433
If that is done, then going back to the AD tab where you have the trust option, add the SQL Server account as one of the allowed services. If done correctly, you should see the MSSQLSvc* in the list.
If the above methods do not work, then you'll maybe have to enable Kerberos tracing or use a network trace to find Kerberos errors.
answered Apr 3 '16 at 15:17
milope
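
The two checks in the answer above (MSSQLSvc SPNs registered on the SQL Server service account, and the same SPNs present in the web server's allowed-services list) can be evaluated side by side for both web servers. This is an added example, not part of the original answer: the function name `Test-SecondHopDelegation`, the `cifs/FILESERVER.domain.com` entry and all sample lists are constructed, and the commented `Get-ADComputer`/`Get-ADUser` lines assume the ActiveDirectory module and a placeholder account name.

```powershell
# Added example. Every SPN list below is constructed sample data, not the asker's directory.
function Test-SecondHopDelegation {
    param(
        [Parameter(Mandatory = $true)] [string]   $WebServer,
        [Parameter(Mandatory = $true)] [string[]] $RequiredSpns,   # the four MSSQLSvc forms from the answer
        [string[]] $SqlAccountSpns      = @(),   # servicePrincipalName of the SQL Server service account
        [string[]] $AllowedToDelegateTo = @()    # msDS-AllowedToDelegateTo of the web server computer account
    )
    foreach ($spn in $RequiredSpns) {
        # -contains compares case-insensitively, which suits SPN matching
        $registered = $SqlAccountSpns -contains $spn
        $delegable  = $AllowedToDelegateTo -contains $spn
        New-Object PSObject -Property @{
            WebServer  = $WebServer
            Spn        = $spn
            Registered = $registered
            Delegable  = $delegable
            SecondHop  = ($registered -and $delegable)
        } | Select-Object WebServer, Spn, Registered, Delegable, SecondHop
    }
}

# Required SPNs, built from the host name in the question's connection string.
$required = 'MSSQLSvc/THESQLBOXNAME', 'MSSQLSvc/THESQLBOXNAME:1433',
            'MSSQLSvc/THESQLBOXNAME.domain.com', 'MSSQLSvc/THESQLBOXNAME.domain.com:1433'

# Constructed: the SQL Server service account carries all four SPNs.
# Live value: (Get-ADUser <sql-service-account> -Properties servicePrincipalName).servicePrincipalName
$sqlSpns = $required

# Constructed: one server lists the SQL SPNs as allowed services, the other does not.
# Live value: (Get-ADComputer NEWBOX -Properties 'msDS-AllowedToDelegateTo').'msDS-AllowedToDelegateTo'
$delegation = @{
    EXISTINGBOX = $required
    NEWBOX      = @('cifs/FILESERVER.domain.com')
}

$report = foreach ($box in 'EXISTINGBOX', 'NEWBOX') {
    Test-SecondHopDelegation -WebServer $box -RequiredSpns $required `
        -SqlAccountSpns $sqlSpns -AllowedToDelegateTo $delegation[$box]
}

# Full comparison, then only the rows where the second hop cannot succeed.
$report | Format-Table -AutoSize
$report | Where-Object { -not $_.SecondHop } | Format-Table -AutoSize
```

With "Trust this computer for delegation to specified services only / Use Kerberos only", a web server whose allowed-services list lacks the SPN the client requests cannot obtain a ticket for SQL Server on the user's behalf, even when its own `setspn -L` output matches a working server.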
Check whether the non-working IIS server has "trust computer for delegation" set: http://blogs.technet.com/b/taraj/archive/2009/01/29/checklist-for-double-hop-issues-iis-and-sql-server.aspx
answered Dec 6 '14 at 15:12
Mary