Last post Nov 15, 2011 12:00 PM by sheryarnizar
Jul 27, 2006 08:49 PM|LINK
Web application developed in Visual Studio 2005 is deployed on a Windows 2000 Server running IIS 5. This application utilizes a SQL Server 2000 database running on a separate Windows 2000 Server. This is an intranet application with the intent being to allow access to authenticated members of an active directory group (myADGroup). First I will list relevant configuration settings then discuss the observed behavior...
Security: SQL Server and Windows authentication.
myADGroup added to logins and granted access to desired database
Web server virtual directory is configured as follows:
Directory Security tab:
Anonymous access is DISABLED
Integrated windows authentication is ENABLED
Inherited authorization rules: Allow *
Local authorization rules: Deny ?
Authentication Mode: Windows
Membership Provider: AspNetWindowsTokenRoleProvider
Role Management: AspNetWindowsTokenRoleProvider
Web server folder containing the application has the following security permissions:
ASP.NET Machine Account: Read & Execute, List Folder Contents, Read, Write
myADGroup: Read & Execute, List Folder Contents, Read
Here is the connection string to the database (web.config)
<add name="myConnectionString" connectionString="Data Source=mySQLServer;Initial Catalog=myDB;Integrated Security=True" providerName="System.Data.SqlClient"/>
and the identity impersonate tag setting
<identity impersonate="true" />
If I browse to the web page from a client machine (logged in as a member of myADGroup) I get the following error: Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'
If, however, I establish a remote desktop connection to the webserver from the same client machine and login to the webserver as the same user (a member of myADGroup), the application behaves fine.
It is as if IIS uses the local ASPNET account when serving up a page from a remote client but uses the credentials of the current user when serving up pages requested locally.
Is there not a simple solution to using Windows Integrated security and active directory groups to control access when a web server and SQL server exist on separate machines on a network???
Jul 27, 2006 11:38 PM|LINK
Try this article in particular:
And all of these:
Aug 10, 2006 09:04 PM|LINK
I'm experiencing the exact same behavior. After reading web pages for hours I'm using the same settings you are. If I remote into the server the application runs fine. If I try the application from the same client machine but run a local web browser the database identifies me as "NT AUTHORITY\ANONYMOUS LOGON".
Were you able to find a solution?
Feb 16, 2007 04:07 PM|LINK
I know this is an older post but I was wondering if anyone ever found an answer? I want to keep the database on its current server machine and have the web frontend on another server machine within the same network... just wondering if anyone ever figured
Apr 05, 2007 05:30 PM|LINK
May 10, 2007 03:11 AM|LINK
Same here guys.
My coding time was diverted to solving this problem. It's a major headache in our team. I've been rummaging the internet for solutions and myriad of solutions I did get. So far no luck. Please update this thread if anyone got the solution.
Nov 16, 2007 08:35 AM|LINK
In cases where this error arises when IIS is on a different box to SQL Server, it's usually fixed by changing the Active Directory record for the IIS server to say "trust this computer for delegation".
Basically NT domains don't let computers do multiple credential hops, one from browser to IIS, and one from IIS to SQL Server.
However I've just hit this problem at a client install and it doesn't seem to be that.
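Added example, not part of any post in this thread: a small ASP.NET handler that reports whether the token IIS hands to the application can make the second hop to SQL Server described above. The file name `DelegationCheck.ashx`, the class name and the verdict strings are assumptions of this example.

```csharp
// Added diagnostic (hypothetical file DelegationCheck.ashx). The file's first line must be:
//   <%@ WebHandler Language="C#" Class="DelegationCheck" %>
using System;
using System.Security.Principal;
using System.Web;

public class DelegationCheck : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // Identity IIS authenticated for this request (browser -> IIS hop).
        IIdentity caller = context.User.Identity;
        // Identity the thread runs as: the caller when <identity impersonate="true" />
        // is in effect, otherwise the worker process account.
        WindowsIdentity thread = WindowsIdentity.GetCurrent();

        HttpResponse r = context.Response;
        r.ContentType = "text/plain";
        r.Write("Authenticated user : " + caller.Name + "\r\n");
        r.Write("Authentication type: " + caller.AuthenticationType + "\r\n");
        r.Write("Thread identity    : " + thread.Name + "\r\n");
        r.Write("Impersonation level: " + thread.ImpersonationLevel + "\r\n");
        r.Write("Verdict            : " + Diagnose(caller, thread) + "\r\n");
    }

    // Verdict wording is this example's own, not output of any Microsoft tool.
    static string Diagnose(IIdentity caller, WindowsIdentity thread)
    {
        if (!caller.IsAuthenticated)
            return "anonymous request: Integrated Windows authentication did not run";
        if (!string.Equals(caller.Name, thread.Name, StringComparison.OrdinalIgnoreCase))
            return "not impersonating: SQL Server will see the worker process account";
        if (thread.ImpersonationLevel == TokenImpersonationLevel.Delegation)
            return "delegable token: the caller's identity can reach SQL Server";
        if (string.Equals(caller.AuthenticationType, "NTLM", StringComparison.OrdinalIgnoreCase))
            return "NTLM logon: cannot be delegated, expect ANONYMOUS LOGON at SQL Server";
        return "impersonation-only token: a remote client's identity will not reach SQL Server";
    }
}
```

Request it from a remote client machine: a browser running on the web server itself makes only one network hop to SQL Server, so its result does not represent what remote users get.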
Nov 20, 2007 05:53 PM|LINK
Apr 22, 2008 02:33 PM|LINK
I seem to have the same problem as everyone else..
I try to have the NT login of the user at the top of the page and to display data extracted from a SQL server in the body of the page. (from another server on the same network)
If the security settings of the application are set to Anonymous Access and Integrated Windows authentication, I can display the data but not the user's NT login.
If the security settings of the application are set to Integrated Windows authentication only, my page throws an error [..Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'. ..]
Is there no way to have both ??
Aug 25, 2008 04:10 AM|LINK
Your error -> [..Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'. ..]
is due to SQL Server not having the login account for your windows login account.
You must be getting this error when your SQL Server db is on a remote machine. Also your app. server (IIS) has Impersonate = true.
If you make IIS not impersonate and then create a login account in your db server, with
You won't get this error for some good reasons.
If you want your IIS server to impersonate, then this error will pop up on the app. server machine, but on the remote client machine, it will all work out.