Man, it is good to know I'm not alone with this error. My settings are the same and the remoting in thing was just discovered today. The biggest headache for me is that this error only occurs about 10-15% of the time. Most of the time users don't have a problem.
When they do, it usually goes away after 5-10 minutes and a browser closing. There has to be an answer out there.
Has anyone been able to solve this issue? I also have my IIS on one machine and my SQL server on another machine (on another domain, but there is a trust). I also set trust this computer for delegation and rebooted the IIS server, but did not work. I'm not sure if the sql server is on a domain with active directory, it may still be NT 4. Would this cause a problem?
DazedNConfus...
Member
5 Points
1 Post
Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'
Jul 27, 2006 08:49 PM|LINK
Web application developed in Visual Studio 2005 is deployed on a Windows 2000 Server running IIS 5. This application utilizes a SQL Server 2000 database running on a separate Windows 2000 Server. This is an intranet application with the intent being to allow access to authenticated members of an active directory group (myADGroup). First I will list relevant configuration settings then discuss the observed behavior...
SQL Server:
Security: SQL Server and Windows authentication.
myADGroup added to logins and granted access to desired database
Web server virtual directory is configured as follows:
Directory Security tab:
Anonymous access is DISABLED
Integrated windows authentication is ENABLED
ASP.NET tab:
Authorization:
Inherited authorization rules: Allow *
Local authorization rules: Deny ?
Authentication Mode: Windows
Membership Provider: AspNetWindowsTokenRoleProvider
Role Management: AspNetWindowsTokenRoleProvider
Web server folder containing the application has the following security permissions:
ASP.NET Machine Account: Read & Execute, List Folder Contents, Read, Write
myADGroup: Read & Execute, List Folder Contents, Read
Here is the connection string to the database (web.config)
<add name="myConnectionString" connectionString="Data Source=mySQLServer;Initial Catalog=myDB;Integrated Security=True" providerName="System.Data.SqlClient"/>
and the identity impersonate tag setting
<identity impersonate="true" />
Observed behavior:
If I browse to the web page from a client machine (logged in as a member of myADGroup) I get the following error: Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'
If, however, I establish a remote desktop connection to the webserver from the same client machine and login to the webserver as the same user (a member of myADGroup), the application behaves fine.
It is as if IIS uses the local ASPNET account when serving up a page from a remote client but uses the credentials of the current user when serving up pages requested locally.
Is there not a simple solution to using Windows Integrated security and active directory groups to control access when a web server and SQL server exist on separate machines on a network???
DarrellNorto...
All-Star
86795 Points
9644 Posts
Moderator
MVP
Re: Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'
Jul 27, 2006 11:38 PM|LINK
Try this article in particular:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/paght000025.asp
And all of these:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/SecurityHowTosIndex.asp
Darrell Norton's Blog
Please click "Mark as Answer" if this helped you.
Bitwise
Member
5 Points
1 Post
Re: Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'
Aug 10, 2006 09:04 PM|LINK
I'm experiencing the exact same behavior. After reading web pages for hours I'm using the same settings you are. If I remote into the server the application runs fine. If I try the application from the same client machine but run a local web browser the database identifies me as "NT AUTHORITY\ANONYMOUS LOGON".
Were you able to find a solution?
Thanks,
Zack
WoFe
Member
86 Points
32 Posts
Re: Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'
Feb 16, 2007 04:07 PM|LINK
I know this is an older post but I was wondering if anyone ever found an answer? I want to keep the database on its current server machine and have the web frontend on another server machine within the same network... just wondering if anyone ever figured it out?
jekent
Member
2 Points
3 Posts
Re: Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'
Apr 05, 2007 05:30 PM|LINK
swarm
Member
8 Points
15 Posts
Re: Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'
May 10, 2007 03:11 AM|LINK
Same here guys.
My coding time was diverted to solving this problem. It's a major headache in our team. I've been rummaging the internet for solutions and myriad of solutions I did get. So far no luck. Please update this thread if anyone got the solution.
plq
Member
18 Points
17 Posts
Re: Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'
Nov 16, 2007 08:35 AM|LINK
In cases where this error arises when the IIS is on a different box to sql server, it's usually fixed by changing the Active Directory record for the IIS server to say "trust this computer for delegation".
Basically NT domains don't let computers do multiple credential hops, one from browser to IIS, and one from IIS to Sql Server.
However I've just hit this problem at a client install and it doesn't seem to be that.
julieandduan...
Member
3 Points
23 Posts
Re: Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'
Nov 20, 2007 05:53 PM|LINK
cgoasduff
Member
123 Points
131 Posts
Re: Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'
Apr 22, 2008 02:33 PM|LINK
Hi There
I seem to have the same problem as everyone else..
I try to have the NT login of the user at the top of the page and to display data extracted from a SQL server in the body of the page. (from another server on the same network)
If the security settings of the application are set to Anonymous Access and Integrated Windows authentication, I can display the data but not the user's NT login.
If the security settings of the application are set to Integrated Windows authentication only, my page throws an error [..Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'. ..]
Is there no way to have both ??
Cheers
Chris
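An added diagnostic, not code from any post in this thread: it reports the two identities involved in the credential hops plq describes and in Chris's question, namely the user IIS authenticated and the Windows token that an "Integrated Security=True" connection would actually present to SQL Server. The class and method names are hypothetical; call it from any page of the affected application and write the result to the response.

```csharp
using System;
using System.Security.Principal;
using System.Web;

// Added example (hypothetical helper, not part of the original application).
public static class DoubleHopCheck
{
    public static string Describe(HttpContext ctx)
    {
        // First hop: the user IIS authenticated. Name is empty for anonymous requests.
        IIdentity caller = ctx.User.Identity;

        // The token the request thread runs under right now. With
        // <identity impersonate="true" /> this is the caller's token, otherwise
        // the worker process account. Integrated Security connections use it.
        WindowsIdentity current = WindowsIdentity.GetCurrent();

        string verdict;
        if (!caller.IsAuthenticated)
        {
            verdict = "Anonymous request: there is no user name to display, and "
                    + "SQL Server sees whatever account the thread runs under.";
        }
        else if (!String.Equals(current.Name, caller.Name,
                                StringComparison.OrdinalIgnoreCase))
        {
            verdict = "Not impersonating: the page can display the caller's name, "
                    + "but SQL Server sees the process account, not the caller.";
        }
        else if (current.ImpersonationLevel == TokenImpersonationLevel.Delegation)
        {
            verdict = "Impersonating with a delegable token: the caller's "
                    + "identity can be carried on to a remote SQL Server.";
        }
        else
        {
            verdict = "Impersonating without delegation: the token is normally "
                    + "only usable on this machine, so a remote SQL Server sees "
                    + "ANONYMOUS LOGON unless the browser runs on the web server.";
        }

        return String.Format(
            "Authenticated caller: '{0}' (auth type: {1})\n" +
            "Thread token: '{2}' (impersonation level: {3})\n{4}",
            caller.Name, caller.AuthenticationType,
            current.Name, current.ImpersonationLevel, verdict);
    }
}
```

An auth type of NTLM for the caller means the request was not authenticated with Kerberos, and an NTLM-authenticated token cannot be delegated to a second machine regardless of the "trust this computer for delegation" setting.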
bkr
Member
6 Points
3 Posts
Re: Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'
Aug 25, 2008 04:10 AM|LINK
Your error -> [..Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'. ..]
is due to SQL Server not having the login account for your Windows login account.
You must be getting this error when your sql server db is on remote machine. Also your app. server (IIS) has Impersonate = true.
If you make IIS not impersonate and then create a login account in your db server, with
domain_name\app_machine_name$
You won't get this error for some good reasons.
If you want your IIS server to impersonate, then this error will pop up on app. server machine, but remote client machine, it will all work out.
-gjb