1
votes

BACKGROUND:

IIS is on One Server (7)

SQL is on another server

Active Directory is on another server (this may or may not make a difference but from what I have read it may)

We have a brand-new MVC site that is using AD permissions to grant access to the site and then to run the SPs within SQL.

The site access is working correctly, but I am getting the error "Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'", which I believe means I have fallen foul of the double hop issue.

Within IIS I have an App Pool of V4.0 Integrated and Application Pool Identity

Within my application I have settings of ASP.NET Impersonation Enabled and Windows Authentication Enabled; all else is Disabled.

And within the Delegation settings of the SQL Server and the IIS Server I have set 'Trust this computer for delegation to any service (Kerberos only)'

Also, if I run the following statement within SQL

SELECT auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@SPID;

I get KERBEROS.

What am I missing? or doing wrong? Thanks

1
It's the IIS server that needs "Trust this computer for delegation". Have you confirmed that IIS is getting proper credentials (i.e. anonymous authentication is turned off)? There are a number of authentication help pages available online, such as the ASP.NET Authentication test page, that might be able to help. – Rhys Jones
In fairness Rhys, I am experienced in development; all the companies I have worked for in the past have had specialist server teams, so am not sure. I'll take a look at the link, thanks, and see what more I can find out. I have read stacks of pages and believe everything to be set up correctly, but obviously something isn't. I turned delegation on on the SQL server just to be on the safe side, but have plans to turn it off once everything is working. – Noreen
I'm the same, my background is dev, networking very much a secondary thing. I've always managed to get my setups working in the past (not using SPNs though) but sometimes it's taken a lot longer than others to find the last magic setting to make it all work :) Google for DelegConfig, which is another tool I've used in the past. Good luck! – Rhys Jones
Rhys, locally my user's AuthType is Kerberos, but on the IIS server it is coming up NTLM when I display WindowsIdentity.GetCurrent().AuthenticationType – Noreen
Which version of IIS? – Rhys Jones

1 Answer

0
votes

There are a number of things you may want to check. Do you have an SPN set up on the SQL box? These can be added via the following command:

setspn -a "MSSQLSvc/<SQL_SERVER_Server_Name>:1433" "<SQL_SERVER_Service_Account>"

You may want to add both the FQDN as well as the short name. Once this is complete you will need to restart the SQL Server, not just the service.

If this does not work, can you run the following commands:

setspn -l "<AppPool Account Name>" 

and

setspn -l "<SQL Server Account Name>"
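
Added example, not part of the answer above: a read-only PowerShell check of the two things this thread turns on, namely who owns the MSSQLSvc SPNs and how delegation is set on the account IIS uses on the network. It assumes the RSAT ActiveDirectory module is installed; the host names are hypothetical placeholders.

```powershell
# Added example: read-only checks for the Kerberos double-hop setup discussed above.
# Assumption: RSAT ActiveDirectory module is available. All names are placeholders.
Import-Module ActiveDirectory

$IisComputer  = 'IIS01'                    # hypothetical IIS server computer account
$SqlHostFqdn  = 'sql01.corp.example.com'   # hypothetical SQL Server FQDN
$SqlHostShort = 'sql01'                    # hypothetical short name
$SqlPort      = 1433

# 1. Find the owner of each expected MSSQLSvc SPN (FQDN and short name).
#    Zero owners means the SPN is missing; more than one means a duplicate,
#    and in both cases no usable Kerberos ticket can be issued for that name.
$expected = foreach ($h in $SqlHostFqdn, $SqlHostShort) { "MSSQLSvc/${h}:$SqlPort" }
foreach ($spn in $expected) {
    $owners = @(Get-ADObject -Filter "servicePrincipalName -eq '$spn'" -Properties sAMAccountName)
    switch ($owners.Count) {
        0       { Write-Warning "$spn is not registered on any account" }
        1       { Write-Output  "$spn -> $($owners[0].sAMAccountName)" }
        default { Write-Warning "$spn is duplicated on: $($owners.sAMAccountName -join ', ')" }
    }
}

# 2. With ApplicationPoolIdentity the app pool appears on the network as the
#    IIS computer account, so that is the account whose delegation matters.
$props = 'TrustedForDelegation', 'TrustedToAuthForDelegation',
         'msDS-AllowedToDelegateTo', 'servicePrincipalName'
$iis = Get-ADComputer $IisComputer -Properties $props

[pscustomobject]@{
    Computer                = $iis.Name
    # True = "Trust this computer for delegation to any service (Kerberos only)"
    UnconstrainedDelegation = $iis.TrustedForDelegation
    ProtocolTransition      = $iis.TrustedToAuthForDelegation
    # Non-empty = constrained delegation; the narrower setting lists only the SQL SPN
    ConstrainedTo           = $iis.'msDS-AllowedToDelegateTo' -join '; '
    # SPNs browsers can request tickets for when authenticating to the site
    WebSpns                 = ($iis.servicePrincipalName |
                                Where-Object { $_ -like 'HTTP/*' -or $_ -like 'HOST/*' }) -join '; '
} | Format-List
```

If `UnconstrainedDelegation` is True, the IIS server can forward a user's ticket to any service; listing only the MSSQLSvc SPN under constrained delegation limits that to the SQL Server.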