1
votes

I am setting up Service Broker between two servers. The environment I am implementing this in does not have a domain.

The two SQL Server services run under "NETWORK SERVICE".

I am getting the following error message:

Service Broker login attempt by user 'NT AUTHORITY\ANONYMOUS LOGON.' failed with error: 'Connection handshake failed. The login 'NT AUTHORITY\ANONYMOUS LOGON' does not have CONNECT permission on the endpoint. State 84.'.

If I add NT AUTHORITY\ANONYMOUS LOGON to SQL server and grant the connect permission then everything works fine.

I am not sure granting the permission to NT AUTHORITY\ANONYMOUS LOGON is a good idea.

A little bit of Google research tells me I need to configure an SPN for Kerberos, but I have no knowledge of how to do that.

Can you help, or direct me to a good article to refer please?

Configuration

SQL 2008 R2 and Windows 2008

2
Did you get this resolved? - T-Heron

2 Answers

1
votes

I have come across this issue before also.

This guide got me through it. If you're not an AD admin you might need to get your server guys involved.

guide to fix double hop issue

1
votes

> I am setting up Service Broker between two servers. The environment I am implementing this in does not have a domain.

Then you should use Certificate based authentication instead of Windows:

CREATE ENDPOINT [broker]
    STATE = STARTED
    AS TCP (LISTENER_PORT = 4022)
    FOR SERVICE_BROKER (
        AUTHENTICATION = CERTIFICATE [MyCertName]);

The setup is quite complex, as it involves exchanging certificates between the hosts, creating logins and users to map to the other host and granting endpoint connectivity. And you'll then need to also do the dialog security layer. You can read here How does Certificate based Authentication work, and this blog explains step by step how to do it: A simple secure dialog with transport certificates.

Note that even though the error message is about anonymous logon, this is not a Kerberos 'double-hop' issue (better known as constrained delegation).
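
The transport-security steps listed in the answer above (exchange certificates, map the peer to a login and user, grant endpoint connectivity), sketched as an added example for one host; it is not code from the answer or from the linked blog. All names (`HostACert`, `HostBCert`, `HostBLogin`, `HostBUser`), file paths and passwords are hypothetical placeholders, the same script is mirrored on the other host with the roles swapped, and dialog security is not covered.

```sql
-- Run on host A, in master. Names, paths and passwords are placeholders.
USE master;

-- The master key protects the private key of the local certificate.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong password placeholder>';

-- Local identity certificate; the private key never leaves this host.
CREATE CERTIFICATE HostACert
    WITH SUBJECT = 'Host A Service Broker transport';

-- Export the public part only and copy the file to host B out of band.
BACKUP CERTIFICATE HostACert TO FILE = 'C:\certs\HostACert.cer';

-- Endpoint authenticates with the local certificate instead of Windows.
CREATE ENDPOINT [broker]
    STATE = STARTED
    AS TCP (LISTENER_PORT = 4022)
    FOR SERVICE_BROKER (
        AUTHENTICATION = CERTIFICATE HostACert,
        ENCRYPTION = REQUIRED);

-- Principal that represents host B on this server.
CREATE LOGIN HostBLogin WITH PASSWORD = '<another strong password placeholder>';
CREATE USER HostBUser FOR LOGIN HostBLogin;

-- Import host B's public certificate (file copied from host B) and bind it
-- to that user, so a connection presenting it is treated as HostBLogin.
CREATE CERTIFICATE HostBCert
    AUTHORIZATION HostBUser
    FROM FILE = 'C:\certs\HostBCert.cer';

-- Only the mapped login gets CONNECT; ANONYMOUS LOGON needs no grant.
GRANT CONNECT ON ENDPOINT::[broker] TO HostBLogin;

-- Check 1: the endpoint uses certificate authentication and which certificate.
SELECT e.name, e.connection_auth_desc, e.encryption_algorithm_desc,
       c.name AS certificate_name, c.expiry_date
FROM sys.service_broker_endpoints AS e
LEFT JOIN sys.certificates AS c ON c.certificate_id = e.certificate_id;

-- Check 2: who holds permissions on the endpoint (review for unexpected grantees).
SELECT p.name AS grantee, sp.permission_name, sp.state_desc
FROM sys.server_permissions AS sp
JOIN sys.server_principals AS p ON p.principal_id = sp.grantee_principal_id
JOIN sys.endpoints AS e ON e.endpoint_id = sp.major_id
WHERE sp.class_desc = 'ENDPOINT' AND e.name = 'broker';
```

If `NT AUTHORITY\ANONYMOUS LOGON` was granted CONNECT while testing, the second query will list it, and the grant can be withdrawn with `REVOKE CONNECT ON ENDPOINT::[broker] FROM [NT AUTHORITY\ANONYMOUS LOGON]` once the certificate path works.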