Error logging into web application for user "NT AUTHORITY\ANONYMOUS LOGON"

I see that many people get this error, but their situations are all slightly different from mine.

I have an ASP.NET 4.0 web application that runs on IIS 6.0 on a Windows 2003 server.

When I remote into the web server box, log in there, and access the site as localhost rather than by machine name, the web application works fine. However, when I access the website from another client computer, I get the following error:

Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON' 

The website has anonymous access enabled and Windows authentication enabled. The web application contains the following:

  <authentication mode="Windows"> </authentication>
  <identity impersonate="true"/>
  <connectionStrings>
    <add name="MyConnection" connectionString="Data Source=MyDbServer;Initial Catalog=MyDatabase;Integrated Security=True" />
  </connectionStrings>

My web server runs on a virtual server. Is this relevant? I guess not.

Please note that if I add my domain\username and password to the web config after impersonate="true", the site will work.

+16
iis-6
Jun 09 2018-12-12T00:
3 answers

It seems that you are facing what is called the "double hop" problem, where the server is not trusted to pass the client's credentials on to another box (hop 1 is the credentials to the IIS box, hop 2 is from the IIS box to SQL Server).

When you log in directly to the server, the second hop does not need to take place, because the credentials pass straight from the client machine (the IIS server in this scenario) to SQL Server. Similarly, if SQL Server lived on the IIS box, you would not get this error either, since the client would make only one hop, to a box that could hand the credentials to both IIS and SQL Server.

It takes several steps to get delegation to work, for example, trusting the servers for delegation, creating an SPN, and ensuring that the other appropriate permissions are granted to the account that IIS uses to run the website. There is a technical article to help you complete the many necessary steps here: http://blogs.technet.com/b/taraj/archive/2009/01/29/checklist-for-double-hop-issues-iis-and-sql-server.aspx

Note: if you use NTLM and not Kerberos (or another delegated protocol), it will not work, since the middle server (IIS server) must have a token that can pass through. Since NTLM is negotiated, this will not work.

+25
Jun 15 '12 at 17:28

The problem here is that you are using

 <authentication mode="Windows"> </authentication> 

This requires your browser to send NTLM credentials. Firefox does not send this by default.

When you are on the server and using localhost, your browser sends your Windows login credentials to the server. It authenticates and grants access to the user MyDomain\MyID.

ASP.NET impersonates the token passed to it by IIS, which is either an authenticated user or the anonymous Internet user account (IUSR_machinename).

All your web requests that come from computers that are not in this domain will run under an anonymous account. In your case, NT AUTHORITY\ANONYMOUS LOGON.

The connection string is Integrated Security=True. This means that the Windows account under which the ASP.NET thread is running must also have access to the database. If you want to pass on the Windows credentials used to log in to IIS, you need to set Trusted_Connection=Yes.

Refer: How to Access SQL Server Using Windows Integrated Security

I suggest you take a look at forms authentication if you plan to expose this web service on the Internet or want to make it available to users who are not in the same domain as your server.

+5
Jun 11

I found that the problem for me was that in IIS I turned on Windows authentication instead of basic authentication. As soon as I switched to Basic Authentication, I was able to access SQL Server under an account.

In IIS, only basic authentication logs users on with a security token that flows over the network to a remote SQL server. By default, other IIS security modes used in conjunction with authentication configuration item settings will not produce a token that can authenticate to the remote SQL Server.

From: http://msdn.microsoft.com/en-us/library/bsz5788z.aspx

0
Sep 17


