Hello all -
I'm trying to connect to a Sql Server 2005 database from my local development machine, which is running IIS 5.1 (Windows XP Pro). The web application is not using impersonation and has anonymous access enabled. In my system's machine.config file, I've set the processModel section to look like:
<processModel userName="System" password="AutoGenerate" />
This has been working fine for us connecting to SQL Server 2000 databases (running on Windows 2003). When we connect, I access Sql 2000 databases under the context of "OurDomain\MyMachineName$". However, we've recently installed Sql Server 2005 on a new Windows 2003 server & when I connect to that server, I receive the error:
System.Data.SqlClient.SqlException: Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'
when trying to call the SqlConnection.Open() method. Our connection string is very basic:
Data Source=sql-dev2; Initial Catalog=TestDatabase; Integrated Security=True; Application Name=PrototypeWebservice;
In the Sql Server logins, we've granted the computer account "OurDomain\MyMachineName$" db_owner access to every database (in both Sql Server 2000 & 2005).
I am able to connect to the Sql Server 2005 databases if I change my section in machine.config to <processModel userName="OurDomina\myPersonalAccount" password="myPersonalPwd"/>, or if I move the application to an IIS6 server & set the application pool identity to NETWORK SERVICE, but we'd like to continue accessing our Sql Server 2005 databases (from our development machines running IIS5.1) as we currently access our Sql Server 2000 databases; under the context of "OurDomain\MyMachineName$".
Would anyone have any ideas why this would be happening or how to resolve? Thanks in advance.
Please check this blog: http://blogs.msdn.com/sql_protocols/archive/2006/12/02/understanding-kerberos-and-ntlm-authentication-in-sql-server-connections.aspx
.....
[1] "Login Failed for user 'NT Authority\ANONYMOUS' LOGON"
In this scenario, client make tcp connection, and it is most likely running under LocalSystem account, and there is no SPN registered for SQL instance, hence, NTLM is used, however, LocalSystem account inherits from System Context instead of a true user-based context, thus, failed as 'ANONYMOUS LOGON'. See http://support.microsoft.com/kb/132679.
The workaround here is
a. ask your domain administrator to manually register SPN if your SQL Server running under a domain user account.
b. use NP connection.
c. change your sql server to run under either localsystem account or networkservice account.
|||
That was the ticket!!! Thank you very much.
For future reference, the problem we ran into was that we had multiple active directory accounts registered with the same SPN. One entry was registered under the computer account sql server was running on & the other was the user account the sql server service was running under. We detected this by looking into the System event log on the domains PDC (the entry was EventID 11, Source KDC. Exact steps we followed were those suggested by other users on the thread: http://www.eventid.net/display.asp?eventid=11&eventno=569&source=KDC&phase=1). After removing the entry for the computer account, kerberos authentication succeeded.
Thanks again!
|||Thanks for the feedback.
No comments:
Post a Comment