RE: Random NT Authority/Anonymous Login Errors - REALLY NEED HELP.

Discussion in 'ASP .Net' started by Steven Cheng[MSFT], Dec 8, 2006.

  1. Hello Jay,

    From your description, you have some ASP.NET WEB applications hosted on IIS
    6 and these ASP.NE application will use delegate to access the backend SQL
    Server(2000) under the user from frontend browser. However, you found the
    ASP.NET application randomly receive 'NT AUTHORITY\ANONYMOUS LOGON' error,
    correct?

    Regarding on this issue, I've performed some research and did found some
    similar issues in the former cases. However, most of them are caused by
    some configuration issue. For example, the SQL Server is configured to use
    a different network port and that network port hasn't be registered for its
    SPN. However, this should result a expected error rather than randomly
    occured. I've also found some records about the problem when connecting to
    SQL Server(through secured kerberos authentication) failed under TCP/IP
    connection, it indicate that due to the TCP IP port assigned randonly at
    client, it may make the kerberos authentication failes sometimes. I'm not
    sure whether may be the case you meet, however, if possible, I suggest you
    try turning off TCP/IP and use namedpipe protocol for test to see whether
    it will suffer such issue.

    In addition, you can check the eventlog on both the ASP.NET server and SQL
    server backend server to see whether there is any entry could provide some
    clues.



    Sincerely,

    Steven Cheng

    Microsoft MSDN Online Support Lead



    ==================================================

    Get notification to my posts through email? Please refer to
    http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif
    ications.



    Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
    where an initial response from the community or a Microsoft Support
    Engineer within 1 business day is acceptable. Please note that each follow
    up response may take approximately 2 business days as the support
    professional working with you may need further investigation to reach the
    most efficient resolution. The offering is not appropriate for situations
    that require urgent, real-time or phone-based interactions or complex
    project analysis and dump analysis issues. Issues of this nature are best
    handled working with a dedicated Microsoft Support Engineer by contacting
    Microsoft Customer Support Services (CSS) at
    http://msdn.microsoft.com/subscriptions/support/default.aspx.

    ==================================================



    This posting is provided "AS IS" with no warranties, and confers no rights.
     
    Steven Cheng[MSFT], Dec 8, 2006
    #1
    1. Advertising

  2. Steven Cheng[MSFT]

    Jay Pondy Guest

    Steven

    Your summary of our problem is exactly correct. Some additional information that
    might help is that under the Internet Information Services - Directory Security
    tab we have every combination of Anonymous and Integrated Windows Authentication
    depending on the application. Most of them have both turned on.

    I have removed the TCP/IP network library and we are now using only Named Pipes
    as you suggested. On Monday morning I will post back with a status of how the
    weekend went.

    I have scoured our event logs many, many times and have not been able to find
    any additional information to help us diagnose and correct this problem.

    I really appreciate you working on this problem with me and if necessary I can
    open an MSDN case for it. Please advise.


    On Fri, 08 Dec 2006 04:28:15 GMT, (Steven
    Cheng[MSFT]) wrote:

    >Hello Jay,
    >
    >From your description, you have some ASP.NET WEB applications hosted on IIS
    >6 and these ASP.NE application will use delegate to access the backend SQL
    >Server(2000) under the user from frontend browser. However, you found the
    >ASP.NET application randomly receive 'NT AUTHORITY\ANONYMOUS LOGON' error,
    >correct?
    >
    >Regarding on this issue, I've performed some research and did found some
    >similar issues in the former cases. However, most of them are caused by
    >some configuration issue. For example, the SQL Server is configured to use
    >a different network port and that network port hasn't be registered for its
    >SPN. However, this should result a expected error rather than randomly
    >occured. I've also found some records about the problem when connecting to
    >SQL Server(through secured kerberos authentication) failed under TCP/IP
    >connection, it indicate that due to the TCP IP port assigned randonly at
    >client, it may make the kerberos authentication failes sometimes. I'm not
    >sure whether may be the case you meet, however, if possible, I suggest you
    >try turning off TCP/IP and use namedpipe protocol for test to see whether
    >it will suffer such issue.
    >
    >In addition, you can check the eventlog on both the ASP.NET server and SQL
    >server backend server to see whether there is any entry could provide some
    >clues.
    >
    >
    >
    >Sincerely,
    >
    >Steven Cheng
    >
    >Microsoft MSDN Online Support Lead
    >
    >
    >
    >==================================================
    >
    >Get notification to my posts through email? Please refer to
    >http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif
    >ications.
    >
    >
    >
    >Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
    >where an initial response from the community or a Microsoft Support
    >Engineer within 1 business day is acceptable. Please note that each follow
    >up response may take approximately 2 business days as the support
    >professional working with you may need further investigation to reach the
    >most efficient resolution. The offering is not appropriate for situations
    >that require urgent, real-time or phone-based interactions or complex
    >project analysis and dump analysis issues. Issues of this nature are best
    >handled working with a dedicated Microsoft Support Engineer by contacting
    >Microsoft Customer Support Services (CSS) at
    >http://msdn.microsoft.com/subscriptions/support/default.aspx.
    >
    >==================================================
    >
    >
    >
    >This posting is provided "AS IS" with no warranties, and confers no rights.
     
    Jay Pondy, Dec 8, 2006
    #2
    1. Advertising

  3. Thanks for your reply Jay,

    As you mentioned

    ================
    under the Internet Information Services - Directory Security
    tab we have every combination of Anonymous and Integrated Windows
    Authentication
    depending on the application. Most of them have both turned on.
    ================

    So you have both used intergrated windows authentication and turn on
    anonymous access in IIS virtual dir? If so, I would suggest you turn off
    "anonymous" access because if you allow anonyumous, the ASP.NET
    application's security context is not generated through client browser and
    IIS server's kerberos exchange, but is the IIS itself create a logon
    session locally, and this security context is likely different from the one
    created from client-server challenge. So you can trun off "anonymous
    access" and force every request to execute under a windows identity
    authenicated from remove client to see whether it also helps.

    Please feel free to post here if there is any update.

    Sincerely,

    Steven Cheng

    Microsoft MSDN Online Support Lead


    This posting is provided "AS IS" with no warranties, and confers no rights.
     
    Steven Cheng[MSFT], Dec 11, 2006
    #3
  4. Thanks for your followup Jay,

    I'm afraid this issue is abit different from the original symtom I
    expected. So far I haven't found any further useful clues that exactly
    helps on addressing the cause. If necessary, I will recommend you contact
    CSS and open a support incident to troubleshoot this issue.

    Please feel free to let me know if there is anything else we can help.

    Sincerely,

    Steven Cheng

    Microsoft MSDN Online Support Lead


    This posting is provided "AS IS" with no warranties, and confers no rights.
     
    Steven Cheng[MSFT], Dec 14, 2006
    #4
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Mike Hutton
    Replies:
    2
    Views:
    3,154
    Ken Witmyer
    Nov 11, 2003
  2. Maellic
    Replies:
    3
    Views:
    4,313
    Maellic
    Jan 13, 2004
  3. et
    Replies:
    10
    Views:
    19,263
  4. =?Utf-8?B?QnVnZ3ltYW4=?=

    Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON

    =?Utf-8?B?QnVnZ3ltYW4=?=, Jun 24, 2005, in forum: ASP .Net
    Replies:
    5
    Views:
    47,612
    sangsharma
    Dec 31, 2007
  5. Jay Pondy
    Replies:
    0
    Views:
    720
    Jay Pondy
    Nov 30, 2006
Loading...

Share This Page