21

I see that many people get this error, but their situations all appear a little different from mine.

I have an ASP.NET 4.0 web app that runs in IIS 6.0 on a Windows 2003 Server.

When I Remote to the web server box and log on there and access the site as localhost rather than by machine name, the web app works fine. However, when I access the web site from another client machine, I get the following error:

Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'

The web site has Anonymous access turned Windows Authentication turned on. The web app contains the following:

    <authentication mode="Windows"></authentication>
    <identity impersonate="true"/>

    <connectionStrings>
      <add name="MyConnection" connectionString="Data Source=MyDbServer;Initial Catalog=MyDatabase;Integrated Security=True" />
    </connectionStrings>

My web server is running on a Virtual Server. Is this relevant? I assume not.

Note that if I add my domain\login and password in the web config after Impersonation = TRUE, the site works.

Chad
  • It really sounds like you have Enable anonymous access checked but the selected user does not have the proper rights. Also, you have this tagged with Server 2008 but you say in the body that you're using 2003. – 500 - Internal Server Error Jun 09 '12 at 00:47
  • I don't think so, because when I log on as MyDomain\MyID to the web server and access http://localhost/mysite, the web site works. When I am logged onto my PC and access the site using http://webservername/mysite/ I get the LogonFailed error for anonymous logon. However, when I remote to the web server and log on to the web server with an ID that does not have access to the database, I get the error Cannot open database "MyDatabase" requested by the login. The login failed. Login failed for user 'MyDomain\MyID' (not anonymous). Furthermore, I can connect to the db using SSMS and Windows Auth. – Chad Jun 09 '12 at 02:08
  • Just curious, what browser are you using to test? – nunespascal Jun 11 '12 at 05:17
  • OK, I changed Integrated Security=True to Trusted_Connection=Yes, but the article that you referred me to states that I should be using authentication mode = Windows, which I think is correct. However, I nevertheless tried to change it to Forms but had no luck. We only use IE internally, but point taken about Firefox. – Chad Jun 11 '12 at 13:12

3 Answers

39

It sounds like you're running into what's called a "double-hop" issue, which is where the server is not being trusted to pass the client's credentials on to another box (hop 1 is the credentials to the IIS box, hop 2 is from the IIS box to the SQL Server).

When you're logged directly into the server, the second hop doesn't need to take place since it's just passing credentials directly from the client machine (the IIS server in this scenario) directly to the SQL Server. Likewise, if the SQL Server lived on the IIS box, you wouldn't have this error either, since the client would only be making the one request to a box that could share the credentials with both IIS and SQL Server.

There are quite a few steps required to get the delegation to work, such as trusting the servers for delegation, creating SPNs and making sure that other proper permissions are given to the account that IIS is using to run the web site. There is a technet article that can help take you through a lot of the required steps here: https://docs.microsoft.com/en-us/archive/blogs/taraj/checklist-for-double-hop-issues-iis-and-sql-server

Note: if you're using NTLM and not Kerberos (or another delegatable protocol), it will not work, as the middle server (the IIS server) needs to have a token that it can pass along. Since NTLM is based on negotiation, it won't work.

2020 Update: if you're starting to see this issue popup again, and it's only affecting Windows 10 users, or Windows 2016+ users, it's likely that "Credential Guard" is being enforced on your users' machines (see: https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-requirements). One of the things that breaks is Kerberos unconstrained delegation - so if this has happened to you, you'll likely need to reconfigure the middle box (the IIS server in the example above) to use constrained delegation instead of unconstrained delegation.

Chris Young
  • Nice answer. I've linked back to this one from a more recent question here, where scenario is different, but symptom and root cause are the same: https://stackoverflow.com/questions/47871816/how-to-run-an-r-script-which-has-database-connection-using-integrated-windows-a/47877987#47877987 – T-Heron Dec 21 '17 at 12:40
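The answer above lists the delegation prerequisites in prose. The following PowerShell audit is an added example, not code from the answer or from Microsoft's checklist: it reads the relevant Active Directory attributes for the account the web site runs as and reports which of the three conditions (HTTP SPN so clients use Kerberos rather than NTLM, a uniquely registered SQL SPN, and delegation to that SPN, preferably constrained as the 2020 update recommends) is missing. The account name, web host, SQL host and port are placeholder assumptions; replace them for your environment.

```powershell
# Added example, not code from the original answers. Audits the Kerberos
# delegation setup behind the "double hop" described above: the account the
# web site runs as must (1) hold the HTTP SPN so the client uses Kerberos
# rather than NTLM, and (2) be allowed to delegate to the SQL Server SPN,
# preferably with constrained delegation (see the 2020 update).
# Assumptions / placeholders: $AppPoolSam, $WebHost, $SqlHost, $SqlPort.
# Requires the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

$AppPoolSam = 'svc-myweb'                    # placeholder: app pool / identity account
$WebHost    = 'webservername.mydomain.local' # placeholder: name clients browse to
$SqlHost    = 'MyDbServer.mydomain.local'    # placeholder: SQL Server FQDN
$SqlPort    = 1433

$httpSpn = "HTTP/$WebHost"
$sqlSpn  = "MSSQLSvc/${SqlHost}:$SqlPort"

$props = 'ServicePrincipalName', 'TrustedForDelegation',
         'TrustedToAuthForDelegation', 'msDS-AllowedToDelegateTo'
$acct = Get-ADUser -Identity $AppPoolSam -Properties $props

$findings = @()

# 1. Kerberos to IIS: the HTTP SPN must sit on the account the site runs as,
#    otherwise clients fall back to NTLM, which cannot be delegated at all.
if ($acct.ServicePrincipalName -notcontains $httpSpn) {
    $findings += "MISSING: $httpSpn is not registered on $AppPoolSam; clients will use NTLM." +
                 " Fix: setspn -S $httpSpn $AppPoolSam"
}

# 2. The SQL SPN must resolve to exactly one account, or the second hop
#    cannot obtain a Kerberos service ticket for SQL Server.
$sqlOwners = @(Get-ADObject -Filter "servicePrincipalName -eq '$sqlSpn'")
if ($sqlOwners.Count -ne 1) {
    $findings += "SPN $sqlSpn is registered on $($sqlOwners.Count) objects (expected exactly 1)."
}

# 3. Delegation: constrained (an explicit list of target SPNs) is the target
#    state; unconstrained is broken by Credential Guard and is a far wider grant.
$allowed = @($acct.'msDS-AllowedToDelegateTo')
if ($allowed -contains $sqlSpn) {
    $findings += "OK: constrained delegation from $AppPoolSam to $sqlSpn is configured."
} elseif ($acct.TrustedForDelegation) {
    $findings += "WARNING: $AppPoolSam uses unconstrained delegation. Move to constrained:" +
                 " Set-ADUser $AppPoolSam -Add @{'msDS-AllowedToDelegateTo'='$sqlSpn'};" +
                 " Set-ADAccountControl $AppPoolSam -TrustedForDelegation `$false"
} else {
    $findings += "MISSING: $AppPoolSam may not delegate to $sqlSpn; the second hop arrives as ANONYMOUS LOGON." +
                 " Fix: Set-ADUser $AppPoolSam -Add @{'msDS-AllowedToDelegateTo'='$sqlSpn'}"
}

$findings
```

The script only reports; the suggested commands are printed so the change can be reviewed before it is made. If the application pool runs as Network Service rather than a domain account, the same attributes live on the web server's computer account instead (Get-ADComputer / Set-ADComputer), and the HTTP SPN is then normally covered by the HOST/ SPNs the machine account already holds.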
6

The problem here is you are using

<authentication mode="Windows">    </authentication>

This needs your browser to send NTLM credentials. Firefox does not send this by default.

When you are on the server and use localhost, your browser is sending your Windows login credentials to the server. It is authenticating and giving access to the user, MyDomain\MyID.

ASP.NET impersonates the token passed to it by IIS, which is either an authenticated user or the anonymous Internet user account (IUSR_machinename).

All your web requests that occur from machines that are not on that domain will run under the anonymous account. In your case, NT AUTHORITY\ANONYMOUS LOGON.

Your connection string is using Integrated Security=True. That means the Windows account under which the ASP.NET thread is processing must have access to the database too. If you want to pass the Windows credentials used to log in to IIS, you have to set Trusted_Connection=Yes.

Refer: How to: Access SQL Server Using Windows Integrated Security

I suggest that you take a look at forms authentication, if you plan to expose this webservice on the web, or if you want to make it available to users who are not the same domain as your server.

nunespascal
  • BTW, check the first 2 sentences of your post for typos. :-) Note, I should have also mentioned that I remoted to another PC and signed in with an ID that was on the same domain as my web site and I got the same error. Are you sure that the Windows account under which ASPNET is running needs access to the db too if Integrated Security is used? I thought the point of setting IMPERSONATION = TRUE meant that it should be impersonating the current user. – Chad Jun 11 '12 at 04:36
  • Corrected. Added some more clarification. – nunespascal Jun 11 '12 at 05:15
  • I noticed something in the article that I previously missed: If the SQL Server is on a remote server, in IIS, clear Windows Authentication and select Basic. but when I do this, the user is prompted to enter the same Windows LAN credentials that he used to log on originally to his PC. This is inconvenient and why is it necessary? Furthermore, there is a warning to the user that if he enters his usercode\pwd that it is being sent insecurely. – Chad Jun 11 '12 at 13:22
2

I found that the issue for me was that in IIS I had Windows Authentication instead of Basic Authentication enabled. As soon as I switched to Basic Authentication, I was able to access the SQL Server under the logged in account.

In IIS, only Basic Authentication logs users on with a security token that flows across the network to a remote SQL server. By default, other IIS security modes used in conjunction with the identity configuration element settings will not result in a token that can authenticate to a remote SQL Server.

From: http://msdn.microsoft.com/en-us/library/bsz5788z.aspx

Mike Pollitt
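The two answers above both turn on which IIS authentication module is enabled, and the comments note the browser warning that Basic authentication sends the password insecurely. The following PowerShell audit is an added example, not code from the answers or from the linked Microsoft article: it lists the authentication modes enabled on each IIS site and flags Basic authentication that is not forced over TLS. It assumes IIS 7 or later with the WebAdministration module (the question's IIS 6 host predates that module) and is run in an elevated PowerShell session on the web server.

```powershell
# Added example, not code from the original answers or from Microsoft's article.
# Reports which authentication modes each IIS site enables and flags Basic
# authentication that is not forced over TLS: Basic sends the user's domain
# password base64-encoded only, readable by anyone on the network path, which
# is the browser warning mentioned in the comments above.
# Assumption: IIS 7 or later with the WebAdministration module; run elevated
# on the web server.
Import-Module WebAdministration

# Normalise Get-WebConfigurationProperty output, which may be a bare value
# or a ConfigurationAttribute object exposing the value through .Value.
function Get-IisSetting {
    param([string]$PSPath, [string]$Filter, [string]$Name)
    $raw = Get-WebConfigurationProperty -PSPath $PSPath -Filter $Filter -Name $Name
    if ($null -ne $raw -and $null -ne $raw.Value) { return $raw.Value }
    return $raw
}

$authBase = 'system.webServer/security/authentication'
$report = foreach ($site in Get-Website) {
    $psPath = "IIS:\Sites\$($site.Name)"
    $anon  = [bool](Get-IisSetting $psPath "$authBase/anonymousAuthentication" 'enabled')
    $basic = [bool](Get-IisSetting $psPath "$authBase/basicAuthentication"     'enabled')
    $win   = [bool](Get-IisSetting $psPath "$authBase/windowsAuthentication"   'enabled')
    $ssl   = "$(Get-IisSetting $psPath 'system.webServer/security/access' 'sslFlags')"

    $issues = @()
    if ($basic -and $ssl -notmatch 'Ssl') {
        # Basic without "Require SSL" exposes the domain password on the wire.
        $issues += 'Basic auth enabled without Require SSL'
    }
    if ($anon -and $win) {
        # IIS serves the request anonymously first unless the application
        # denies anonymous users (deny users="?"), so impersonation yields
        # the anonymous account rather than the browsing user.
        $issues += 'Anonymous and Windows auth both enabled; anonymous is tried first'
    }
    if (-not ($anon -or $basic -or $win)) {
        $issues += 'No authentication module enabled'
    }

    [pscustomobject]@{
        Site      = $site.Name
        Anonymous = $anon
        Basic     = $basic
        Windows   = $win
        SslFlags  = $ssl
        Issues    = ($issues -join '; ')
    }
}
$report | Format-Table -AutoSize
```

Running it produces one row per site; a non-empty Issues column is what to act on. If Basic authentication is kept as the workaround described in the last answer, pair it with an HTTPS binding and "Require SSL" on the site so the password the user is prompted for is never sent in the clear.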