Login failed for NT Authority\Anonymous Logon

  • Adnan Al-Ghourabi

    Login failed for NT Authority\Anonymous Logon

    Hi,

    We have an application running on IIS 6.0, on a Windows 2003 box. The
    back-end database, a SQL Server 2000, runs on another server, Windows 2000.

    We have enabled integrated authentication, and provided the windows account
    the appropriate permissions in SQL Server.

    If running the application locally on the server, the user authenticates
    fine. When accessing the application remotely, a SQL exception, "Login failed
    for NT Authority\Anonymous Logon", is thrown.

    The website node only allows Windows integrated authentication. The
    Web.config has been set up correctly to allow identity impersonation and
    Windows authentication.

    Note that we have a number of users who access this application. They all
    belong to one Active Directory group.

    From my research, I can see that the issue is related to delegation
    permissions, hence the ability to authenticate locally on the server and not
    remotely given the extra "hop".

    My question is, what are the exact permissions that will need to be set in
    order to allow users to authenticate when accessing the application remotely?
    What should the identity be for the application pool?

    Thanks for your help!

    Adnan
  • Norman Yuan

    #2
    Re: Login failed for NT Authority\Anonymous Logon

    It seems obvious that the web app is allowed anonymous access although,
    according to you, the web.config for the web app is configured for
    Windows authentication and impersonation is enabled.

    It is possible that the IIS setup on that web app is not correct. Remember,
    ASP.NET is run on top of IIS. So, the IIS must be set up correctly before
    ASP.NET App's web.config can work correctly.

    To enforce Windows authentication and impersonate the ASP.NET running
    account to a different (domain or machine) user account (instead of
    ASPNET/Network Service), you must not allow anonymous access. In IIS
    Manager, right-click the web app and select "Properties->Directory
    Security", click the "Edit..." button in the "Authentication ..." box, then in
    the "Authentication Method" dialog, make sure ONLY "Integrated Windows
    authentication" is checked.



    • Adnan Al-Ghourabi

      #3
      Re: Login failed for NT Authority\Anonymous Logon

      Hi Norman,

      Thanks for your reply.

      Only integrated authentication is enabled in IIS; anonymous access IS
      disabled. I know for sure that the problem is related to delegation as I
      mentioned in my post.

      I did come across a solution online:


      I haven't implemented that solution yet, but it does address the exact
      problem I am having.

      Thanks!

      Adnan

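Added example, not code from the thread or from any poster: a small ASP.NET diagnostic handler for the double-hop symptom discussed above, reporting whether the impersonated token can be carried on to the database server. The class name `DelegationCheck` and its messages are hypothetical; it assumes .NET Framework 2.0 or later and `<identity impersonate="true"/>` in web.config.

```csharp
// DelegationCheck.ashx.cs -- added diagnostic; class and method names are hypothetical.
// Deploy temporarily on the IIS server and browse to it from a remote client.
using System;
using System.Security.Principal;
using System.Web;

public class DelegationCheck : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    // Decision logic kept separate from the HTTP plumbing so it can be read on its own.
    public static string Diagnose(string name, string authType, TokenImpersonationLevel level)
    {
        // Only a Delegation-level token can be presented to a second machine.
        if (level == TokenImpersonationLevel.Delegation)
            return name + ": token is delegable; the second hop can carry this identity.";

        // NTLM proves identity to the first server only and cannot be forwarded.
        if (String.Equals(authType, "NTLM", StringComparison.OrdinalIgnoreCase))
            return name + ": authenticated with NTLM, which cannot be delegated; "
                 + "the database server will see an anonymous logon.";

        // Kerberos/Negotiate without delegation rights: usable on this server only.
        return name + ": authenticated via " + authType + " at level " + level
             + "; the token is valid on this server only, so the second hop is anonymous.";
    }

    public void ProcessRequest(HttpContext context)
    {
        // With impersonation enabled the request thread runs as the caller,
        // so GetCurrent() returns the impersonated user's token.
        WindowsIdentity id = WindowsIdentity.GetCurrent();
        context.Response.ContentType = "text/plain";
        context.Response.Write(Diagnose(id.Name, id.AuthenticationType, id.ImpersonationLevel));
    }
}
```

Remove the handler once troubleshooting is finished, since it discloses account names and authentication details to whoever requests it.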