A
Andy
The anonymous auth is typically when there is either some sort of delegation
problem or a problem with Kerberos auth itself. What happens is that if the
service impersonating the user cannot authenticate via Kerberos for some
reason, it will try to authenticate via NTLM instead. However, it doesn't
have any NTLM credentials it can use for the impersonated user, so it
instead logs in the NT AUTHORITY\ANONYMOUS user.
Ok, I've looked at a good number of the anonymous logons; the
workstation generating them is either the other DC, my workstation,
the database server, my testing server and my development server.
The first thing I would do there is find out if Kerb auth to SQL itself is
broken or whether the problem is just a function of delegation not working.
Connecting to SQL with a known good client that can do Kerb auth and
checking that audit would be a good way to start. It is possible that you
have an SPN problem in your directory related to SQL. This is especially
likely if you run SQL under an account other than System or Network Service
and did not explicitly set an SPN in AD on the actual account you used.
Well, connecting with SSMS didn't seem to cause anonymous logons, but
my program doesn't seem to be either. So I think those other
anonymous logons were unrelated.
Sql Server is running as the Local System account, except for sql
agent which is running as Network Service.
Is it ok for you to be authenticating to SQL as anonymous? That sort of
begs the question of why try to delegate in the first place.
I don't think anything is authenticating to Sql as anonymous;
certainly not my application, which would fail to run properly.
Except for some low security views where [public] is allowed, all
procs and functions and other views are tied to specific roles only.
Andy