Sladescross's Blog

Blogging about Sharepoint related stuff

SQL Connection ‘NTAUTHORITY\ANONYMOUS LOGON’ August 16, 2010

Filed under: SQl Connection Anonymous Logon — sladescross @ 11:35 am

http://support.microsoft.com/kb/899417/en-us

This issue occurs if the following conditions are true:
The Internet Explorer advanced option Enable Integrated Windows Authentication is enabled.
You use the NetBIOS name to access the Web site, and the name is resolved through Domain Name System (DNS) as a fully qualified domain name (FQDN).
The Web site Service Principal Name (SPN) exists only as an FQDN in the Active Directory directory service.
The value for the DNS Cache Timeout setting is lower than the DNS Time to Live (TTL) setting value.

When you use the WWW-Authenticate: Negotiate method of HTTP authentication, the Internet Explorer client DNS cache entry may expire. When this entry expires, the Wininet.dll file on the client computer uses the Hostname entry in the Uniform Resource Identifier of the HTTP request to request a new SPNEGO token from the domain controller. The Wininet.dll file uses this Hostname entry instead of using the FQDN that was returned from the initial DNS Resolver query.

To work around this problem and reduce the frequency of this error, set the Internet Explorer DNS Cache Timeout value to the same value as the DNS TTL value in the enterprise. To set the Internet Explorer DNS Cache Time-out value, follow these steps:
Click Start, click Run, type Regedit, and then click OK.
To set the Internet Explorer DNS Cache Timeout value per user, locate and then click the following registry subkey:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Current Version\Internet Settings
On the Edit menu, point to New, and then click DWORD value.
Type DNSCacheTimeout and then press ENTER.
Click DNSCacheTimeout, click Edit, and then click Modify.
In the Value data box, type the value that you want in seconds, and then click OK.

Note The default value for the DNS TTL is 1800 seconds.
Quit Registry Editor.

http://blogs.msdn.com/b/spatdsg/archive/2007/11/20/kerberos-delegation-end-to-end-part-ii.aspx

Good listing of a problem with Kerberos and the anonymous login.

About these ads
 

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

 
Follow

Get every new post delivered to your Inbox.

Join 63 other followers