SQL Server 2008 – Is ‘NT AUTHORITY\ANONYMOUS LOGON’ Login Mandatory?

Securitysql server

My spider senses are tingling when I found this "NT AUTHORITY\ANONYMOUS LOGON" account on a SQL Server logins. I tried to research the matter and I even have a book about SQL Server management. Also all the web searches I've done seem to relate only to login problems. The account is not on the local SQL express installation that I have, so I don't really know if someone added it there and if so, why.

Anyways my take on this is as follows: This account seems to allow login for every people that are in my domain. This just seems wrong and I want to shut it down. My concern is, that if I shut down this account, will applications start to fail login ? Is user/password login considered "anonymous" in this regard ? In other words, do other than AD-accounts need this for the login to work ?

I wish I could just test it, but it could do some damage in production environment.

Best Answer

This account seems to allow login for every people that are in my domain

That is actually incorrect. It allows access to anyone that cannot be authenticated. Members of your domains will successfully authenticate and they will be rejected.

On a serious note: there is absolutely ZERO reasons to have this login enabled. It was added intentionally to your system by somebody, this is not a default configuration. If I'd venture a guess, it would be that somebody tried to configure integrated authentication with impersonation on a web application and did not understand the requirement for 'double hop' constrained delegation. Needless to say, the 'solution' is a huge security hole that requires immediate action. You need to identify the application that uses this login and fix the authentication as appropriate (the link contains the primer on how to set up constrained delegation).

Related Solutions

Sql-server – Login failed for user ‘NT AUTHORITY\ANONYMOUS LOGON’. (MsDtsSrvr)

This appears to be a authentication scheme problem. If my memory serves correctly, the appearance of the ANONYMOUS LOGON is indicative of NTLM being used instead of Kerberos. If your SQL Server service is running under a domain credential, you will need to ensure there is a Service Principle Name (SPN) present for SQL Server. The syntax of the SetSPN command can be found here: SetSPN In short, you must marry a protocol with a TCP Port and the service account. I believe the command will look something like this:

setspn -s MSSQLSvc/Server.Domain:TCPPort Domain\ServiceUser

To verify which authentication scheme your existing connections are using, run the following code:

SELECT
    dec.session_id,
    dec.auth_scheme
FROM sys.dm_exec_connections AS dec

If configured properly for Kerberos, you will see Kerberos in the auth_scheme column. If not, you will see NTLM.

Finally, if your setup requires multi-hop authentication, you will need to configure each subsequent hop before the SQL Server to allow delegation. Inside Active Directory, go to the properties page of the computer or user account that will need to pass through authentication to the SQL Server, go to the Delegation Tab, select "Trust this user for Delegation on Kerberos only", and then select the service that this account will be passing authentication to (search for your SQL Server service account).

Hope this helps,

Matt

Sql-server – db connection uses an anonymous logon instead of the domain user

Reading the manual I found something relevant:

For example IIS 7, in its default configuration, has anonymous authentication enabled with built-in user account IUSR used as a default identity. This means that in order for IIS to execute PHP scripts, it is necessary to grant IUSR account read permission on those scripts. If PHP applications need to perform write operations on certain files or write files into some folders then IUSR account should have write permission to those.

And iis.net has the following relevant information:

This built-in account does not need a password and will be the default identity that is used when anonymous authentication is enabled. If you look in the applicationHost.config file you will see the following definition:

<anonymousAuthentication enabled="true" userName="IUSR" defaultLogonDomain="" />

This tells IIS to use the new built-in account for all anonymous authentication requests.

Hope it helps

Best Answer

Related Solutions

Sql-server – Login failed for user ‘NT AUTHORITY\ANONYMOUS LOGON’. (MsDtsSrvr)

Sql-server – db connection uses an anonymous logon instead of the domain user

Related Question