SQL Server returns error "Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'." in Windows application


Problem description

An application that has been working without problem (and has not had any active development done on it in about 6 months or so) recently began failing to connect to database. Operations admins can't say what might have changed that would cause the problem.

The client application uses a hardcoded connection string with Integrated Security=True, but when the application attempts to create a connection to the database, it throws an SQLException saying "Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'."

I can log on to the database through Management Studio on this account without problem. All of the things that I have seen for this issue are for ASP.NET projects and it is apparently the "Double Hop Problem" which being a client application darned well better not be a problem. Any help would be greatly appreciated.

The client machine and server machine as well as user accounts are on the same domain. This occurs when Windows Firewall is off.

Leading theory is: Server was restarted about a week or so ago, and failed to register Service Principal Name (SPN). Failure to register an SPN may cause integrated authentication to fall back to NTLM instead of Kerberos.

Recommended answer

If your issue is with linked servers, you need to look at a few things.

First, your users need to have delegation enabled and if the only thing that's changed, it's likely they do. Otherwise you can uncheck the "Account is sensitive and cannot be delegated" checkbox in the user properties in AD.

Second, your service account(s) must be trusted for delegation. Since you recently changed your service account I suspect this is the culprit. (http://technet.microsoft.com/en-us/library/cc739474(v=ws.10).aspx)

You mentioned that you might have some SPN issues, so be sure to set the SPN for both endpoints, otherwise you will not be able to see the delegation tab in AD. Also make sure you're in advanced view in "Active Directory Users and Computers."

If you still do not see the delegation tab, even after correcting your SPN, make sure your domain is not in 2000 mode. If it is, you can "raise domain function level."

At this point, you can now mark the account as trusted for delegation:

In the details pane, right-click the user you want to be trusted for delegation, and click Properties.

Click the Delegation tab, select the Account is trusted for delegation check box, and then click OK.

Finally you will also need to set all the machines as trusted for delegation.

Once you've done this, reconnect to your SQL Server and test your linked servers. They should work.
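
The checks this thread relies on (which scheme the session negotiated, whether the MSSQLSvc SPNs exist and who owns them, and how the delegation flags are set), as an added example that is not part of the original question or answer. It assumes Windows PowerShell with the RSAT ActiveDirectory module; the host name, port and service account name are placeholders.

```powershell
# Added diagnostic sketch. All values in this block are placeholders, not from the thread.
$SqlHost    = 'sqlhost.example.local'   # FQDN of the SQL Server machine (placeholder)
$SqlPort    = 1433                      # assumed default-instance TCP port
$ServiceAcc = 'svc-sql'                 # SQL Server service account (placeholder)
$UserAcc    = $env:USERNAME             # the account whose login is being tested

Import-Module ActiveDirectory

# 1. Which scheme did this session negotiate? KERBEROS, or NTLM after a fallback.
#    Reading sys.dm_exec_connections needs VIEW SERVER STATE on the instance.
$conn = New-Object System.Data.SqlClient.SqlConnection(
    "Server=$SqlHost,$SqlPort;Integrated Security=True")
try {
    $conn.Open()
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = 'SELECT auth_scheme FROM sys.dm_exec_connections ' +
                       'WHERE session_id = @@SPID'
    Write-Host "auth_scheme: $($cmd.ExecuteScalar())"
} catch {
    Write-Host "connect/query failed: $($_.Exception.Message)"
} finally {
    $conn.Dispose()
}

# 2. Is each expected SPN registered exactly once, and on which account?
#    A missing SPN forces NTLM; a duplicate makes Kerberos ticket requests fail.
$expected = "MSSQLSvc/$SqlHost", "MSSQLSvc/${SqlHost}:$SqlPort"
foreach ($spn in $expected) {
    $owners = @(Get-ADObject -Filter "servicePrincipalName -eq '$spn'")
    switch ($owners.Count) {
        0       { Write-Host "MISSING   $spn" }
        1       { Write-Host "OK        $spn -> $($owners[0].Name)" }
        default { Write-Host "DUPLICATE $spn -> $($owners.Name -join ', ')" }
    }
}

# 3. Delegation flags named in the answer, read-only.
#    AccountNotDelegated = "Account is sensitive and cannot be delegated".
Get-ADUser $UserAcc -Properties AccountNotDelegated |
    Format-Table SamAccountName, AccountNotDelegated
Get-ADUser $ServiceAcc -Properties TrustedForDelegation |
    Format-Table SamAccountName, TrustedForDelegation
Get-ADComputer ($SqlHost.Split('.')[0]) -Properties TrustedForDelegation |
    Format-Table Name, TrustedForDelegation
```

The script only reads state, so it can be run before and after any SPN or delegation change to confirm what actually changed.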
