KB16213 - NT AUTHORITY\ANONYMOUS LOGON SQL
Environment
- BlackBerry® Enterprise Server for IBM® Lotus® Domino®
- Microsoft® SQL Server 2000 and 2005
Overview
When the BlackBerry Dispatcher (or another BlackBerry® Enterprise Server service) attempts to communicate with the Microsoft SQL Server, the following error is reported:
Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'. 0x80040E4D NativeError=18456
Cause
This issue can occur under the following scenarios:
- Microsoft SQL Server 2000 was installed using a different service account than the one used for Microsoft SQL Server 2005. The Microsoft SQL Server 2000 service account was Local System, or belonged to Domain Admins.
- In Microsoft SQL Server 2000, the BlackBerry Enterprise Server connects over Named Pipes, which is enabled by default. Named Pipes is disabled by default in Microsoft SQL Server 2005, so the connection is made over Transmission Control Protocol/Internet Protocol (TCP/IP) instead. BlackBerry Enterprise Server services fail to authenticate over TCP/IP when the SPN is missing, but authenticate successfully over Named Pipes, which is why this error does not occur with Microsoft SQL Server 2000.
- The machine name was changed after setup.
- The server was reimaged.
Resolution
If the Microsoft SQL Server service is not running under an account with Domain Admin rights, or as the Local System account, the Service Principal Name (SPN) for this SQL instance is not registered in Active Directory (AD).
The SPN has the following form, where the first placeholder is the fully qualified domain name (FQDN) of the SQL Server host and the second is the TCP port the instance listens on:
MSSQLSvc/<FQDN>:<port>
When a client running as Local System attempts a TCP/IP connection and the SPN for the SQL instance is not registered, Kerberos authentication cannot complete and the client falls back to NT LAN Manager (NTLM). When NTLM is used, Local System inherits a NULL credential from the system context. When that NULL credential is passed across the network, the context becomes Anonymous Logon, and Anonymous Logon is not permitted to connect by the built-in SQL Server security architecture.
Complete one of the following workarounds to allow the SPN to register and avoid this issue:
- Run the instance under the Local System account. For the steps to perform this workaround, refer to KB12096.
- Run the instance under an account that has Domain Admin rights.
- Delegate permissions to the current account to modify SPNs. For more information about permissions, refer to article 772895 on the Microsoft® Technet site.
Complete the following steps to resolve the issue:
- Determine whether the SPN is registered incorrectly or not registered at all by opening a command prompt and listing the SPNs held by the account that runs the SQL Server service: setspn -L <domain>\<SQL service account>
If no MSSQLSvc entry is returned, the SPN is not set for this Microsoft SQL Server instance. If an MSSQLSvc entry is returned for the wrong host, port or account, that SPN has to be deleted first.
Type the following command to delete the SPN from the account that currently holds it:
setspn -D MSSQLSvc/<FQDN>:<port> <domain>\<account holding the SPN>
- To resolve the issue without changing the SQL service account or the permissions associated with it, a Domain Admin must manually register the SQL instance SPN on the account that runs the MSSQLSvc service. Type the following command to complete this task (replace 1433 with the port of the instance if it is not the default):
setspn -A MSSQLSvc/<FQDN>:1433 <domain>\<SQL service account>
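The following PowerShell script is an added example and is not part of this KB article or of the BlackBerry Enterprise Server product. It performs the check and registration steps above in one pass, and adds the server-side verification a practitioner wants afterwards: whether a TCP/IP connection actually arrived over Kerberos or fell back to NTLM. The host name sqlserver.example.com, port 1433 and service account EXAMPLE\svc_sqlserver are assumed values; replace them with your own.

```powershell
# Added example, not from the BlackBerry KB: find which account (if any) holds the MSSQLSvc
# SPN for an instance, register it when it is missing, and verify from SQL Server whether
# the connection used Kerberos or fell back to NTLM. All names below are assumptions.
param(
    [string]$SqlHost        = "sqlserver.example.com",   # assumed FQDN of the SQL Server host
    [int]   $Port           = 1433,                      # assumed TCP port of the instance
    [string]$ServiceAccount = "EXAMPLE\svc_sqlserver",   # assumed account running MSSQLSvc
    [switch]$Register                                    # actually run setspn -A when missing
)

$spn = "MSSQLSvc/${SqlHost}:${Port}"

# 1. Who holds the SPN? Search the whole domain for the SPN value instead of listing one
#    account: an SPN left behind on an old service account, or on the computer account
#    after the service account was changed, is a duplicate, and a duplicate breaks
#    Kerberos just as a missing SPN does (SSPI then falls back to NTLM).
$searcher = [ADSISearcher]"(servicePrincipalName=$spn)"
[void]$searcher.PropertiesToLoad.Add("sAMAccountName")
$owners = @($searcher.FindAll() | ForEach-Object { $_.Properties["samaccountname"][0] })

$expected = $ServiceAccount.Split('\')[-1]   # sAMAccountName part of DOMAIN\account

if ($owners.Count -eq 0) {
    Write-Host "$spn is NOT registered."
    if ($Register) {
        # Needs rights to write servicePrincipalName on the service account
        # (Domain Admin, or the delegated permission the KB describes).
        setspn -A $spn $ServiceAccount
    } else {
        Write-Host "Run:  setspn -A $spn $ServiceAccount"
    }
}
elseif ($owners.Count -eq 1 -and $owners[0] -eq $expected) {
    Write-Host "$spn is registered on $($owners[0]) (correct)."
}
else {
    Write-Host "$spn is registered on: $($owners -join ', ')"
    foreach ($o in ($owners | Where-Object { $_ -ne $expected })) {
        # Computer accounts appear as NAME$; setspn takes the plain host name.
        Write-Host "Remove with:  setspn -D $spn $($o.TrimEnd('$'))"
    }
    if ($owners -notcontains $expected) {
        Write-Host "Then add with: setspn -A $spn $ServiceAccount"
    }
}

# 2. Server-side verification (SQL Server 2005 or later): the auth_scheme column of
#    sys.dm_exec_connections reports KERBEROS for a Kerberos login and NTLM for a
#    fallback. Forcing the TCP port in -S makes sure the test does not go over Named
#    Pipes, which would mask the problem exactly as the Cause section describes.
sqlcmd -S "$SqlHost,$Port" -E -Q "SELECT auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@SPID"
```

Run the script as a domain user that can read Active Directory; use -Register only from an account that is allowed to write the SPN. Note that the sqlcmd check authenticates as the user running the script, not as Local System, so a KERBEROS result confirms the SPN is usable but does not by itself reproduce the BlackBerry Dispatcher's Local System connection; to test that path, run the same sqlcmd command under the Local System account on the BlackBerry Enterprise Server host, or restart the BlackBerry services and confirm the 18456 error no longer appears.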
Additional Information
Additional information can be found in the following locations:
- For more information about system contexts, refer to article 132679 on the Microsoft Support site.
- To download the SetSPN utility, search for SetSPN utility on the Microsoft Downloads site.
- For more information on how to use the SetSPN utility, refer to article 773257 on the Microsoft® TechNet site.