What is user account 'NT AUTHORITY\ANONYMOUS LOGON' ?
don-357257
Valued Member, Group: General Forum Members, Points: 72, Visits: 215
I have recently inherited a SQL Instance containing a number of databases.
These databases contain a user account called 'NT AUTHORITY\ANONYMOUS LOGON' and this user account is granted a specific select permission on a specific user table.
(The public role has also been assigned various select privileges to various tables, so presumably the 'NT AUTHORITY\ANONYMOUS LOGON' user account also has these privileges.)

But I don't understand what this user account is...

Who uses it?
Who is able to connect to the database with this user account?
(There is also a server login called 'NT AUTHORITY\ANONYMOUS LOGON' which is mapped to the equivalent account in each database.)

I've done an internet search and come across numerous posts related to error messages for "Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'."
But I want to take one step back and find out why such a user account is needed in the first place.

Any thoughts?
K. Brian Kelley
Keeper of the Duck, Group: Moderators, Points: 25210, Visits: 1917
When the OS can't validate who you are, you are NT AUTHORITY\ANONYMOUS LOGON. You typically see this in double hop situations like when you have a client connecting to SSRS and SSRS isn't on the same server as the SQL Server where the DB is located. As you might have guessed, they shouldn't have done this. Typically the right answer is to get Kerberos delegation correct.

It sounds like you need to track down the whys as to this security hole and figure out where it's coming from and get that fixed.

K. Brian Kelley
@kbriankelley
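An added example (not from the thread, and not Brian's code) of the tracking-down Brian suggests: T-SQL that lists what the 'NT AUTHORITY\ANONYMOUS LOGON' login holds at server level, what its mapped users hold in every online database, and which client hosts and programs are currently connected as it. It assumes sysadmin rights on the instance and uses only catalog views and DMVs that ship with SQL Server.

```sql
-- Added example: audit the NT AUTHORITY\ANONYMOUS LOGON login. Run as sysadmin.

-- 1. Server login and any server-role memberships
SELECT sp.name, sp.type_desc, sp.is_disabled, sp.create_date, r.name AS server_role
FROM sys.server_principals AS sp
LEFT JOIN sys.server_role_members AS rm ON rm.member_principal_id = sp.principal_id
LEFT JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
WHERE sp.name = N'NT AUTHORITY\ANONYMOUS LOGON';

-- 2. Explicit server-level permissions (CONNECT SQL is the usual one)
SELECT state_desc, permission_name, class_desc
FROM sys.server_permissions
WHERE grantee_principal_id = SUSER_ID(N'NT AUTHORITY\ANONYMOUS LOGON');

-- 3. Mapped database users and their explicit grants, across every online database.
--    securable is NULL for database-scoped grants; role-inherited rights
--    (e.g. via public) are not listed here because they are not explicit to this user.
CREATE TABLE #anon (db sysname, db_user sysname, state_desc nvarchar(60),
                    permission_name nvarchar(128), securable nvarchar(260));
DECLARE @sql nvarchar(max) = N'';
SELECT @sql += N'USE ' + QUOTENAME(name) + N';
INSERT #anon
SELECT DB_NAME(), dp.name, pe.state_desc, pe.permission_name,
       QUOTENAME(OBJECT_SCHEMA_NAME(pe.major_id)) + N''.'' + QUOTENAME(OBJECT_NAME(pe.major_id))
FROM sys.database_principals AS dp
LEFT JOIN sys.database_permissions AS pe ON pe.grantee_principal_id = dp.principal_id
WHERE dp.sid = SUSER_SID(N''NT AUTHORITY\ANONYMOUS LOGON'');
'
FROM sys.databases
WHERE state_desc = N'ONLINE';
EXEC sys.sp_executesql @sql;
SELECT * FROM #anon ORDER BY db, permission_name;
DROP TABLE #anon;

-- 4. Live sessions using the login: host_name/program_name point at the double-hop
--    source (e.g. the SSRS box), and auth_scheme shows NTLM vs KERBEROS per connection.
SELECT s.session_id, s.login_time, s.host_name, s.program_name,
       s.nt_domain, s.nt_user_name, c.auth_scheme, c.client_net_address
FROM sys.dm_exec_sessions AS s
JOIN sys.dm_exec_connections AS c ON c.session_id = s.session_id
WHERE s.login_name = N'NT AUTHORITY\ANONYMOUS LOGON';
```

Step 4 only shows connections open at the moment you run it; if the anonymous connections are intermittent, a login audit or Extended Events session filtered on that login name will capture them over time.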
don-357257
Valued Member, Group: General Forum Members, Points: 72, Visits: 215
Thanks Brian, it looks like I need to do some further investigation.

Unfortunately the previous DBA has now left the company.

Being relatively new to the role myself, I need to learn more about Kerberos delegation...

I am rather worried about non-validated users having permission to read some db tables, and I can't think of what valid reasons there may be to allow this.

Presumably we have the guest user account 'if' we wanted general users to perform certain actions with the database.
Thus NT AUTHORITY\ANONYMOUS seems to be quite a security risk - though I appreciate I don't fully understand the purpose of the account, or implications of having it.

If you're able to direct me to any further reading on this topic, I would gratefully receive it :-)
K. Brian Kelley
Keeper of the Duck, Group: Moderators, Points: 25210, Visits: 1917
I have an article on here that talks about Kerberos authentication:

Configuring Kerberos Authentication

That's a good starting point to understand what is happening.

K. Brian Kelley
@kbriankelley