Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'

Question

Post reply

Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'

SQL_NuB

Hall of Fame

Points: 3666
More actions
January 7, 2010 at 7:13 am

#219078

I have 2 servers, a web server and my SQL db server. One my db server I'm getting the following error message in the event viewer every second. The actual error message is:
Event ID: 18456
Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'. [CLIENT: xx.xxx.x.xxx]
My question is, is the client IP address, is that the server that the ID is trying to connect or trying to connect to my db server from?
In my troubleshooting, I shut down all of my web sites on my web server, however the error message still popped up every second. How can I figure out what app is even trying to connect?

Viewing 15 posts - 1 through 15 (of 15 total)

You must be logged in to reply to this topic. Login to reply

Shawn Melton SSC-Insane Points: 24685 More actions · Answer 1

The IP in the error would be the source the connection attempt is coming from.

Shawn Melton
Twitter: @wsmelton
Blog: wsmelton.github.com
Github: wsmelton

SQL_NuB Hall of Fame Points: 3666 More actions · Answer 2

OK, however, I shut down all of the web sites on my web server and the error is still popping up.

Shawn Melton SSC-Insane Points: 24685 More actions · Answer 3

Try stopping the Application Pools associated with each web site.

Shawn Melton
Twitter: @wsmelton
Blog: wsmelton.github.com
Github: wsmelton

SQL_NuB Hall of Fame Points: 3666 More actions · Answer 4

did that as well as stopping all of the web sites and the error is still popping up on my db server

the error is appearing every minute to the second

Shawn Melton SSC-Insane Points: 24685 More actions · Answer 5

well since all the sites are stopped, try stopping IIS services. If that error still occurs, I would check the default trace file to see if it may show something more detailed.

Shawn Melton
Twitter: @wsmelton
Blog: wsmelton.github.com
Github: wsmelton

SQL_NuB Hall of Fame Points: 3666 More actions · Answer 6

did that, as well as a sql trace and that didn't show me anything out of the ordinary. All of the ID's were coming from web sites on a different web server and nothing was coming from the server with the IP address defined in the error message

Shawn Melton SSC-Insane Points: 24685 More actions · Answer 7

What is the message in the log prior to the Login failed?

Shawn Melton
Twitter: @wsmelton
Blog: wsmelton.github.com
Github: wsmelton

SQL_NuB Hall of Fame Points: 3666 More actions · Answer 8

the message in the event viewer?

(i had a moment)

here is what is right before the login error happens:

2010-01-07 00:02:48.46 spid51 Using 'xpsqlbot.dll' version '2005.90.3042' to execute extended stored procedure 'xp_qv'. This is an informational message only; no user action is required.

2010-01-07 00:02:50.23 spid51 Using 'xpstar90.dll' version '2005.90.3310' to execute extended stored procedure 'xp_instance_regread'. This is an informational message only; no user action is required.

2010-01-07 00:02:51.35 spid51 Using 'xplog70.dll' version '2005.90.3042' to execute extended stored procedure 'xp_msver'. This is an informational message only; no user action is required.

2010-01-07 00:03:29.48 Logon Error: 18456, Severity: 14, State: 11.

2010-01-07 00:03:29.48 Logon Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'. [CLIENT: xx.xxx.x.xxx]

Shawn Melton SSC-Insane Points: 24685 More actions · Answer 9

Well...there is something running on that server (CLIENT: xx.xx.xx.xx) that's trying to connect, at least from that error message. I am at bit of a loss on advice to give you in figuring it out.

You could viewing the services console on that client to see if any of the services that are "started" are using that username. Then view task manager to see if that username beside any process running.

Shawn Melton
Twitter: @wsmelton
Blog: wsmelton.github.com
Github: wsmelton

SQL_NuB Hall of Fame Points: 3666 More actions · Answer 10

I'm at a loss myself with this. I've stopped IIS, stopped all sites, stopped all web related services on my web server in general, but yet it's still happening. This one has my "scratching my head" that's for sure

SQL_NuB Hall of Fame Points: 3666 More actions · Answer 11

[bump]

I found the issue, it was a Dundas Service that someone installed and was running on the web server that was using the wrong ID and PWD.

Gift Peddie SSC Guru Points: 73570 More actions · Answer 12

SQL_NuB (1/7/2010)
[bump]
I found the issue, it was a Dundas Service that someone installed and was running on the web server that was using the wrong ID and PWD.

Are you sure it is Dundas Service? This error is related to the Asp.net runtime permissions so if it is related to Dundas Service then it maybe running with the Asp.net runtime account. The reason is double hop when the web server and SQL Server are in separate boxes, in forms authentication enabling impersonation in IIS will fix it and in Windows authentication authorization section will fix it.

Kind regards,
Gift Peddie

SQL_NuB Hall of Fame Points: 3666 More actions · Answer 13

yes, as soon I stopped the dundas service that connects to SQL, the error stopped, once I started it up again, the error started again.

Gift Peddie SSC Guru Points: 73570 More actions · Answer 14

SQL_NuB (1/7/2010)
yes, as soon I stopped the dundas service that connects to SQL, the error stopped, once I started it up again, the error started again.

Then it must be running with the Asp.net runtime, this may cause some problems for you if the application scales.

Kind regards,
Gift Peddie