Forum Discussion
AndreUys
May 21, 2022 | Copper Contributor
IIS strange NT AUTHORITY\ANONYMOUS LOGON with Chrome browsers
I need some help troubleshooting why, when using a Chrome browser, users get the error "Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'", while users of an Edge browser do not. I have multiple web applications hosted on that server, all intranet-based, using Windows authentication with impersonation.
Another strange observation: when Chrome users connect to the web app they receive this error; if they then open the same site in Edge, they authenticate just fine, and then on refreshing the Chrome browser they are able to authenticate in Chrome....
I have a few users that can't connect in either browser.
Here is my configuration. Using IIS 10 and SQL Server. The app and db servers have Kerberos enabled using a service account.
Some key IIS settings:
App Pool - V4.0 Classic using service account, provisioned for Kerberos. Load user Profile is set to False
Authentication: (The following are enabled)
- ASP.NET Impersonation - Identity to Impersonate - Authenticated User
- Windows Authentication
  - Advanced Settings
    - Accept Extended Protection and Enable Kernel-mode auth
  - Providers set to Negotiate then NTLM
App Settings:
- system.webServer/security/authentication/windowsAuthentication
  - authPersistSingleRequest = False
  - Enabled = True
  - useAppPoolCredentials = True
  - userKernelMode = True
Any guidance greatly appreciated.
Andre
Full Error:
Server Error in '/' Application.
Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.Data.SqlClient.SqlException: Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.
Source Error:
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
Stack Trace:
Version Information: Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.7.3770.0
- AndreUys (Copper Contributor)
Found something on this today and tested on my machine with success. Will have a few others in my organization test before I confirm this.
We previously whitelisted our domain using the registry key Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome with the AuthNegotiateDelegateWhitelist value *.mycompanyname.com.
Google changed WhiteList to AllowList; see the article https://support.google.com/chrome/a/answer/7679408#noNonIncl
Replacing AuthNegotiateDelegateWhitelist with AuthNegotiateDelegateAllowlist seems to solve the problem.
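
The rename described in the reply above, as an added example that is not part of the original thread: a PowerShell function that finds the deprecated Chrome policy value under the key from the post and copies it to the new name. It assumes the value was set directly in the registry rather than pushed by Group Policy; the function name `Update-ChromeAuthPolicy` is hypothetical, and the `AuthServerWhitelist` to `AuthServerAllowlist` pair is included as a generalization beyond the post.

```powershell
# Added example (not from the thread). Function name is hypothetical.
function Update-ChromeAuthPolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Policy key named in the post.
        [string]$Key = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
    )

    # Deprecated name -> current name. The first pair is from the post; the
    # second is the sibling policy renamed alongside it (generalization).
    $renames = [ordered]@{
        'AuthNegotiateDelegateWhitelist' = 'AuthNegotiateDelegateAllowlist'
        'AuthServerWhitelist'            = 'AuthServerAllowlist'
    }

    if (-not (Test-Path -Path $Key)) {
        Write-Warning "Chrome policy key not found: $Key"
        return
    }

    $props = Get-ItemProperty -Path $Key

    foreach ($old in $renames.Keys) {
        $new      = $renames[$old]
        $oldValue = $props.$old
        if ($null -eq $oldValue) { continue }   # deprecated name is not set

        # Never overwrite a differing value that already uses the new name.
        $newValue = $props.$new
        if ($null -ne $newValue -and $newValue -ne $oldValue) {
            Write-Warning "$new is already '$newValue'; leaving $old ('$oldValue') for manual review."
            continue
        }

        # Delegation forwards the user's Kerberos credentials to matching
        # servers, so refuse to carry over a bare '*' entry.
        if ($old -like '*Delegate*' -and ($oldValue -split ',').Trim() -contains '*') {
            Write-Warning "$old contains a bare '*'; scope it to specific hosts first."
            continue
        }

        if ($PSCmdlet.ShouldProcess("$Key\$new", "Set to '$oldValue' and remove $old")) {
            Set-ItemProperty -Path $Key -Name $new -Value $oldValue -Type String
            Remove-ItemProperty -Path $Key -Name $old
        }
    }
}

Update-ChromeAuthPolicy -WhatIf   # dry run: reports what would change
```

Drop `-WhatIf` and run from an elevated session to apply the change.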