SQL-SQL linked server connections and distributed query execution fails due to an error message NT AUTHORITY\ANONOYMOUS LOGON after installing Windows security patches that are released in March 2019
SQL linked server connection initiated from a client application that runs on a different (third server) machine which is different than two SQL Server machines that are part of the linked server or its “double-hop” scenario
The SQL Servers Kerberos configuration and delegation settings are as expected and used to work without issues
Either intermittent failures or works until the Kerberos ticket life time expires. For e.g. 10 hours.
Issue started occurring after applying recent windows security patches that are released in the month of March 2019
Microsoft Windows team is working on releasing a fix and will provide an update in an upcoming release.
The following are the workarounds to mitigate the issue scenario
Purge the Kerberos tickets on the application server. The Kerberos tickets need to be purged before the ticket expiration. One of the ways to automate, setup a scheduled task on the application servers to purge the Kerberos tickets for every few hours are before the Kerberos token expires.
Some customer had to uninstall all the windows security patches that are released in the month of March 2019 from the SQL Server machines and reboot the machines
If issue still happens even after uninstalling the windows security patches, restart the application server or the application that opens SQL-SQL linked server connection. e.g. Restart the IIS or the application pool that access SQL Server or the application which can be windows service, console or client / server application