Home
Microsoft

Symptoms

  • SQL-SQL linked server connections and distributed query execution fails due to an error message NT AUTHORITY\ANONOYMOUS LOGON after installing Windows security patches that are released in March 2019
  • SQL linked server connection initiated from a client application that runs on a different (third server) machine which is different than two SQL Server machines that are part of the linked server or its “double-hop” scenario
  • The SQL Servers Kerberos configuration and delegation settings are as expected and used to work without issues
  • Either intermittent failures or works until the Kerberos ticket life time expires. For e.g. 10 hours.
  • Issue started occurring after applying recent windows security patches that are released in the month of March 2019

 

Cause(s)

https://support.microsoft.com/en-us/help/4489878  - March 12, 2019—KB4489878 (Monthly Rollup) 

 



Resolution

  • Microsoft Windows team is working on releasing a fix and will provide an update in an upcoming release.
  • The following are the workarounds to mitigate the issue scenario
    1. Purge the Kerberos tickets on the application server. The Kerberos tickets need to be purged before the ticket expiration.  One of the ways to automate, setup a scheduled task on the application servers to purge the Kerberos tickets for every few hours are before the Kerberos token expires.
    2. Uninstall KB 4489878
    3. Some customer had to uninstall all the windows security patches that are released in the month of March 2019 from the SQL Server machines and reboot the machines
    4. If issue still happens even after uninstalling the windows security patches, restart the application server or the application that opens SQL-SQL linked server connection. e.g.  Restart the IIS or the application pool that access SQL Server or the application which can be windows service, console or client / server application
    5. For more information please review 4489878