Microsoft KB Archive/925843

= FIX: Error message when you use the SQL Server Native Client provider to run queries between two linked servers in SQL Server 2005 Service Pack 1: &quot;Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'&quot; =

Article ID: 925843

Article Last Modified on 11/4/2007

-

APPLIES TO


 * Microsoft SQL Server 2005 Service Pack 1

-



Bug #: 50000288 (SQL Hotfix)

Bug #: 50000204 (SQL Hotfix)



For more information about how to resolve this issue in Microsoft SQL Server 2005, click the following article number to view the article in the Microsoft Knowledge Base:

925001 FIX: Error message when you run queries between two SQL Server 2005 linked servers: &quot;Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'&quot;

Microsoft distributes Microsoft SQL Server 2005 fixes as one downloadable file. Because the fixes are cumulative, each new release contains all the hotfixes and all the security fixes that were included with the previous SQL Server 2005 fix release.



SUMMARY
This article describes the following about this hotfix release:
 * The issues that are fixed by the hotfix package
 * The prerequisites for applying the hotfix package
 * Information about whether you must restart the computer after you apply the hotfix package
 * Information about whether the hotfix package is replaced by any other hotfix package
 * Information about whether you must make any registry changes after you apply the hotfix package
 * The files that are contained in the hotfix package



SYMPTOMS
In Microsoft SQL Server 2005 Service Pack 1 (SP1), you use the SQL Server Native Client provider to run queries between two SQL Server 2005 linked servers. After you do this, you may receive the following error message:

Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'

You receive this error message if the following conditions are true:
 * You use the TCP/IP protocol.
 * You enable Kerberos authentication for the connection between the linked computers.

Typically, all other queries in the session fail and you receive the same error message. This problem continues until the source SQL Server service is restarted.

Notes
 * You cannot run the DBCC FREESESSIONCACHE statement to resolve this problem.
 * This article discusses one possible cause of this error message. The hotfix that is mentioned in this article will only resolve this problem if your scenario is identical to the scenario that is described here.



CAUSE
This problem occurs because of a problem in the SQL Server Native Client provider. The handles that the Kerberos connection creates to some connection modules are prematurely released.



Service pack information
To resolve this problem, obtain the latest service pack for SQL Server 2005. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

913089 How to obtain the latest service pack for SQL Server 2005

Hotfix information
A supported hotfix is now available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next service pack that contains this hotfix.

To resolve this problem, submit a request to Microsoft Online Customer Services to obtain the hotfix. To submit an online request to obtain the hotfix, visit the following Microsoft Web site:

http://go.microsoft.com/?linkid=6294451

Note If additional issues occur or any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. To create a separate service request, visit the following Microsoft Web site:

http://support.microsoft.com/contactus/?ws=support

Prerequisites
You must have SQL Server 2005 Service Pack 1 (SP1) installed to apply this hotfix.

For more information about how to obtain SQL Server 2005 Service Pack 1, click the following article number to view the article in the Microsoft Knowledge Base:

913089 How to obtain the latest service pack for SQL Server 2005

Restart information
You do not have to restart the computer after you apply this hotfix.

Registry information
You do not have to change the registry.

Hotfix file information
This hotfix contains only those files that are required to correct the issues that this article lists. This hotfix may not contain of all the files that you must have to fully update a product to the latest build.

The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.

Microsoft SQL Server 2005, x86


WORKAROUND
To work around this problem, configure the connection between the two SQL Server linked servers to use the Named Pipes protocol instead of the TCP/IP protocol. The Named Pipes protocol does not use Kerberos authentication at the SQL Server level. To configure the connection, follow these steps.

Note In these steps, the source server name is Server1, and the target server name is Server 2.  Make sure that the Named Pipes protocol is enabled on both linked servers.

To determine whether the Named Pipes protocol is enabled on both linked servers, run the following command at a command prompt on the source computer that is running SQL Server:

Sqlcmd –E –Snp:Server2

If this command fails, the Named Pipes protocol is probably not enabled on one or both of the SQL Server linked servers. To enable the Named Pipes protocol, use SQL Server Configuration Manager. If the command in step 1 succeeds, use one of the following methods:  Drop the existing linked server configuration. Create a new linked server configuration that uses a different name and the Named Pipes protocol. On Server 1, execute the following statements to configure a linked server that uses the Named Pipes protocol to connect to Server2:

EXEC sp_addlinkedserver @server='Server2', @srvproduct='', @provider='SQLNCLI', @datasrc='np:Server2', @provstr='Integrated Security=SSPI'

</ul> </li> On Server 1, open SQL Server Management Studio, and then create a new query.</li>  In the query window, run the following linked server query against Server2 to determine whether the Named Pipes protocol is used:

select net_transport, auth_scheme from Server2.master.sys.dm_exec_connections where session_id=@@spid

If the Named Pipes protocol is being used, you receive the following result: <pre class="fixed_text">net_transport     auth_scheme -      --- Named pipe      NTLM </li></ol>

<div class="status_section">

STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the&quot;Applies to&quot; section. This problem was first corrected in SQL Server 2005 Service Pack 2.

<div class="references_section">