Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON' RRS feed


All replies

  • Hi Igor.

    I have seen people with issues like this before, what they found out was that using foundation and external content types, requires that the external SQL resides on the same server. Else, you would have to use kerberos to be able to do the multi hop to the data source(I think that was the reason).

    Do a quick search and you will find that examples using BCS and Foundation has SQL on the same server.

    DOn't know if this will help you, but I think that this is what you are facing.


    Thomas Balkeståhl - Technical Specialist - SharePoint -
    Download the SharePoint Branding Project here

    Friday, May 4, 2012 12:30 PM
  • Hi, You may refer this link

    It may help you

    Satyam MCITP, MCPD

    Friday, May 4, 2012 1:03 PM
  • Hi Igor,

    This is what happens if you try to use pass-through authentication  and the database is on a separate server, and you are using NTLM.

    With pass-through you are asking BCS to use the identity of the currently logged-in user to talk to the database (or other external system). This is not a bad strategy if you are giving individual users access to your database. The problem arises if the database is on another machine, because NTLM doesn't have the ability to pass the identity on (a process called delegation) and will instead try to connect to the back-end system anonymously. This is commonly known as the "double-hop problem".

    There are a couple of ways around this. One is to implement Kerberos (Configure Kerberos authentication for SharePoint 2010 Products (white paper)), which is nothing like as difficult to configure as some people suggest. But it isn't trivial. The other option is to use impersonation by making use of the Secure Store Service. The Secure Store Service can be configured either to cache a user's credentials (which means they will have to enter them again at some point when prompted), or you can configure a database access account and allow a group of users to use this account. The drawback of this second method is that you lose the audit trail of who did what in the database.

    If you have created the BCS through the Visual Studio then DLL interfaces work like a back end for Business Connectivity Services, thus the actual the back end is completely abstracted from the Business Connectivity Services stack. Because the .NET Framework assembly DLL is loaded in process with Business Connectivity Services, there are no security requirements. It is always considered as "Passthrough". Please take a look at this article Differences Between Using the .NET Assembly Connector and Writing a Custom Connector

    So I would suggest you to use Secure Store Services. Please take a look at these articles:


    Lightning Tools LogoLightning Tools Check out our SharePoint tools and web parts | Lightning Tools Blog

    Saturday, May 5, 2012 11:38 AM
  • Hello Dmitry,

    Thanks a lot for your response. I found it very helpful. I have a few questions:

    1. As far as I understand you recommend to use Secure Store Services instead of Kerberos authentication which is very difficult to configure.

    2. On my SharePoint Foundation 2010, I did not find Secure Store Service (I went to "Manage services on server"). How can I get this service running on my server?

    Thanks a lot,


    Monday, May 7, 2012 12:48 PM
  • Hi Igor.

    Unfortunately, the Secure Store Service Application is a SharePoint Server 2010 Standard feature. For reference, see:

    Compare SharePoint Editions

    Besides that, I think that once you get to know Kerberos, its not all that bad :-)


    Thomas Balkeståhl - Technical Specialist - SharePoint -
    Download the SharePoint Branding Project here

    • Marked as answer by Sally Tang Monday, May 14, 2012 1:46 AM
    Monday, May 7, 2012 12:56 PM