Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'. Reason: Token-based server access validation failed

Question

As the title states, I'm getting the following error when attempting to use a ASP.NET webapp:

Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'. Reason: Token-based server access validation failed with an infrastructure error. Check for previous errors. [CLIENT: 192.168.x.x]

This is from the "Application" log on the SQL server. I currently have a clustered setup (using Microsoft Failover Cluster) although the second node has not been configured yet. I've tried configuring SPNs:

setspn -L myserviceaccount

Registered ServicePrincipalNames for <DN>:
        MSSQLSvc/*SQL.corp.*.local:1433
        MSSQLSvc/*SQL.corp.*.local

And indeed, SQL Server does register it correctly as per its logs:

Message The SQL Server Network Interface library successfully registered the Service Principal Name (SPN) [ MSSQLSvc/my.sql.fqdn ] for the SQL Server service.

However, the query SELECT auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@spid ; returns NTLM and not Kerberos. I've restarted the server a few times to no avail. SQL Server runs under a domain user account with the appropriate delegation privileges.

Am I missing something?

UPDATE:

I was successfully able to get the SQL Server to use "Kerberos" as per the above query, but I'm still having no luck getting the IIS level to work.

Answer 1

This is known as the "double hop" issue between SQL Server and IIS. It looks like you may not have trusted the IIS server for delegation.

Here's a good checklist of things to do when setting up SQL Server with IIS using Kerberos.

Here's a great primer on the condition. The anonymous login is a give-away of the problem.