UserLock Frequently Asked Questions
Web Console - "ERROR  (...) Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.
When displaying the UserLock Web Console, instead of having data displayed, the following error message appears: ERROR  [Microsoft] [ODBC SQL Server Driver] [SQL Server] Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'
This message is displayed because UserLock service connects to the database with Windows authentication, the UserLock SQL Server database is hosted on a different server than the IIS Server hosting the Web Console, and the Delegation is not enabled on the IIS server to authenticate correctly to the database server.
Note: If the account running SQL is of type Managed Service Account, this procedure will not work. The only solution in this case is to change the configuration of the UserLock service to connect to the database using SQL authentication.
Here is the procedure to configure the Delegation.
Open the Windows Services Console on the Database server to identify which account is defined on the SQL Server service.
In our example here the server hosting the SQL Server database is named VES2.VDE.intra and the SQL Server Service is running as "VDE\SQLServerSvc" on the port 1433.
Still on the server hosting the SQL Server database, it's necessary to create a SPN for the SQL Server instance. This can be achieved thanks a command line using this syntax:
Setspn -A MSSQLSvc/[ServerName]:[PORT] [AccountName]
Which corresponds in our example:
Setspn -A MSSQLSvc/VES2.VDE.intra:1433 VDE\SQLServerSvc
Once the SPN is created for the service name, the delegation for the IIS server hosting the UserLock Web console needs to be enabled in Active Directory.
Open the Active Directory Users and Computers management console. Select the IIS server hosting UserLock Web console and display its Properties.
In our example this server is named VES1.
In the Delegation tab, switch the option to "Trust this computer for delegation to specified services only" and adjust the sub option to "Use any authentication protocol". Then click "Add..." to register the SQL Server service.
In the "Add Services" window, click on "Users or Computers..." and enter the name of the SQL Server service for which we have previously defined a SPN. Click on "Check Names" and then "OK".
This new entry will be now listed. Select its corresponding line and click "OK".
Validate by clicking "OK" or "Apply".
The UserLock Web Console should now be able to retrieve all information from the database.