Tags: asp.net, sql-server, iis, active-directory, webforms

IIS "Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'" SQL connection error, but only for 1 user


I have an ASP.NET web forms site running on an IIS server that is accessing a SQL Server database on another server. The site is working properly for all existing users, but when we tried to give one user access to the site, he is receiving the:

SqlException (0x80131904): Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'

error when the site attempts to connect to the SQL server.

The site is using Windows Authentication and Impersonation. I gave read and write permissions to the new user on the SQL database. All users as well as the IIS and SQL servers are all on the same domain. When the new user attempts to access the site, he is able to see the site, and the site lists his Windows username (i.e. "Hello JohnS!") so it appears his Windows credentials are getting passed to the IIS server properly. When he navigates to the home page of the site, it loads, but he gets a popup stating the above error. If he then clicks "Ok" and navigates to another page that has a grid with data from the database, he then gets the yellow:

Server Error in '/WebSite' Application

error message with more details including a stacktrace. The stacktrace just indicates it is an error when attempting to retrieve data from the SQL server. This user is able to connect to the SQL database from his computer using SSMS.

The site works properly for all other users, so I do not think there is an issue with the configuration of the site, maybe something in the config for his specific AD account. I started researching "double hop" and Kerberos authentication issues, but if either of these were the issue, wouldn't this affect all users, not just one? I'm at a loss for what to try next.

EDIT: I have involved our Domain Administrator now. He has started digging into this and has discovered something even weirder. He (the Domain Admin) is able to connect to the site without errors using his account on a Windows 10 machine. Using the same account on a Windows 11 machine, he gets the same error message above. I know the issue is not related to the Windows 11 operating system because I do not get the error on my Windows 11 machine. The Domain Admin seems to think the issue is related to Kerberos vs NTLM, and is investigating this further.


Solution

  • It turns out it was a "double hop" issue and Windows Credential Guard on the user's computer was blocking the second hop. Credential Guard is enabled by default on some new Windows 11 installations. This explains why the Domain Admin was getting the error on his Windows 11 machine. When we disabled Credential Guard on the problematic user's computer, everything worked as expected.
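The two checks below are an added diagnostic, not part of the original question or answer. They confirm the diagnosis described in the solution before anything is changed: the first reports whether Credential Guard is actually running on the client machine that gets the 'ANONYMOUS LOGON' error, and the second asks SQL Server which authentication scheme a direct connection from that machine negotiated (a direct client-to-SQL connection is a single hop, which is why SSMS worked for the affected user). The instance name `SQLSERVER01` is a placeholder; nothing here is taken from the poster's environment.

```powershell
# Added diagnostic (not from the original post). Run on the client machine that
# receives the 'NT AUTHORITY\ANONYMOUS LOGON' error.

function Get-CredentialGuardState {
    # Win32_DeviceGuard lives in the DeviceGuard WMI namespace. In the
    # SecurityServicesConfigured / SecurityServicesRunning arrays, 1 means
    # Credential Guard and 2 means HVCI (memory integrity).
    $dg = Get-CimInstance -ClassName Win32_DeviceGuard `
                          -Namespace 'root\Microsoft\Windows\DeviceGuard'
    [pscustomobject]@{
        CredentialGuardConfigured = ($dg.SecurityServicesConfigured -contains 1)
        CredentialGuardRunning    = ($dg.SecurityServicesRunning    -contains 1)
        # 0 = VBS off, 1 = configured but not running, 2 = running
        VbsStatus                 = $dg.VirtualizationBasedSecurityStatus
    }
}

function Get-SqlAuthScheme {
    # Opens a connection as the current Windows identity and reports how SQL
    # Server authenticated this session: KERBEROS, NTLM or SQL.
    param([string]$Instance = 'SQLSERVER01')   # placeholder instance name
    $cs   = "Server=$Instance;Database=master;Integrated Security=SSPI;"
    $conn = New-Object System.Data.SqlClient.SqlConnection $cs
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = 'SELECT auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@SPID'
        return [string]$cmd.ExecuteScalar()
    }
    finally {
        $conn.Dispose()
    }
}

Get-CredentialGuardState | Format-List
"Auth scheme for a direct (single-hop) connection: $(Get-SqlAuthScheme)"
```

If `CredentialGuardRunning` is `True` on the failing machine and `False` on a working one, that matches the solution above. The direct connection will normally show KERBEROS from a domain-joined client; if it shows NTLM, the SQL Server SPN is worth checking, because the second hop from IIS to SQL needs Kerberos regardless of Credential Guard. Credential Guard blocks NTLM credential forwarding and Kerberos unconstrained delegation but still allows Kerberos constrained delegation, so configuring constrained delegation for the IIS application pool account to the SQL Server SPN is the alternative that keeps Credential Guard enabled on client machines.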