The error Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON' between an app server and a remote SQL Server is an authentication/delegation problem, typically involving NTLM vs. Kerberos, SPNs, or loopback protection.
Troubleshooting and fixes depend on the scenario:
- Check for double-hop / delegation issues
  When credentials must be delegated across multiple computers (for example: client → app server → SQL Server), Kerberos delegation must be correctly configured. If delegation fails, SQL Server sees NT AUTHORITY\ANONYMOUS LOGON. Actions:
  - Verify Service Principal Names (SPNs) for the SQL Server service and the app server service accounts.
  - Use tools such as SQLCheck and follow these guides to diagnose and fix delegation/SPN issues:
  - Ensure accounts used for delegation are not marked as Sensitive account in Active Directory and that constrained delegation targets include the SQL Server SPN if constrained delegation is used.
- Fix SPN problems when no double-hop is involved
  If the app server connects directly to SQL Server (no further hop) but SQL Server still logs ANONYMOUS LOGON, the Kerberos handshake may be failing and falling back to NTLM due to SPN issues. Actions:
  - Use SQLCheck or Setspn.exe to verify:
    - Required SPNs exist for the SQL Server service.
    - No duplicate SPNs exist.
    - SPNs are registered on the correct service account.
  - Review and correct SPNs as needed.
  - Optionally use Kerberos Configuration Manager for SQL Server to help detect and fix SPN-related issues.
- Address loopback protection issues (same machine or Always On listener)
  If the app and SQL Server are on the same machine, or the app connects to an Always On listener from the primary node, loopback protection can cause NTLM-based connections to fail and appear as ANONYMOUS LOGON. Actions:
  - Configure one of the following registry keys on the server (preferred: BackConnectionHostNames):
    - DisableLoopbackCheck
    - BackConnectionHostNames
  - For Always On listeners, add the listener NETBIOS name and FQDN to BackConnectionHostNames on all nodes in the Availability Group.
  - See the linked article on loopback protection for exact registry steps and risks.
- Check LANMAN compatibility level / NTLM vs Kerberos
  In mixed environments (older pre–Windows Server 2008 and newer servers), LAN Manager compatibility settings can block NTLMv2 or cause mismatches. Actions:
  - Set LANMAN compatibility level to 5 on all computers to disallow NTLMv1 and align authentication.
  - Prefer switching to Kerberos authentication where possible to avoid LANMAN/NTLM issues.
- Linked server specific case
  If the app server is actually SQL Server using a linked server to another SQL Server and you see ANONYMOUS LOGON, the linked server security mapping may be wrong. Actions:
  - In the linked server’s Security page, avoid "Be made without using a security context" (this leads to NT AUTHORITY\ANONYMOUS LOGON).
  - Use "Be made with this security context" and supply a valid SQL login, or configure proper Windows authentication/delegation.
- Other delegation-related causes
  Additional AD and service configuration issues can cause this error:
  - Sensitive account: If the account is marked as sensitive, it cannot be delegated in double-hop scenarios.
  - Not a constrained target: If constrained delegation is enabled but the SQL Server SPN is not listed as an allowed target, Kerberos will fail.
  - Per-Service-SID: This can limit local connections to NTLM and prevent further delegation.
In practice, start by identifying the pattern:
- If the error appears only when there is a hop (client → app → SQL), focus on SPNs and Kerberos delegation configuration.
- If it appears on same-machine or Always On listener connections, configure loopback protection (BackConnectionHostNames).
- If it appears only for linked servers, correct the linked server security mapping.
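
An added example, not part of the original page or of any Microsoft tool: it applies the three SPN checks listed above (SPN exists, no duplicates, registered on the correct service account) to saved `setspn -L` output. The host names, account names and the expected-SPN list are constructed assumptions; which SPNs an instance needs depends on its port and instance name.

```python
import re
from collections import defaultdict

# Constructed sample in the layout `setspn -L <account>` prints; every name is made up.
SAMPLE = """\
Registered ServicePrincipalNames for CN=svc-sql,OU=Service Accounts,DC=corp,DC=example:
    MSSQLSvc/sql01.corp.example:1433
    MSSQLSvc/sql01.corp.example
Registered ServicePrincipalNames for CN=SQL01,CN=Computers,DC=corp,DC=example:
    MSSQLSvc/SQL01.corp.example:1433
    HOST/SQL01
Registered ServicePrincipalNames for CN=svc-web,OU=Service Accounts,DC=corp,DC=example:
    HTTP/app01.corp.example
"""

HEADER = re.compile(r"^Registered ServicePrincipalNames for CN=([^,]+),.*:\s*$", re.I)

def parse_setspn(text):
    """Map each SPN (lowercased, SPN matching is case-insensitive) to its owning accounts."""
    owners, account = defaultdict(set), None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            account = m.group(1).lower()
        elif line.strip() and account:
            owners[line.strip().lower()].add(account)
    return owners

def audit(text, expected_spns, service_account):
    """Apply the three checks: SPN exists, is not duplicated, sits on the right account."""
    owners, findings = parse_setspn(text), []
    for spn in (s.lower() for s in expected_spns):
        accounts = sorted(owners.get(spn, ()))
        if not accounts:
            findings.append(("missing", spn, accounts))
        elif len(accounts) > 1:
            findings.append(("duplicate", spn, accounts))
        elif accounts != [service_account.lower()]:
            findings.append(("wrong-account", spn, accounts))
    return findings

# Assumed setup: default instance on TCP 1433 running as the hypothetical account svc-sql.
EXPECTED = ["MSSQLSvc/sql01.corp.example:1433", "MSSQLSvc/sql01.corp.example"]

if __name__ == "__main__":
    for kind, spn, accounts in audit(SAMPLE, EXPECTED, "svc-sql"):
        print(f"{kind:<14}{spn}  held by: {', '.join(accounts) or '-'}")
```

In the sample, the port-qualified SPN is held by both the service account and the computer account, the duplicate condition that makes Kerberos fail and the connection fall back to NTLM.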