Sometimes when trying to access a linked server, you’d get an error saying “Login failed for user NT AUTHORITY\ANONYMOUS LOGON”.
This happens because you’re connected using Windows authentication, and SQL Server fails to “forward” your credentials to the linked server.
To check if SQL is using Kerberos:
USE [master]
GO
SELECT s.session_id, s.original_login_name, c.net_transport, c.auth_scheme, c.local_net_address, c.local_tcp_port, s.program_name
FROM sys.dm_exec_sessions s
LEFT OUTER JOIN sys.dm_exec_connections c on s.session_id = c.session_id
WHERE s.is_user_process = 1
To determine the authentication method of a connection, execute the following query:
SELECT net_transport, auth_scheme
FROM sys.dm_exec_connections
WHERE session_id = @@SPID;
Validating Authentication Properties Used by Connections
USE [master]
GO
SELECT COUNT(auth_scheme) as sessions_count, net_transport, auth_scheme
FROM sys.dm_exec_connections
GROUP BY net_transport, auth_scheme
To resolve this:
- Both SQL Servers and the Client must be in the same Domain
- Both SQL Servers must be able to register SPNs (Service Principal names)