SQL Server JDBC with Krb5LoginModule fails on the server db with the error "Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'"

Question (votes: 0, answers: 1)

I am having trouble connecting to SQL Server with JDBC using Kerberos authentication and Krb5LoginModule (not sqljdbc_auth.dll).

During the connection the client ticket is generated successfully, but on the server database there is the error "Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'. Reason: Token-based server access validation failed with an infrastructure error. Check for previous errors. [CLIENT: client IP address]". The previous error is:

Logon Error: 18456, Severity: 14, State: 11.

The trace is:

окт 11, 2019 1:22:13 PM com.microsoft.sqlserver.jdbc.KerbAuthentication intAuthHandShake
FINER: com.microsoft.sqlserver.jdbc.KerbAuthentication@cc285f4 Sending token to server over secure context
Entered Krb5Context.initSecContext with state=STATE_IN_PROCESS
> > > EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
Krb5Context setting peerSeqNumber to: 1016566382
окт 11, 2019 1:22:13 PM com.microsoft.sqlserver.jdbc.KerbAuthentication intAuthHandShake
FINER: com.microsoft.sqlserver.jdbc.KerbAuthentication@cc285f4Authentication done.
окт 11, 2019 1:22:13 PM com.microsoft.sqlserver.jdbc.TDSParser parse
FINEST: TDSReader@2 (ConnectionID:1 ClientConnectionId: 31bfd60f-782e-4302-ba13-f0cae1e93d25): logon: Processing EOF
окт 11, 2019 1:22:13 PM com.microsoft.sqlserver.jdbc.TDSCommand startRequest
FINEST: TDSCommand@cb5822 (logon): starting request...
окт 11, 2019 1:22:13 PM com.microsoft.sqlserver.jdbc.TDSWriter writeBytes
FINEST: TDSWriter@30dae81 (ConnectionID:1) Writing 8 bytes
окт 11, 2019 1:22:13 PM com.microsoft.sqlserver.jdbc.TDSCommand onRequestComplete
FINEST: TDSCommand@cb5822 (logon): request complete
окт 11, 2019 1:22:13 PM com.microsoft.sqlserver.jdbc.TDSChannel logPacket
FINEST: /10.0.0.135:54148 SPID:54 TDSReader@2 (ConnectionID:1 ClientConnectionId: 31bfd60f-782e-4302-ba13-f0cae1e93d25) received Packet:2 (166 bytes)
04 01 00 AE 00 36 01 00 AA 96 00 18 48 00 00 01   .....6......H...
0E 35 00 4C 00 6F 00 67 00 69 00 6E 00 20 00 66   .5.L.o.g.i.n. .f
00 61 00 69 00 6C 00 65 00 64 00 20 00 66 00 6F   .a.i.l.e.d. .f.o
00 72 00 20 00 75 00 73 00 65 00 72 00 20 00 27   .r. .u.s.e.r. .'
00 4E 00 54 00 20 00 41 00 55 00 54 00 48 00 4F   .N.T. .A.U.T.H.O
00 52 00 49 00 54 00 59 00 5C 00 41 00 4E 00 4F   .R.I.T.Y.\.A.N.O
00 4E 00 59 00 4D 00 4F 00 55 00 53 00 20 00 4C   .N.Y.M.O.U.S. .L
00 4F 00 47 00 4F 00 4E 00 27 00 2E 00 0F 57 00   .O.G.O.N.'....W.
49 00 4E 00 2D 00 30 00 4B 00 4C 00 59 00 48 00   I.N.-.0.K.L.Y.H.
39 00 59 00 47 00 35 00 4E 00 36 00 00 01 00 00   9.Y.G.5.N.6.....
00 FD 02 00 00 00 00 00 00 00 00 00 00 00         ..............
окт 11, 2019 1:22:13 PM com.microsoft.sqlserver.jdbc.TDSCommand onResponseEOM
FINEST: TDSCommand@cb5822 (logon): disabling interrupts
окт 11, 2019 1:22:13 PM com.microsoft.sqlserver.jdbc.TDSReader nextPacket
FINEST: TDSReader@2 (ConnectionID:1 ClientConnectionId: 31bfd60f-782e-4302-ba13-f0cae1e93d25) Moving to next packet -- unlinking consumed packet
окт 11, 2019 1:22:13 PM com.microsoft.sqlserver.jdbc.TDSParser parse
FINEST: TDSReader@2 (ConnectionID:1 ClientConnectionId: 31bfd60f-782e-4302-ba13-f0cae1e93d25): logon: Processing TDS_ERR (0xAA)
окт 11, 2019 1:22:13 PM com.microsoft.sqlserver.jdbc.TDSReader readBytes
FINEST: TDSReader@2 (ConnectionID:1 ClientConnectionId: 31bfd60f-782e-4302-ba13-f0cae1e93d25) Reading 106 bytes from offset 11
окт 11, 2019 1:22:13 PM com.microsoft.sqlserver.jdbc.TDSReader readBytes
FINEST: TDSReader@2 (ConnectionID:1 ClientConnectionId: 31bfd60f-782e-4302-ba13-f0cae1e93d25) Reading 30 bytes from offset 118
окт 11, 2019 1:22:13 PM com.microsoft.sqlserver.jdbc.TDSParser parse
FINEST: TDSReader@2 (ConnectionID:1 ClientConnectionId: 31bfd60f-782e-4302-ba13-f0cae1e93d25): logon: Processing TDS_DONE (0xFD)
окт 11, 2019 1:22:13 PM com.microsoft.sqlserver.jdbc.TDSParser parse
FINEST: TDSReader@2 (ConnectionID:1 ClientConnectionId: 31bfd60f-782e-4302-ba13-f0cae1e93d25): logon: Processing EOF
окт 11, 2019 1:22:13 PM com.microsoft.sqlserver.jdbc.SQLServerException logException
FINE: *** SQLException: com.microsoft.sqlserver.jdbc.SQLServerException: Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'. ClientConnectionId:31bfd60f-782e-4302-ba13-f0cae1e93d25 Msg 18456, Level 14, State 1, Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'. ClientConnectionId:31bfd60f-782e-4302-ba13-f0cae1e93d25
окт 11, 2019 1:22:13 PM com.microsoft.sqlserver.jdbc.SQLServerConnection:1 close

SQL Server uses the auto-generated SPN MSSQLSvc/..., and the service logs on as Network Service (see the two screenshots in the original post).

The connection code is:

import java.sql.Connection;
import java.sql.DriverManager;

// authenticationScheme=JavaKerberos: the driver authenticates through the JAAS
// Krb5LoginModule instead of sqljdbc_auth.dll. The snippet runs inside a method
// that declares "throws SQLException".
String url = "jdbc:sqlserver://win-0klyh9yg5n6.spi.new:1433;databaseName=master;integratedSecurity=true;authenticationScheme=JavaKerberos";
System.setProperty("java.security.krb5.conf", "c:\\temp\\test\\krb5.conf");
System.setProperty("sun.security.krb5.debug", "true");
System.setProperty("java.security.auth.login.config", "c:\\temp\\test\\SQLJDBCDriver.config");
try (Connection cn = DriverManager.getConnection(url)) {
    System.out.printf("ok\n");
}

krb5.conf and SQLJDBCDriver.config are below; they seem to be fine, because I can generate a token for the SPN MSSQLSvc/WIN-0KLYH9YG5N6.SPI.NEW:1433 without any problem.

krb5.conf:

[libdefaults]
noaddresses = true
default_realm = SPI.NEW
default_tgs_enctypes = aes256-cts aes128-cts arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
default_tkt_enctypes = aes256-cts aes128-cts arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
permitted_enctypes = aes256-cts aes128-cts arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
dns_lookup_realm = true
dns_lookup_kdc = true
passwd_check_s_address = false
udp_preference_limit = 1
ccache_type = 3
kdc_timesync = 0

[domain_realm]
.SPI.NEW = SPI.NEW

[realms]
SPI.NEW = {
  kdc = SPIDC2
  admin_server = SPIDC2.SPI.NEW
  default_domain = SPI.NEW
}

SQLJDBCDriver.config is:

SQLJDBCDriver {
   com.sun.security.auth.module.Krb5LoginModule required useTicketCache=true doNotPrompt=true;
};

I can also connect to SQL Server using sqljdbc_auth.dll (authenticationScheme=Native) and check that I am connected through Kerberos (this works fine).

import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.Statement;

// authenticationScheme=NativeAuthentication by default (sqljdbc_auth.dll must be on the java.library.path);
// the snippet runs inside a method that declares "throws SQLException".
String url = "jdbc:sqlserver://win-0klyh9yg5n6.spi.new:1433;integratedSecurity=true;";
try (Connection cn = DriverManager.getConnection(url)) {
    try (Statement st = cn.createStatement()) {
        // auth_scheme tells which mechanism SQL Server actually negotiated for this session
        st.execute("select auth_scheme from sys.dm_exec_connections where session_id=@@spid");
        try (ResultSet rs = st.getResultSet()) {
            while (rs.next()) {
                Object val = rs.getObject(1);
                System.out.printf("%s\n", val); // --> result is KERBEROS
            }
        }
    }
}

db: SQL Server 2008 R2, OS: Windows Server 2008 SP2

Can you help me understand why SQL Server fails the login for the anonymous user when it receives a ticket from a concrete domain user?

Thanks.


sql-server jdbc kerberos
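The hex dump in the trace above is the raw TDS response that carries the login failure, and it holds a detail the question turns on: the ERROR token sent to the client says State 1, while the server's own log says State 11. SQL Server reports state 1 to clients for error 18456 regardless of the real cause so that an unauthenticated caller learns nothing about why it was rejected; the real state (11, token-based access validation failed) is only in the server error log, which is where the author correctly went. The decoder below, added here as an illustration and not part of the original post or of the JDBC driver, parses that packet (the bytes are copied from Packet:2 in the trace, nothing is constructed) following the MS-TDS layout: an 8-byte big-endian packet header, then little-endian ERROR (0xAA) and DONE (0xFD) tokens. It generalises slightly beyond the trace in that it walks any sequence of ERROR and DONE tokens rather than exactly this pair.

```python
"""Decode the TDS login-response packet captured in the JDBC driver trace."""
import struct

# Packet:2 (174 bytes) exactly as dumped in the trace above, header included.
TRACE_PACKET_HEX = """
04 01 00 AE 00 36 01 00 AA 96 00 18 48 00 00 01
0E 35 00 4C 00 6F 00 67 00 69 00 6E 00 20 00 66
00 61 00 69 00 6C 00 65 00 64 00 20 00 66 00 6F
00 72 00 20 00 75 00 73 00 65 00 72 00 20 00 27
00 4E 00 54 00 20 00 41 00 55 00 54 00 48 00 4F
00 52 00 49 00 54 00 59 00 5C 00 41 00 4E 00 4F
00 4E 00 59 00 4D 00 4F 00 55 00 53 00 20 00 4C
00 4F 00 47 00 4F 00 4E 00 27 00 2E 00 0F 57 00
49 00 4E 00 2D 00 30 00 4B 00 4C 00 59 00 48 00
39 00 59 00 47 00 35 00 4E 00 36 00 00 01 00 00
00 FD 02 00 00 00 00 00 00 00 00 00 00 00
"""

TOKEN_ERROR = 0xAA          # MS-TDS ERROR token
TOKEN_DONE = 0xFD           # MS-TDS DONE token
DONE_ERROR_FLAG = 0x0002    # DONE.Status bit: the request produced an error
STATUS_EOM = 0x01           # packet header status bit: end of message


def parse_header(data):
    """Return (type, status, total_length, spid) from the 8-byte TDS header (big-endian)."""
    ptype, status, length, spid = struct.unpack(">BBHH", data[:6])
    return ptype, status, length, spid


def _read_us_varchar(payload, pos):
    """US_VARCHAR: 2-byte little-endian character count, then UCS-2 LE text."""
    (count,) = struct.unpack_from("<H", payload, pos)
    pos += 2
    return payload[pos:pos + 2 * count].decode("utf-16-le"), pos + 2 * count


def _read_b_varchar(payload, pos):
    """B_VARCHAR: 1-byte character count, then UCS-2 LE text."""
    count = payload[pos]
    pos += 1
    return payload[pos:pos + 2 * count].decode("utf-16-le"), pos + 2 * count


def parse_tokens(payload):
    """Walk the token stream that follows the header; only ERROR and DONE are decoded."""
    tokens = []
    pos = 0
    while pos < len(payload):
        token = payload[pos]
        pos += 1
        if token == TOKEN_ERROR:
            (length,) = struct.unpack_from("<H", payload, pos)
            pos += 2
            start = pos
            number, state, severity = struct.unpack_from("<IBB", payload, pos)
            pos += 6
            message, pos = _read_us_varchar(payload, pos)
            server, pos = _read_b_varchar(payload, pos)
            procedure, pos = _read_b_varchar(payload, pos)
            (line,) = struct.unpack_from("<I", payload, pos)  # 4-byte LineNumber (TDS 7.2+)
            pos += 4
            if pos - start != length:
                raise ValueError("ERROR token length %d does not match body %d" % (length, pos - start))
            tokens.append({"token": "ERROR", "number": number, "state": state,
                           "severity": severity, "message": message,
                           "server": server, "procedure": procedure, "line": line})
        elif token == TOKEN_DONE:
            status, curcmd, rowcount = struct.unpack_from("<HHQ", payload, pos)  # 8-byte rowcount (TDS 7.2+)
            pos += 12
            tokens.append({"token": "DONE", "status": status, "curcmd": curcmd,
                           "error": bool(status & DONE_ERROR_FLAG), "rowcount": rowcount})
        else:
            raise ValueError("unexpected token 0x%02X at offset %d" % (token, pos - 1))
    return tokens


def decode_trace_packet(hexdump=TRACE_PACKET_HEX):
    """Decode a hex dump of one TDS packet into header fields plus its tokens."""
    data = bytes.fromhex("".join(hexdump.split()))
    ptype, status, length, spid = parse_header(data)
    if length != len(data):
        raise ValueError("header says %d bytes, dump has %d" % (length, len(data)))
    return {"type": ptype, "eom": bool(status & STATUS_EOM), "spid": spid,
            "tokens": parse_tokens(data[8:])}


if __name__ == "__main__":
    packet = decode_trace_packet()
    print("SPID %d, end of message: %s" % (packet["spid"], packet["eom"]))
    for tok in packet["tokens"]:
        print(tok)
```

Running it prints the ERROR token with number 18456, severity 14, state 1 and server name WIN-0KLYH9YG5N6, followed by a DONE token whose status has the error bit set. The state byte on the wire is the one to compare with the server log line in the question: a client-side 18456 always arrives as state 1, so the driver trace can confirm that the GSS handshake finished and that the server rejected the resulting token, but not why; the server error log (state 11 here) is the only place that records the reason.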
1 answer

0 votes

Sorry, I still don't have the reputation to comment. We have exactly the same problem; can anyone shed some light on this?
