SQL-SQL linked server connections fails after applying latest windows security patches .

Posted by

This post has been republished via RSS; it originally appeared at: SQL Server Support articles.

Symptoms

  • SQL-SQL linked server connections and distributed query execution fails due to an error message NT AUTHORITY\ANONOYMOUS LOGON after installing Windows security patches that are released in March 2019
  • SQL linked server connection initiated from a client application that runs on a different (third server) machine which is different than two SQL Server machines that are part of the linked server or its “double-hop” scenario
  • The SQL Servers Kerberos configuration and delegation settings are as expected and used to work without issues
  • Either intermittent failures or works until the Kerberos ticket life time expires. For e.g. 10 hours.
  • Issue started occurring after applying recent windows security patches that are released in the month of March 2019

 

Cause(s)

https://support.microsoft.com/en-us/help/4489878  - March 12, 2019—KB4489878 (Monthly Rollup) 

 



Resolution

  • Microsoft Windows team is working on releasing a fix and will provide an update in an upcoming release.
  • The following are the workarounds to mitigate the issue scenario
    1. Purge the Kerberos tickets on the application server. The Kerberos tickets need to be purged before the ticket expiration.  One of the ways to automate, setup a scheduled task on the application servers to purge the Kerberos tickets for every few hours are before the Kerberos token expires.
    2. Uninstall KB 4489878
    3. Some customer had to uninstall all the windows security patches that are released in the month of March 2019 from the SQL Server machines and reboot the machines
    4. If issue still happens even after uninstalling the windows security patches, restart the application server or the application that opens SQL-SQL linked server connection. e.g.  Restart the IIS or the application pool that access SQL Server or the application which can be windows service, console or client / server application
    5. For more information please review 4489878

This articles are republished, there may be more discussion at the original link. But if you found this helpful, you're more than welcome to let us know!

This site uses Akismet to reduce spam. Learn how your comment data is processed.