Token from SSPI is ANONYMOUS LOGON after kerberos logon
From: Joseph Galbraith (galb_at_vandyke.com)
Date: Wed, 15 Oct 2003 11:57:34 -0600
I have a server application that can use SSPI to
authenticate users using Kerberos.
After the SSPI exchange completes, I call
QuerySecurityContextToken() to get a token
I can use to start processes [via
This all works great in most situations; however,
at one customer site, for one particular user, the
TokenUser SID in the token is ANONYMOUS LOGON. This
causes our server to fail the login (and rightly
When I do QueryContextAttributes(SECPKG_ATTR_NAMES)
I get back the users username, i.e.,
mydomain.com\username, so the context is for the
The client in this case is running on a unix workstation
that is using the Active Directory controller as
it's KDC. The user has run kinit, and a klist shows
them as having a ticket for firstname.lastname@example.org.
Does anyone have any clue why the token is being
returned for ANONYMOUS LOGON user instead of for
the real user?
I'm scratching my head trying to figure where to
even look for a possible cause.