Error in Caching

Aug 21, 2008 at 6:41 AM

 I have followed the setup guide to set up the Faceted Search 2.5 Beta version and I have enabled caching in the web part. But when we do a search, we get an error on the WFE as follows:

 

Event Type: Error
Event Source: Enterprise Library Logging
Event Category: None
Event ID: 100
Date: 8/21/2008
Time: 10:16:38 AM
User: N/A
Computer: <Computer Name>
Description:
Timestamp: 8/21/2008 4:46:38 AM
Message: HandlingInstanceID: 8324779e-0028-4420-ac2f-8eb7b946d6b4
An exception of type 'System.Data.SqlClient.SqlException' occurred and was caught.
----------------------------------------------------------------------------------
08/21/2008 00:46:38
Type : System.Data.SqlClient.SqlException, System.Data, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
Message : Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.
Source : .Net SqlClient Data Provider.

 

Please suggest: do I need to change or add extra configuration for caching?

Note: We granted access to 'NT AUTHORITY\ANONYMOUS LOGON' and it worked fine. But our expectation is for it to work with Windows authentication.

Coordinator
Aug 21, 2008 at 1:35 PM
Edited Aug 21, 2008 at 1:35 PM
Is your application pool running under a domain account or network svc? You'll want to have it run under an NT domain account.
Aug 25, 2008 at 5:52 AM
Edited Aug 26, 2008 at 4:08 AM

The application pool is running under an NT domain account. I also granted the MOSS web app pool account datawriter access to the Caching database. But no luck.

Aug 25, 2008 at 3:02 PM
I also am having issues with caching. In my development environment the application pool is running under a service account, not network service. When I run the search, it works fine when I access the results page when logged into SharePoint with an account which is the DB Owner (which is also the same as the service account), but it seems that when I run as my account, I get errors in the System Event Application Log that it is getting authentication errors because it is accessing the SQL Server database as my account, not the service account. The SQL Server is on the same machine as the SharePoint installation, and is full SQL Server, not Express.

Is this a problem with the configuration of the database, or the caching configuration? Should the databases be accessed as the service account, or as I am seeing, as the logged-on SharePoint user? If it is the latter, would we have to grant datawriter privilege to NT Authority\Authenticated users?
Thanks
Coordinator
Aug 25, 2008 at 6:42 PM

Can you confirm when the Search Facets WP caching is disabled (in the WP properties) the search works and there is no error in the log. That will help to narrow down the source of the problem.

Aug 26, 2008 at 4:17 AM

I have disabled the Caching in WP and searched for a word , search works fine and no errors in event log.

Aug 26, 2008 at 9:28 AM
Edited Aug 26, 2008 at 9:30 AM
I'm having the same issue: caching works when I'm logged in with the dbo or application pool account but not with other users: sqlerror "failed to login with ..".

I had a look in the code (SearchProcessor.cs): maybe all calls to the EntLib.Caching.CacheManager should be impersonated with the application pool account? 

Regards
Developer
Aug 26, 2008 at 7:06 PM

Hi Thomek,

In order to further narrow down the problem, please could you provide some extra details about your configuration.

What is your physical topology?  (e.g. 1 db server, 1 SharePoint app server or... ?)

What authentication mechanism are you using on your web application where you have deployed Faceted Search?  e.g. Windows (NTLM or Kerberos), Forms, SSO etc...

Which users are granted permissions on your Caching db and what permissions/roles are set for these users?

Can you add another user to the Caching db (dbo privs) and confirm you can successfully execute a search with Caching enabled in the WP?

When a login fails, can you provide a SQL trace such that we can observe exactly which user authentication is failing for?  Basically, are the users that fail to login those which have no privileges on your Caching DB?

Thanks,

 

Shaun

Aug 27, 2008 at 9:33 AM
Edited Aug 27, 2008 at 9:34 AM
Hi Shaun,

Our topology is a single box with SQL Server 2005 and MOSS 2007 which is using NTLM authentication.
The sharepoint content access account (farm administrator) has dbo access on the caching database and the application pool account has datawriter access.

Indeed, users that fail to login are those which have no privileges on the caching database. So I gave a contributor datawriter access and from that moment no more sql access denied errors are logged for that user. However the facet search webpart always indicates "not cached". The same test query with the application pool account does use caching when the search is repeated.
I didn't do a sql trace yet, let me know if it's still needed.

Thanks
thomek
Developer
Aug 27, 2008 at 9:38 AM
Edited Aug 27, 2008 at 9:42 AM
Thomek,

Thanks for your reply - can you provide SQL logs and profiler trace for the Contributor user and the application pool account accesses?

Thanks,

Shaun
Sep 2, 2008 at 1:16 PM
Edited Sep 2, 2008 at 1:17 PM

Dear Shaun,

SQL logs :

Event Type: Failure Audit
Event Source: MSSQLSERVER
Event Category: Logon
Event ID: 18456
Date:  8/26/2008
Time:  4:31:05 AM
User:  NT AUTHORITY\ANONYMOUS LOGON
Computer: <Computer Name>
Description:
Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'. Reason: Token-based server access validation failed with an infrastructure error. Check for previous errors.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Sep 2, 2008 at 8:44 PM
I was able to get it to work by allowing Read, Write permission for the database and Execute permission for the Stored Procedures for NT Authority\Anonymous LOGON.  Is this the way that the EntLib caching database is supposed to be configured?  
Developer
Sep 3, 2008 at 7:12 AM

Andamuthu,

Which version of SQL Server are you using?  Is it 2005 or 2008?  If it's 2008 is it the RTM version?  (e.g. not CTP or RCs)

Thanks,

 

Shaun

Developer
Sep 3, 2008 at 7:28 AM
Stevebowers,

Granting access to NT AUTHORITY\ANONYMOUS LOGON isn't desirable.

Please could you try trusting the application pool identity account for delegation - edit the User Profile in Active Directory and enable "Account is trusted for delegation" under the Account tab for the user and try again.  Obviously you'll need to remove all privileges for NT AUTHORITY\ANONYMOUS LOGON to ensure that it's actually working.  Also, can you confirm that you're running NTLM authentication on the web application?

Thanks,

Shaun
Sep 4, 2008 at 4:24 AM
Edited Sep 4, 2008 at 4:27 AM
Shaun,

Am using the RTM version of SQL 2008. 

Thanks,
Andamuthu K
Developer
Sep 8, 2008 at 12:29 PM
Edited Sep 8, 2008 at 6:28 PM
Andamuthu,

The only thing that I can think of at the moment is that there's some issue with either security account mappings/delegation and/or some kind of double hop issue.  Also, in your SQL/Event log where the below error is reported:

Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'. Reason: Token-based server access validation failed with an infrastructure error. Check for previous errors.


Are there any other security/validation errors in the Event Log (Security/Application/System) for around the same time?

Also, you may try granting access to the machine account (DOMAIN\MACHINE$) on the SQL Server box as by default, this user isn't added by default in SQL 2008 I don't think which may be the source of the delegation/account mapping privilege problems.

Can you try the above and please report back progress and problems?

Many thanks,

Shaun O'Callaghan
Sep 25, 2008 at 4:40 PM
Has anyone found a solution for this besides turning off caching?  I'm experiencing the Login failed for Anonymous Logon as well and our web application is running with kerberos authentication using a domain account.
Developer
Sep 26, 2008 at 10:03 PM
Hi,

Please see previous comments on this thread regarding:

  • Database server version?  2005 or 2008?  Is it CTP/Beta or RTM?
  • Does domain\computername$ have db access?
  • What is your physical configuration and MOSS topology?
  • What authentication mechanisms are you using on the web application where Faceted Search is deployed?
etc

Please see previous progress and report back a description of your environment.

Thanks,

Shaun O'Callaghan
Oct 15, 2008 at 5:19 PM
Hi.

Had the same issue with SQL2008 RTM enterprise and Login failed for user '<domain>\<user>'. Reason: Token-based server access validation failed with an infrastructure error. Check for previous errors.

I then tried to start the SQL Server browser service once (I chose not to activate it during installation). Then logging in worked. Stopping it has no negative effect.
So it seems that an uninitialized SQL Server browser service has some crucial effect on integrated authentication. Maybe an MS BUG ??

Hope this helps

Thomas


Oct 15, 2008 at 5:31 PM
Hi.

Ignore my previous post. Seems like the problem has returned.
I have no idea why the behavior occurred.

Thomas
Oct 28, 2008 at 3:14 PM
I'm inclined to think that this is Kerberos related. I have 2 setups and apart from the platform differences they're almost identical in terms of accounts and SPNs etc. :

- MOSS 2007 running on Windows 2008, SQL Server 2005 on Windows 2008 backend - "Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'" error on SQL backend
- MOSS 2007 running on Windows 2003, SQL Server 2005 on Windows 2003 backend - everything works just fine.

Kerberos and MOSS are somewhat busted in Windows 2008 - if you don't specifically uncheck the "Enable Kernel Mode Authentication" under the IIS7 security settings for the MOSS site you wish to enable Kerberos authentication on, Kerberos authentication won't work. The SQL error above is typically what you would expect if you hadn't enabled delegation on the user account the application pool is running under. So in this case it's not that the user account being passed to SQL isn't the right one... the user account isn't being passed at all, it would appear.

Hopefully this might be able to point someone in the right direction for a fix.

Pete
Nov 11, 2008 at 4:04 PM
Solved !!!

I added an SPN for the SQL server service account, enabled delegation and everything works. Curiously though this step hasn't been done on the MOSS on Win2K3 setup, but that works fine. Either way it's resolved the issue.
Coordinator
Nov 11, 2008 at 4:49 PM
Thanks for sharing your solution!
Nov 14, 2008 at 4:21 PM

One more problem… every time the faceted search runs it's logging an authentication error in the application event log of the MOSS server. The search however still works. This is consistent with the application trying NTLM, failing, then falling back to Kerberos. Is that the case?

Either way, is there any way to tell the app to just use Kerberos by default (if that’s not the case) or at least turn off the error logging ?

Thanks


Pete

Mar 10, 2009 at 4:32 PM
I have run into the same problem described in this thread. I have gone through the setup as described in the guide. I have tested the Enterprise Caching Library 3.1 connection using the utility and selected the web.config file and everything looks good. Both my SQL 2005 SP2 server and MOSS 2007 SP1 are running on Win Server 08 64-bit OS.

I have deactivated the caching on all facet web parts in order to get the error messages to stop on the SharePoint server and the SQL backend server. I did go through the process of setting up the SQL Server as described above for Kerberos correctly in AD and for the specific SQL Service Account. However, my frontend SharePoint servers are not set up for Kerberos.

I verified the SQL Service Account is using Kerberos with provided SQL Statement from: http://blogs.msdn.com/james_world/archive/2007/08/20/essential-guide-to-kerberos-in-sharepoint.aspx
 
SELECT login_name, program_name, host_name, auth_scheme
FROM sys.dm_exec_connections C INNER JOIN sys.dm_exec_sessions S
ON C.session_id  = S.session_id

However, when I activate the caching option on any of the facet web parts, the errors below take place only once, each time a search is conducted. However, even with the caching activated, it will continue to show the status of "Not cached".

Questions:
1. I guess what I would like to know is if this still sounds like a Kerberos error problem?
2. Should I go all out and set up all SharePoint web apps for Kerberos in order to resolve this issue if it is in fact a Kerberos problem?
3. Is it advised to have Kerberos set up as default for the Faceted Search web parts?


SQL Backend Server Error Message:
Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'. [CLIENT: THEIPADDRESS]

SharePoint Server Error Message:

Timestamp: 3/10/2009 3:31:31 PM
Message: HandlingInstanceID: 2b4940d2-44da-4a6b-a3d8-b1a5f3d9d498
An exception of type 'System.Data.SqlClient.SqlException' occurred and was caught.
----------------------------------------------------------------------------------
03/10/2009 08:31:31
Type : System.Data.SqlClient.SqlException, System.Data, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
Message : Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.
Source : .Net SqlClient Data Provider
Help link :
Errors : System.Data.SqlClient.SqlErrorCollection
Class : 14
LineNumber : 65536
Number : 18456
Procedure :
Server : MYSQLSERVERHERE
State : 1
ErrorCode : -2146232060
Data : System.Collections.ListDictionaryInternal
TargetSite : Void OnError(System.Data.SqlClient.SqlException, Boolean)
Stack Trace :    at System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean breakConnection)
   at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj)
   at System.Data.SqlClient.TdsParser.Run(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj)
   at System.Data.SqlClient.SqlInternalConnectionTds.CompleteLogin(Boolean enlistOK)
   at System.Data.SqlClient.SqlInternalConnectionTds.LoginNoFailover(String host, String newPassword, Boolean redirectedUserInstance, SqlConnection owningObject, SqlConnectionString connectionOptions, Int64 timerStart)
   at System.Data.SqlClient.SqlInternalConnectionTds.OpenLoginEnlist(SqlConnection owningObject, SqlConnectionString connectionOptions, String newPassword, Boolean redirectedUserInstance)
   at System.Data.SqlClient.SqlInternalConnectionTds..ctor(DbConnectionPoolIdentity identity, SqlConnectionString connectionOptions, Object providerInfo, String newPassword, SqlConnection owningObject, Boolean redirectedUserInstance)
   at System.Data.SqlClient.SqlConnectionFactory.CreateConnection(DbConnectionOptions options, Object poolGroupProviderInfo, DbConnectionPool pool, DbConnection owningConnection)
   at System.Data.ProviderBase.DbConnectionFactory.CreatePooledConnection(DbConnection owningConnection, DbConnectionPool pool, DbConnectionOptions options)
   at System.Data.ProviderBase.DbConnectionPool.CreateObject(DbConnection owningObject)
   at System.Data.ProviderBase.DbConnectionPool.UserCreateRequest(DbConnection owningObject)
   at System.Data.ProviderBase.DbConnectionPool.GetConnection(DbConnection owningObject)
   at System.Data.ProviderBase.DbConnectionFactory.GetConnection(DbConnection owningConnection)
   at System.Data.ProviderBase.DbConnectionClosed.OpenConnection(DbConnection outerConnection, DbConnectionFactory connectionFactory)
   at System.Data.SqlClient.SqlConnection.Open()
   at Microsoft.Practices.EnterpriseLibrary.Data.Database.GetNewOpenConnection()
   at Microsoft.Practices.EnterpriseLibrary.Data.Database.GetOpenConnection(Boolean disposeInnerConnection)
   at Microsoft.Practices.EnterpriseLibrary.Data.Database.GetOpenConnection()
   at Microsoft.Practices.EnterpriseLibrary.Data.Database.LoadDataSet(DbCommand command, DataSet dataSet, String[] tableNames)
   at Microsoft.Practices.EnterpriseLibrary.Data.Database.LoadDataSet(DbCommand command, DataSet dataSet, String tableName)
   at Microsoft.Practices.EnterpriseLibrary.Data.Database.ExecuteDataSet(DbCommand command)
   at Microsoft.Practices.EnterpriseLibrary.Caching.Database.DataBackingStore.LoadDataFromStore()
   at Microsoft.Practices.EnterpriseLibrary.Caching.BackingStoreImplementations.BaseBackingStore.Load()
   at Microsoft.Practices.EnterpriseLibrary.Caching.Cache..ctor(IBackingStore backingStore, CacheCapacityScavengingPolicy scavengingPolicy, CachingInstrumentationProvider instrumentationProvider)
   at Microsoft.Practices.EnterpriseLibrary.Caching.CacheManagerFactoryHelper.BuildCacheManager(String cacheManagerName, IBackingStore backingStore, Int32 maximumElementsInCacheBeforeScavenging, Int32 numberToRemoveWhenScavenging, Int32 expirationPollFrequencyInSeconds, CachingInstrumentationProvider instrumentationProvider)
   at Microsoft.Practices.EnterpriseLibrary.Caching.CacheManagerCustomFactory.CreateObject(IBuilderContext context, String name, IConfigurationSource configurationSource, ConfigurationReflectionCache reflectionCache)
   at Microsoft.Practices.EnterpriseLibrary.Common.Configuration.ObjectBuilder.ConfiguredObjectStrategy.BuildUp(IBuilderContext context, Type t, Object existing, String id)
   at Microsoft.Practices.ObjectBuilder.BuilderStrategy.BuildUp(IBuilderContext context, Type typeToBuild, Object existing, String idToBuild)
   at Microsoft.Practices.ObjectBuilder.SingletonStrategy.BuildUp(IBuilderContext context, Type typeToBuild, Object existing, String idToBuild)
   at Microsoft.Practices.ObjectBuilder.BuilderStrategy.BuildUp(IBuilderContext context, Type typeToBuild, Object existing, String idToBuild)
   at Microsoft.Practices.EnterpriseLibrary.Common.Configuration.ObjectBuilder.ConfigurationNameMappingStrategy.BuildUp(IBuilderContext context, Type t, Object existing, String id)
   at Microsoft.Practices.ObjectBuilder.BuilderBase`1.DoBuildUp(IReadWriteLocator locator, Type typeToBuild, String idToBuild, Object existing, PolicyList[] transientPolicies)
   at Microsoft.Practices.ObjectBuilder.BuilderBase`1.BuildUp(IReadWriteLocator locator, Type typeToBuild, String idToBuild, Object existing, PolicyList[] transientPolicies)
   at Microsoft.Practices.ObjectBuilder.BuilderBase`1.BuildUp[TTypeToBuild](IReadWriteLocator locator, String idToBuild, Object existing, PolicyList[] transientPolicies)
   at Microsoft.Practices.EnterpriseLibrary.Common.Configuration.ObjectBuilder.EnterpriseLibraryFactory.BuildUp[T](IReadWriteLocator locator, IConfigurationSource configurationSource)
   at Microsoft.Practices.EnterpriseLibrary.Common.Configuration.ObjectBuilder.LocatorNameTypeFactoryBase`1.CreateDefault()
   at Microsoft.Practices.EnterpriseLibrary.Caching.CacheFactory.GetCacheManager()
   at Microsoft.SharePoint.Portal.ExtendedSearch.WebControls.SearchProcessor.GetCachedData(String selectColumns, Int16 resultsPerPage, Int32 longCacheTimeout, Int32 fastCacheTimeout, Boolean& usingCachedData, Boolean& run2ndTime)

Additional Info:

MachineName : MYSHAREPOINTSERVERHERE
TimeStamp : 3/10/2009 3:31:31 PM
FullName : Microsoft.Practices.EnterpriseLibrary.ExceptionHandling, Version=3.1.0.0, Culture=neutral, PublicKeyToken=a646907c4a695009
AppDomainName : /LM/W3SVC/290456168/ROOT-1-128811484836348177
ThreadIdentity : MYDOMAINHERE\a_user_here
WindowsIdentity : MYDOMAINHERE\a_user_here
Category: General
Priority: 0
EventId: 100
Severity: Error
Title:Enterprise Library Exception Handling
Machine: MYSHAREPOINTSERVERHERE
Application Domain: /LM/W3SVC/290456168/ROOT-1-128811484836348177
Process Id: 4028
Process Name: c:\windows\system32\inetsrv\w3wp.exe
Win32 Thread Id: 4776
Thread Name:
Extended Properties: HelpLink.ProdName - Microsoft SQL Server
HelpLink.EvtSrc - MSSQLServer
HelpLink.EvtID - 18456
HelpLink.BaseHelpUrl - http://go.microsoft.com/fwlink
HelpLink.LinkId - 20476
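
Added example (not part of the original thread and not the Faceted Search project's code): a Python triage script that reads Enterprise Library error entries laid out like the one quoted above and separates the two failure modes reported in this thread, SQL Server receiving no identity at all (ANONYMOUS LOGON while the web thread ran as a named user) versus a named caller that simply has no access to the caching database. The host names, account names and verdict labels are constructed for illustration.

```python
import re
from dataclasses import dataclass

ANON = r"NT AUTHORITY\ANONYMOUS LOGON"
LOGIN_RE = re.compile(r"Login failed for user '([^']+)'")
FIELD_RE = re.compile(
    r"^[ \t]*(Number|WindowsIdentity|Server)[ \t]*:[ \t]*(\S.*?)[ \t]*$", re.M)

# Constructed sample entries (hosts and accounts are made up), laid out like
# the Enterprise Library log quoted in the thread.
SAMPLE_LOG = r"""Timestamp: 3/10/2009 3:31:31 PM
Message : Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.
Number : 18456
Server : SQLBOX01
WindowsIdentity : EXAMPLE\alice
Timestamp: 3/10/2009 3:35:02 PM
Message : Login failed for user 'EXAMPLE\bob'.
Number : 18456
Server : SQLBOX01
WindowsIdentity : EXAMPLE\bob
Timestamp: 3/10/2009 3:40:10 PM
Message : Timeout expired.
Number : -2
Server : SQLBOX01
WindowsIdentity : EXAMPLE\svc_pool
"""


@dataclass
class Finding:
    timestamp: str
    sql_login: str      # identity SQL Server rejected
    web_identity: str   # identity the w3wp thread was running as
    verdict: str


def split_entries(log):
    """Yield (timestamp, body); every entry starts with a 'Timestamp:' line."""
    parts = re.split(r"^Timestamp: *(.*)$", log, flags=re.M)
    # parts = [preamble, ts1, body1, ts2, body2, ...]
    for i in range(1, len(parts) - 1, 2):
        yield parts[i].strip(), parts[i + 1]


def classify(log):
    """Return a Finding for every SQL login failure (error number 18456)."""
    findings = []
    for ts, body in split_entries(log):
        fields = dict(FIELD_RE.findall(body))
        login = LOGIN_RE.search(body)
        if fields.get("Number") != "18456" or not login:
            continue  # not a SQL Server login failure
        sql_login = login.group(1)
        web_id = fields.get("WindowsIdentity", "unknown")
        if sql_login.upper() == ANON and web_id.upper() != ANON:
            # The web thread had a named identity but SQL Server saw none:
            # the caller's identity was not passed on to the database.
            verdict = "identity-not-delegated"
        elif sql_login.upper() == web_id.upper():
            # The identity reached SQL Server and was refused there.
            verdict = "caller-lacks-db-access"
        else:
            verdict = "other-login-failure"
        findings.append(Finding(ts, sql_login, web_id, verdict))
    return findings


if __name__ == "__main__":
    for f in classify(SAMPLE_LOG):
        print(f"{f.timestamp}  {f.web_identity} -> {f.sql_login}: {f.verdict}")
```

An "identity-not-delegated" verdict points at the SPN and delegation settings discussed in this thread, not at database grants; granting rights to ANONYMOUS LOGON only hides it.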

Mar 21, 2009 at 7:55 PM
I just wanted to verify that this was in fact a Kerberos problem. I did some monitoring on the WFE SharePoint servers and SQL servers. I went through the process of setting up Kerberos on the SQL server and SharePoint; it took a bit of time to get that working. However, I have a site collection set up on Kerberos and with the faceted search web parts. Caching is enabled and functioning with no generic 100 Enterprise Library errors. I also verified that Kerberos is the preferred security option and is successful. I also have faceted search web parts set up on our NTLM site collection, and caching is turned off, which yields no Ent Lib 100 errors on the web front ends. Turning it on of course does cause the errors, but the faceted interface still works.
Coordinator
Mar 21, 2009 at 10:46 PM
Thanks for publishing your solution for this issue. I'm sure many will benefit from your research.