The following error is one that could be commonplace at any time during the last ten years. "SSPI negotiation has failed". "Login failed for user NT AUTHORITY\ANONYMOUS". My service isn't running as an anonymous user. Why isn't it able to connect?

There is a particular bit of behavior for making network requests that differs depending on whether you're using NTLM or Kerberos for authentication. With NTLM, there are some commonly seen circumstances under which you'll end up running as an anonymous user when you may not have expected to. The general issue is that the service principal being used for the outbound call is not correct for what you're trying to do. The specific issue can vary. For example, your service may have impersonated the client caller before trying to make an outbound connection. If you don't have explicit credentials to use for the service and you don't have permission to delegate the client credentials, then you'll have a null user session associated with the call. As another example, your service may be running as a local system account and trying to make an outbound call. NTLM doesn't support using this highly privileged machine account remotely so if you don't have explicit credentials to use for the service, then you will again end up as an anonymous caller.

Next time: Close Your Proxies