Event ID 6033 is logged in the system even log on Query Engine machine
The error is caused when you try to connect to the instance of SQL Server as an anonymous user, the anonymous connection tries to open the LSA Policy handle on the computer that is running the instance of SQL Server. By default, a Windows Server 2003 member server denies an anonymous connection attempt that tries to open an LSA Policy handle if the TurnOffAnonymousBlock registry value is not set to 1. Therefore, your anonymous connection is not successful. Additionally, after SQL Server receives the anonymous connection request, SQL Server calls the LookupAccountSid Windows API function to obtain the account name. Because the function is called in the context of the anonymous connection, the function call also fails if the Network Access: Allow anonymous SID/Name translation security option is not enabled.
Warning This workaround may make your computer or your network more vulnerable to attack by malicious users or by malicious software such as viruses. We do not recommend this workaround but are providing this information so that you can implement this workaround at your own discretion. Use this workaround at your own risk.
1. To work around this problem, follow these steps on the computer that is running Windows Server 2003 to allow anonymous connections to SQL Server 2000 or to SQL Server 2005: 1. Enable the Network Access: Allow anonymous SID/Name translation security option in Local Security Policy. To do this, follow these steps:
a. Click Start, and then click Control Panel. b. Double-click Administrative Tools, and then double-click Local Security Policy. c. In the left pane, expand Local Policies, and then click Security Options. d. In the right pane, under the Policy column, locate and then double-click Network Access: Allow anonymous SID/Name translation. e. In the Network Access: Allow anonymous SID/Name translation dialog box, click the Enabled option, and then click OK. f. Close the Local Security Settings window. g. Close the Administrative Tools window.
2. Set the TurnOffAnonymousBlock DWORD registry value to 1. To do this, follow these steps.
Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
a. Click Start, click Run, type regedit, and then click OK. b. In Registry Editor, locate and then click the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa registry key. c. In the right pane, locate and then double-click the TurnOffAnonymousBlock DWORD registry value.
Note: If the TurnOffAnonymousBlock DWORD registry value does not exist, you must create the registry value. d. In the Edit DWORD Value dialog box, type 1 in the Value data box, and then click OK.
Note By default, the Network Access: Allow anonymous SID/Name translation security option is enabled on the computers that act as domain controllers. However, the security option is disabled on workstations and member servers. The domain controllers do not require the TurnOffAnonymousBlock registry key to control the anonymous connection attempts. Therefore, if your instance of SQL Server is installed on a domain controller that is running Windows Server 2003, the anonymous connection attempts to the instance of SQL Server do not fail.