Jenkins / JENKINS-66760

'No such user: anonymous' when downloading files via Resource Root URL


    • Type: Bug
    • Resolution: Unresolved
    • Priority: Minor
    • Component: core
    • Labels: None
    • Environment: Jenkins 2.303.1 (but has also occurred earlier)
      Security Realm: LDAP

      After our Jenkins has been running for a while (often quite some time), downloads of e.g. build artifacts via the "Resource Root URL" by the anonymous user (i.e. when you are not logged in) fail with the error message: 

      No such user: anonymous

      I was able to attach a debugger when this was the case, and this is what I found out:

      The code responsible is in ResourceDomainRootAction:

                  if (Util.fixEmpty(authenticationName) != null) {
                      User user = User.getById(authenticationName, false);
                      if (user != null) {
                          try {
                              auth = user.impersonate2();
                              LOGGER.fine(() -> "Successfully impersonated " + authenticationName);
                          } catch (UsernameNotFoundException ex) {
                              LOGGER.log(Level.FINE, "Failed to impersonate " + authenticationName, ex);
                              rsp.sendError(403, "No such user: " + authenticationName);
                              return;
                          }
                      }
                  }
      

      The problem occurs when User.getById(authenticationName, false) does not return null. This seems to be the case when there is an actual user "anonymous" found by Jenkins. I was able to find out that it is present in User.AllUsers.values() - but I do not know why.

      Although Jenkins thinks that it knows of a user called anonymous, of course our LDAP server does not, so user.impersonate2 fails with UsernameNotFoundException.

      I think this is a bug in Jenkins, as "anonymous" is treated like an actual username in one case, while it is a magic value in the other.
      But I would be fine if somebody could just tell me how to prevent this from happening, i.e. how to find out where Jenkins gets the idea that there is actually a real user called "anonymous".
      Maybe it is this guy:
       

            Assignee: Unassigned
            Reporter: martin_sander (Martin)
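
A read-only check for the Jenkins script console, added here as an example (it is not part of the original report and not Jenkins' own code): it tests whether a user record with the id "anonymous" exists and whether impersonating it fails the way the report describes. It assumes Jenkins 2.266 or newer, where `impersonate2()` and `Jenkins.ANONYMOUS2` are available; the output wording is made up for this example.

```groovy
import hudson.model.User
import jenkins.model.Jenkins
import org.springframework.security.core.userdetails.UsernameNotFoundException

// Name Jenkins uses for the unauthenticated principal ("anonymous").
def id = Jenkins.ANONYMOUS2.name

// Second argument false: look the record up, never create it.
def user = User.getById(id, false)

if (user == null) {
    println "No user record with id '${id}': the impersonation branch is skipped"
    return
}

println "User record found: id='${user.id}', fullName='${user.fullName}'"

// The attached properties can hint at what created or touched the record.
user.allProperties.each { prop ->
    println "  property: ${prop.class.name}"
}

// impersonate2() only builds an Authentication object by asking the security
// realm for the user's details; it does not change who this script runs as.
try {
    def auth = user.impersonate2()
    println "Security realm resolves '${id}' (authorities: ${auth.authorities})"
} catch (UsernameNotFoundException ex) {
    println "Security realm does not know '${id}': ${ex.message}"
    println "Resource Root URL requests made without a login would get the 403 from the report"
}

// Also list any other records whose id differs from 'anonymous' only by case.
User.getAll()
    .findAll { it.id.equalsIgnoreCase(id) && it.id != id }
    .each { println "Similar record: id='${it.id}'" }
```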