Feature request: Kerberos only authentication

[Gostev]

So what are you doing about it? Veeam clearly has much better contacts with Microsoft than most of us do, has Veeam actually raised this with them? Or are you expecting them to magically fix it if they are unaware of the issues you are having? If your devs have found it unreliable, surely they have lots of details of where it hasn't worked for them that they can pass on.

Clearly you're writing this under an assumption that Microsoft actually cares about Hyper-V these days, so they take feedback and address it promptly - just like they did 10 years ago, when we even helped them design Hyper-V CBT. But this simply has not been the case in the past few years.

The reality is that these days, we can't get much attention or meaningful actions from Microsoft even on much more pressing Hyper-V issues which result in immediate and severe customer impact. I think the real reason is there are little to no developers on Hyper-V for a few years now... in fact, even the most awesome Program Manager that has been on Hyper-V since inception for 2 decades (since he comes from the company that Microsoft acquired back in 2003 to get the actual technology) was moved to some other project. So all signs point to the end of Hyper-V era.

Nothing unexpected though: it was clear years ago when Azure became the top and only priority for Microsoft that all legacy on-prem technologies will likely be left to die in "maintenance-only" mode. I said many times including here that this is what will likely happen next. This tactical move was quite logical to expect as investing in improving on-prem tech means both direct impact to Azure adoption and also less developers available for enhancing Azure technologies.

As for Kerberos support, our devs have implemented it with what I believe is a combination of tools available in Hyper-V today (like KVP) and we will decide whether the result is good enough for production use based on the results of testing in the next few months. This is best we can do in the current realities.

[JPMS]

Thanks for the reply Gostev, it certainly helps clarify the situation.

Bit depressing to read your take on the future of on-premises technologies. Cloud services are not for everybody, for a variety of reasons, and I do wonder if Microsoft are making a mistake trying to force people solely down that path. Time will tell. Maybe it's time to start developing some skill in VMware...

[Gostev]

Personally I actually agree with you, and I too always thought they took a wrong path there with Hyper-V. Because I strongly believe the future is a hybrid cloud, which in turn requires a strong on-prem offering as much as a strong cloud offering to win the customer.

In fact, they may have started to realize the same some time ago, as I can see a ray of hope in the form of their new Azure Stack HCI effort. But unfortunately it's likely NOT a ray of hope for "general purpose" Hyper-V itself I think, even if the fist version of HCI is nothing but regular Hyper-V on S2D... they just needed to start somewhere. What I mean is that going forward, I can see them spending all of their efforts on polishing this one specific deployment scenario, as opposed to keep improving Hyper-V as a general purpose, storage-agnostic hypervisor.

[billcouper]

PetitPotam is forcing our hand in this. We MUST disable NTLM on our network, but now we cannot backup in the "best practice" method of using app-aware processing. Please escalate the priority of getting Kerberos-only authentication working in Hyper-V environments!

Edit: I would be willing to test experimental kerberos-only hyper-v app-aware processing. Case # 04940126

[trackstar]

So we currently have only one Veeam server in our environment (VB & R v10) which backups vCenter. Does Kerberos alone work now? We want to disable NTLM v1. We are told NTLM v2 is allowed if that is the only option.

[Gostev]

While Kerberos alone won't work, NTLM v2 will.

[Gostev]

Bill, please note that PetitPotam can be blocked without disabling NTLM using a simple netsh filter. At this time, disabling NTLM to block PetitPotam would be similar to curing a headache with a guillotine, because many apps are simply not ready for Kerberos-only. Although there's no doubt this is where every environment wants to be eventually.

[trackstar]

While Kerberos alone won't work, NTLM v2 will.

Gostev,

Any guidelines as to using NTLM v2 & Kerberos and getting rid of NTLM v1 on the Veeam server itself? Is it just a matter of making a registry change and rebooting? We are on Veeam v10. As of today our environment still accepts NTLM v1 but we want to make sure there are no surprises when it is turned off.

Thanks,
TT

[JPMS]

We have NTLMv1 turned off on our entire network through a group policy without any issues. Your mileage may vary but you shouldn't have an issue with Veeam.

[trackstar]

Since we are not locking (NTLM v1) at the GPO yet, I would like to disable at the Veeam server. So I am assuming a registry change and a reboot is all I need?

[VCFP]

As for Kerberos support, our devs have implemented it with what I believe is a combination of tools available in Hyper-V today (like KVP) and we will decide whether the result is good enough for production use based on the results of testing in the next few months. This is best we can do in the current realities.

As many here we also took a look at NTLMv2/Kerberos again (after we abandoned that a few years ago as not yet possible at the time).
I was quite disappointed that a modern backup solution like Veeam still relies on NTLMv2. Reading through this thread I agree with colleagues
that Veeam should implement a workaround if KVP is not reliable enough.
Why not make it possible to configure each VM and server in the Veeam configuration with an additional FQDN-attribute?
Together with corresponding Powershell cmdlets in VBR it should be possible to keep those attributes synchronized and up-to-date.

[EcoboostPerformance]

I would love for this to be a feature, with a higher priority. As my security team wants to complely disable NTLM.

[JPMS]

As for Kerberos support, our devs have implemented it with what I believe is a combination of tools available in Hyper-V today (like KVP) and we will decide whether the result is good enough for production use based on the results of testing in the next few months. This is best we can do in the current realities.

Is there any update on this? The only thing that now stops us from disabling NTLMv2 is our Veeam backups.

[JPMS]

Bump! It would be very useful to know what the current status of this is.

[Mildur]

Kerberos only will be supported in V12 for all VBR components and backup tasks.

Thanks
Fabian

[JPMS]

That's great news. Thanks for the update Fabian

[benthomas]

Kerberos only will be supported in V12 for all VBR components and backup tasks.

Thanks
Fabian

WOOOHOOO this is awesome news!