Host-based backup of Microsoft Hyper-V VMs.
Gostev
Chief Product Officer
Posts: 31428
Liked: 6633 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland

Re: Feature request: Kerberos only authentication

Post by Gostev » 1 person likes this post

JPMS wrote: Aug 02, 2021 8:35 am So what are you doing about it? Veeam clearly has much better contacts with Microsoft than most of us do, has Veeam actually raised this with them? Or are you expecting them to magically fix it if they are unaware of the issues you are having? If your devs have found it unreliable, surely they have lots of details of where it hasn't worked for them that they can pass on.
Clearly you're writing this under an assumption that Microsoft actually cares about Hyper-V these days, so they take feedback and address it promptly - just like they did 10 years ago, when we even helped them design Hyper-V CBT. But this simply has not been the case in the past few years.

The reality is that these days, we can't get much attention or meaningful actions from Microsoft even on much more pressing Hyper-V issues which result in immediate and severe customer impact. I think the real reason is there have been few to no developers on Hyper-V for a few years now... in fact, even the most awesome Program Manager that has been on Hyper-V since inception for 2 decades (since he comes from the company that Microsoft acquired back in 2003 to get the actual technology) was moved to some other project. So all signs point to the end of the Hyper-V era.

Nothing unexpected though: it was clear years ago when Azure became the top and only priority for Microsoft that all legacy on-prem technologies will likely be left to die in "maintenance-only" mode. I said many times including here that this is what will likely happen next. This tactical move was quite logical to expect as investing in improving on-prem tech means both direct impact to Azure adoption and also fewer developers available for enhancing Azure technologies.

As for Kerberos support, our devs have implemented it with what I believe is a combination of tools available in Hyper-V today (like KVP) and we will decide whether the result is good enough for production use based on the results of testing in the next few months. This is the best we can do in the current realities.
JPMS
Expert
Posts: 103
Liked: 31 times
Joined: Nov 02, 2019 6:19 pm

Re: Feature request: Kerberos only authentication

Post by JPMS »

Thanks for the reply Gostev, it certainly helps clarify the situation.

Bit depressing to read your take on the future of on-premises technologies. Cloud services are not for everybody, for a variety of reasons, and I do wonder if Microsoft are making a mistake trying to force people solely down that path. Time will tell. Maybe it's time to start developing some skill in VMware...
Gostev
Chief Product Officer
Posts: 31428
Liked: 6633 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland

Re: Feature request: Kerberos only authentication

Post by Gostev » 1 person likes this post

Personally I actually agree with you, and I too always thought they took a wrong path there with Hyper-V. Because I strongly believe the future is a hybrid cloud, which in turn requires a strong on-prem offering as much as a strong cloud offering to win the customer.

In fact, they may have started to realize the same some time ago, as I can see a ray of hope in the form of their new Azure Stack HCI effort. But unfortunately it's likely NOT a ray of hope for "general purpose" Hyper-V itself I think, even if the first version of HCI is nothing but regular Hyper-V on S2D... they just needed to start somewhere. What I mean is that going forward, I can see them spending all of their efforts on polishing this one specific deployment scenario, as opposed to continuing to improve Hyper-V as a general purpose, storage-agnostic hypervisor.
billcouper
Service Provider
Posts: 150
Liked: 30 times
Joined: Dec 18, 2017 8:58 am
Full Name: Bill Couper

Re: Feature request: Kerberos only authentication

Post by billcouper »

PetitPotam is forcing our hand in this. We MUST disable NTLM on our network, but now we cannot back up in the "best practice" method of using app-aware processing. Please escalate the priority of getting Kerberos-only authentication working in Hyper-V environments!

Edit: I would be willing to test experimental Kerberos-only Hyper-V app-aware processing. Case # 04940126
trackstar
Expert
Posts: 161
Liked: 4 times
Joined: Mar 11, 2013 9:47 pm

Re: Feature request: Kerberos only authentication

Post by trackstar »

So we currently have only one Veeam server in our environment (VB & R v10) which backs up vCenter. Does Kerberos alone work now? We want to disable NTLM v1. We are told NTLM v2 is allowed if that is the only option.
Gostev
Chief Product Officer
Posts: 31428
Liked: 6633 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland

Re: Feature request: Kerberos only authentication

Post by Gostev »

While Kerberos alone won't work, NTLM v2 will.
Gostev
Chief Product Officer
Posts: 31428
Liked: 6633 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland

Re: Feature request: Kerberos only authentication

Post by Gostev » 1 person likes this post

Bill, please note that PetitPotam can be blocked without disabling NTLM using a simple netsh filter. At this time, disabling NTLM to block PetitPotam would be similar to curing a headache with a guillotine, because many apps are simply not ready for Kerberos-only. Although there's no doubt this is where every environment wants to be eventually.
trackstar
Expert
Posts: 161
Liked: 4 times
Joined: Mar 11, 2013 9:47 pm

Re: Feature request: Kerberos only authentication

Post by trackstar »

Gostev wrote: Aug 03, 2021 11:03 am While Kerberos alone won't work, NTLM v2 will.
Gostev,

Any guidelines as to using NTLM v2 & Kerberos and getting rid of NTLM v1 on the Veeam server itself? Is it just a matter of making a registry change and rebooting? We are on Veeam v10. As of today our environment still accepts NTLM v1 but we want to make sure there are no surprises when it is turned off.

Thanks,
TT
JPMS
Expert
Posts: 103
Liked: 31 times
Joined: Nov 02, 2019 6:19 pm

Re: Feature request: Kerberos only authentication

Post by JPMS » 1 person likes this post

We have NTLMv1 turned off on our entire network through a group policy without any issues. Your mileage may vary but you shouldn't have an issue with Veeam.
trackstar
Expert
Posts: 161
Liked: 4 times
Joined: Mar 11, 2013 9:47 pm

Re: Feature request: Kerberos only authentication

Post by trackstar »

Since we are not locking (NTLM v1) at the GPO yet, I would like to disable it at the Veeam server. So I am assuming a registry change and a reboot is all I need?
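
A read-only pre-check for the question in the post above, added here as an example and not part of any post or of Veeam's documentation. It assumes the registry change under discussion is the standard `LmCompatibilityLevel` value and that NTLMv1 use appears as `NTLM V1` in Security event 4624; the 7-day window is an arbitrary choice.

```powershell
# Added example: audit only, changes nothing. Run in an elevated session
# (reading the Security log requires administrator rights).

# 1. Current LAN Manager authentication level on this machine.
$lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$level = (Get-ItemProperty -Path $lsa -Name LmCompatibilityLevel `
            -ErrorAction SilentlyContinue).LmCompatibilityLevel
if ($null -eq $level) {
    'LmCompatibilityLevel: not set (OS default applies)'
} else {
    "LmCompatibilityLevel: $level (5 = send NTLMv2 only, refuse LM and NTLMv1)"
}

# 2. Successful logons to this machine in the last 7 days that used NTLMv1.
$filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-7) }
$ntlmV1 = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Flatten the event's <Data Name="...">value</Data> nodes into a hashtable.
        $data = @{}
        foreach ($node in ([xml]$_.ToXml()).Event.EventData.Data) {
            $data[$node.Name] = $node.'#text'
        }
        if ($data['LmPackageName'] -eq 'NTLM V1') {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                User        = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
                Workstation = $data['WorkstationName']
                SourceIp    = $data['IpAddress']
            }
        }
    }

# 3. Summarise who would break if NTLMv1 were refused.
if ($ntlmV1) {
    $ntlmV1 | Group-Object User, Workstation, SourceIp |
        Sort-Object Count -Descending |
        Select-Object Count, Name
} else {
    'No NTLMv1 logons recorded in the last 7 days.'
}
```

Event 4624 covers only logons made to the machine the script runs on, so it needs to be run on each server that accepts connections from the accounts in question.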
VCFP
Novice
Posts: 8
Liked: 1 time
Joined: Jul 31, 2020 9:52 am

Re: Feature request: Kerberos only authentication

Post by VCFP » 1 person likes this post

Gostev wrote: Aug 02, 2021 11:15 am As for Kerberos support, our devs have implemented it with what I believe is a combination of tools available in Hyper-V today (like KVP) and we will decide whether the result is good enough for production use based on the results of testing in the next few months. This is the best we can do in the current realities.
Like many here, we also took a look at NTLMv2/Kerberos again (after we abandoned that a few years ago as not yet possible at the time).
I was quite disappointed that a modern backup solution like Veeam still relies on NTLMv2. Reading through this thread I agree with colleagues that Veeam should implement a workaround if KVP is not reliable enough.
Why not make it possible to configure each VM and server in the Veeam configuration with an additional FQDN-attribute?
Together with corresponding PowerShell cmdlets in VBR it should be possible to keep those attributes synchronized and up-to-date.
EcoboostPerformance
Enthusiast
Posts: 27
Liked: 2 times
Joined: May 05, 2020 5:50 pm
Full Name: Ryan

Re: Feature request: Kerberos only authentication

Post by EcoboostPerformance »

I would love for this to be a feature, with a higher priority, as my security team wants to completely disable NTLM.
JPMS
Expert
Posts: 103
Liked: 31 times
Joined: Nov 02, 2019 6:19 pm

Re: Feature request: Kerberos only authentication

Post by JPMS »

Gostev wrote: Aug 02, 2021 11:15 am As for Kerberos support, our devs have implemented it with what I believe is a combination of tools available in Hyper-V today (like KVP) and we will decide whether the result is good enough for production use based on the results of testing in the next few months. This is the best we can do in the current realities.
Is there any update on this? The only thing that now stops us from disabling NTLMv2 is our Veeam backups.
JPMS
Expert
Posts: 103
Liked: 31 times
Joined: Nov 02, 2019 6:19 pm

Re: Feature request: Kerberos only authentication

Post by JPMS » 1 person likes this post

Bump! It would be very useful to know what the current status of this is.
Mildur
Product Manager
Posts: 8481
Liked: 2203 times
Joined: May 13, 2017 4:51 pm
Full Name: Fabian K.
Location: Switzerland

Re: Feature request: Kerberos only authentication

Post by Mildur » 2 people like this post

Kerberos only will be supported in V12 for all VBR components and backup tasks.

Thanks
Fabian
Product Management Analyst @ Veeam Software
JPMS
Expert
Posts: 103
Liked: 31 times
Joined: Nov 02, 2019 6:19 pm

Re: Feature request: Kerberos only authentication

Post by JPMS »

That's great news. Thanks for the update Fabian
benthomas
Veeam Vanguard
Posts: 39
Liked: 11 times
Joined: Apr 22, 2013 2:29 am
Full Name: Ben Thomas
Location: New Zealand

Re: Feature request: Kerberos only authentication

Post by benthomas »

Mildur wrote: Oct 11, 2022 10:49 am Kerberos only will be supported in V12 for all VBR components and backup tasks.

Thanks
Fabian
WOOOHOOO this is awesome news!
Ben Thomas | Solutions Advisor | Veeam Vanguard 2023 | VMCE2022 | Microsoft MVP 2018-2023 | BCThomas.com