Discussions specific to the Microsoft Hyper-V hypervisor
shayani
Lurker
Posts: 2
Liked: never
Joined: Apr 09, 2018 8:35 am
Full Name: Shayani
Contact:

Feature request: Kerberos only authentication

Post by shayani »

I have discussed with Veeam support and apparently there is no way to use only Kerberos authentication with Veeam. Therefore, if you're planning to have a NTLM free environment, Veeam would be out of the equation. The following services do not seem to work in Kerberos:
  1) File indexing
  2) File restoration
I'm starting this thread to request for the feature to be in the next release of Veeam B&R. It is high time for Veeam to catch up with the latest Enterprise security standards.

Vitaliy S.
Product Manager
Posts: 24030
Liked: 1794 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov
Contact:

Re: Feature request: Kerberos only authentication

Post by Vitaliy S. » 1 person likes this post

Hello Shayani,

This functionality is in our high priority feature list. Based on your scenario you would need to have this type of authentication available for guest processing services (application aware processing), right?

Thank you for the FR.

shayani
Lurker
Posts: 2
Liked: never
Joined: Apr 09, 2018 8:35 am
Full Name: Shayani
Contact:

Re: Feature request: Kerberos only authentication

Post by shayani »

Yes. Thanks for your reply. And please post any updates.

dsegel
Influencer
Posts: 18
Liked: never
Joined: Aug 09, 2017 3:51 pm
Full Name: Daniel Segel
Contact:

Re: Feature request: Kerberos only authentication

Post by dsegel »

Any updates on if/when NTLM will be going away as a requirement in Veeam? My security admin is pushing to disable it everywhere.

We're running Hyper-V if it matters.

Gostev
SVP, Product Management
Posts: 26336
Liked: 4107 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Feature request: Kerberos only authentication

Post by Gostev »

Support for Kerberos-only authentication for guest connections was added in Update 4, see What's New for more details.

dsegel
Influencer
Posts: 18
Liked: never
Joined: Aug 09, 2017 3:51 pm
Full Name: Daniel Segel
Contact:

Re: Feature request: Kerberos only authentication

Post by dsegel »

Unless I'm reading it wrong, it says that's for vSphere only. As I said, we're running Hyper-V.

Gostev
SVP, Product Management
Posts: 26336
Liked: 4107 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Feature request: Kerberos only authentication

Post by Gostev »

Ah, sorry. Moved to the correct forum and asked for clarification why it says vSphere only, since guest processing is not hypervisor-specific logic AFAIK.

Gostev
SVP, Product Management
Posts: 26336
Liked: 4107 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Feature request: Kerberos only authentication

Post by Gostev » 1 person likes this post

Checked with the devs and apparently unlike VMware, Hyper-V does not return FQDN of the guest - while Kerberos authentication is impossible without FQDN.

dsegel
Influencer
Posts: 18
Liked: never
Joined: Aug 09, 2017 3:51 pm
Full Name: Daniel Segel
Contact:

Re: Feature request: Kerberos only authentication

Post by dsegel »

Yup, I just discovered this myself when all the backups on our test system failed last night.

Veeam can't even connect to the host server, nevermind the guest VMs.

Any ideas for workarounds or other possibilities for ditching NTLM for Hyper-V in the future?

Thanks.

hke
Lurker
Posts: 2
Liked: never
Joined: Oct 08, 2019 11:48 am
Contact:

Re: Feature request: Kerberos only authentication

Post by hke »

There's a similar issue with the console. Administrators in the Windows Protected Users group (which makes users Kerberos-only) can't connect.

veeam-backup-replication-f2/ad-protecte ... 56276.html

benthomas
Service Provider
Posts: 22
Liked: 3 times
Joined: Apr 22, 2013 2:29 am
Full Name: Ben Thomas
Location: New Zealand
Contact:

Re: Feature request: Kerberos only authentication

Post by benthomas »

Gostev wrote:
Apr 17, 2019 4:02 pm
Checked with the devs and apparently unlike VMware, Hyper-V does not return FQDN of the guest - while Kerberos authentication is impossible without FQDN.
I'm sorry @Gostev but Hyper-V guests do return their FQDNs....
The KVP exchange exposes the guest FQDN property to the host. I've just tested and confirmed this on both WS2016 and WS2019 hosts.

Gostev
SVP, Product Management
Posts: 26336
Liked: 4107 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Feature request: Kerberos only authentication

Post by Gostev »

I looked up that email thread with the devs again, and they did mention KVP there... but, in a bad light. They said it's very unreliable, as in many labs the content of FQDN field was empty. So unfortunately, this not something we can rely on for the production code.

HenrikS.
Influencer
Posts: 17
Liked: 6 times
Joined: Jul 04, 2017 12:59 pm
Full Name: Henrik Schewe
Contact:

Re: Feature request: Kerberos only authentication

Post by HenrikS. »

Hello,

Has there been any development on this FR for Hyper-V guests yet, for instance is something coming in v10?
To have guest interaction service accounts leverage Kerberos only/Windows protected user group is something that we really would like to see.

-BR

Gostev
SVP, Product Management
Posts: 26336
Liked: 4107 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Feature request: Kerberos only authentication

Post by Gostev » 1 person likes this post

Hello! There was no development, as this would require Microsoft to fix this KVP functionality in Hyper-V first. Thanks!

HenrikS.
Influencer
Posts: 17
Liked: 6 times
Joined: Jul 04, 2017 12:59 pm
Full Name: Henrik Schewe
Contact:

Re: Feature request: Kerberos only authentication

Post by HenrikS. »

Hello Gostev,

But what about PowerShell Direct?
You leverage this as a fallback to inject the Veeam Service, why is it not possible to extract the hostname from the Guest?
Quick test performed on a 2016 host:

PS C:\> Invoke-Command -VMName guest -ScriptBlock { ([System.Net.Dns]::GetHostByName($env:COMPUTERNAME)).HostName }
cmdlet Invoke-Command at command pipeline position 1
Supply values for the following parameters:
Credential
guest01.contoso.com

-BR
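The two host-side sources of the guest FQDN discussed in this thread (the KVP exchange property Ben points to, and the PowerShell Direct call Henrik shows), as an added example that is not Veeam's code and not from any post here. It reads the KVP item over WMI first, falls back to PowerShell Direct when the KVP field is empty (the failure mode the devs reported), and refuses a bare NetBIOS name because a host/<fqdn> SPN cannot be built from it. Assumed: a Windows Server 2016+ host with the Hyper-V role, and a credential valid inside the guest; the VM name 'guest01' is a placeholder.

```powershell
# Added example, not Veeam code: resolve a Hyper-V guest's FQDN from the host so a
# Kerberos SPN (host/<fqdn>) can be built. Assumes WS2016+ host and a guest credential.

function Get-GuestFqdnFromKvp {
    param([Parameter(Mandatory)][string]$VMName)

    $ns = 'root\virtualization\v2'
    $vm = Get-CimInstance -Namespace $ns -ClassName Msvm_ComputerSystem `
            -Filter "ElementName='$VMName'"          # VM names containing ' would need escaping
    if (-not $vm) { throw "VM '$VMName' not found on this host" }

    # GuestIntrinsicExchangeItems is an array of embedded-instance XML strings, one per
    # item the guest's Data Exchange (KVP) integration service publishes to the host.
    $kvp = Get-CimAssociatedInstance -InputObject $vm -ResultClassName Msvm_KvpExchangeComponent
    foreach ($item in @($kvp.GuestIntrinsicExchangeItems)) {
        $x    = [xml]$item
        $name = ($x.INSTANCE.PROPERTY | Where-Object NAME -eq 'Name').VALUE
        if ($name -eq 'FullyQualifiedDomainName') {
            return ($x.INSTANCE.PROPERTY | Where-Object NAME -eq 'Data').VALUE
        }
    }
    # Item missing or empty: integration service disabled, guest still booting, or no
    # integration components installed. This is the "unreliable KVP" case.
    return $null
}

function Get-GuestFqdnViaPsDirect {
    param([Parameter(Mandatory)][string]$VMName,
          [Parameter(Mandatory)][pscredential]$Credential)
    # PowerShell Direct runs over VMBus, not the network, so neither NTLM nor Kerberos
    # is on the wire. Needs a WS2016+ host and a Windows 10 / WS2016+ guest.
    Invoke-Command -VMName $VMName -Credential $Credential -ScriptBlock {
        [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    }
}

function Resolve-GuestFqdn {
    param([Parameter(Mandatory)][string]$VMName,
          [pscredential]$Credential)

    $fqdn = Get-GuestFqdnFromKvp -VMName $VMName
    if ([string]::IsNullOrWhiteSpace($fqdn) -and $Credential) {
        $fqdn = Get-GuestFqdnViaPsDirect -VMName $VMName -Credential $Credential
    }
    # A NetBIOS name is not enough: the KDC looks up host/<fqdn>, so without a dotted
    # name a Kerberos-only connection has nothing to request a ticket for.
    if ([string]::IsNullOrWhiteSpace($fqdn) -or $fqdn -notmatch '\.') {
        throw "Could not determine an FQDN for '$VMName'; Kerberos-only guest processing would fail"
    }
    return $fqdn
}

# Usage (placeholder VM name):
# $fqdn = Resolve-GuestFqdn -VMName 'guest01' -Credential (Get-Credential)
# New-PSSession -ComputerName $fqdn -Authentication Kerberos
```

The order matters for the failure mode in this thread: a VM whose KVP field is empty does not silently drop to NTLM here, it either gets its name over VMBus or raises an error that names the VM, which is exactly the list an administrator would need before turning NTLM off.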

Gostev
SVP, Product Management
Posts: 26336
Liked: 4107 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Feature request: Kerberos only authentication

Post by Gostev »

PowerShell Direct is a fairly recent technology that is not available in all Windows guest OS and Hyper-V versions we support. May be in future, once we only support those versions... if Microsoft still does not fix KVP by then.

HenrikS.
Influencer
Posts: 17
Liked: 6 times
Joined: Jul 04, 2017 12:59 pm
Full Name: Henrik Schewe
Contact:

Re: Feature request: Kerberos only authentication

Post by HenrikS. » 1 person likes this post

Hello Gostev,

I'm sorry, but I find this lack of functionality to be quite severe.
Is it really so that you claim KVP broken? Exactly what part of it and how can we reproduce to file a request to Microsoft?
PowerShell Direct has been around for nearly 4 years.

I want to be solution oriented here, have you considered other options to be able to provide this functionality?

1: Implement an order of precedence for guest logon; Kerberos only, Negotiate or NTLM/Legacy where the user can first move to Negotiate before Kerberos only.
2: Get the FQDN where you can. If PowerShell Direct/KVP can be used, use it. If not, then add a field under Processing Settings that makes us able to manually add the FQDN.

-BR

Gostev
SVP, Product Management
Posts: 26336
Liked: 4107 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Feature request: Kerberos only authentication

Post by Gostev »

I'm not sure I follow your logic here, Henrik. What is the point of having Kerberos-only authentication feature, if you must still keep NTLM enabled on the network for failover purposes of processing those VMs which cannot be processed with Kerberos authentication? I mean, it's not like NOT backing up some machines is acceptable, right?

And as long as you keep NTLM available on the network, from security perspective it does not matter if you now use Kerberos for certain machines... which means implementing this functionality adds zero real value.

As a real solution, you could consider moving to vSphere, where we fully support Kerberos-only guest processing.

HenrikS.
Influencer
Posts: 17
Liked: 6 times
Joined: Jul 04, 2017 12:59 pm
Full Name: Henrik Schewe
Contact:

Re: Feature request: Kerberos only authentication

Post by HenrikS. »

Hello Gostev,

I see that the logic is a bit diffuse.
What I tried to point out is that if Veeam is unable to automatically get the FQDNs, then the administrator could feed this manually.

To find out for what VMs Veeam is unable to get the FQDNs, a solution could be to enable NTLM failover and to sort these out before you would disable NTLM all together.
I guess you could also find these by the guest processing test credentials run.

The question still remains; Could Veeam implement a way/some way/any way of letting Hyper-V users leverage Kerberos-only authentication?
Changing the backup solution is more likely an option, than to change our hypervisor platform.

-BR
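Henrik's "sort these out before you disable NTLM" step, as an added example that is neither Veeam's code nor from any post in this thread: for each guest FQDN it first tries a Kerberos-only WinRM session (the only kind a Protected Users account can open), then lists 4624 network logons on the guest whose authentication package was still NTLM and that came from the backup server. Assumed: WinRM enabled on the guests, an administrative credential, and a backup-server NetBIOS name 'VBR01' used only as a placeholder filter.

```powershell
# Added example, not Veeam code: find which guests still need NTLM from the backup
# server before NTLM is disabled domain-wide. $VeeamServer is an assumed placeholder.
$VeeamServer = 'VBR01'

function Test-KerberosOnlyAccess {
    param([Parameter(Mandatory)][string[]]$Fqdn,
          [Parameter(Mandatory)][pscredential]$Credential)
    foreach ($h in $Fqdn) {
        $r = [ordered]@{ Host = $h; Kerberos = $false; Error = $null }
        try {
            # -Authentication Kerberos disables the Negotiate -> NTLM downgrade, so a
            # short name, a missing host/ SPN or a non-domain guest fails here instead
            # of silently working over NTLM.
            $s = New-PSSession -ComputerName $h -Authentication Kerberos `
                               -Credential $Credential -ErrorAction Stop
            $r.Kerberos = $true
            Remove-PSSession $s
        } catch {
            $r.Error = $_.Exception.Message
        }
        [pscustomobject]$r
    }
}

function Get-NtlmLogonsFrom {
    # Successful network logons (4624, logon type 3) on a guest whose authentication
    # package was NTLM and whose workstation field matches the backup server.
    # Empty output over a full backup cycle means that guest is already Kerberos-clean.
    param([string]$ComputerName   = $env:COMPUTERNAME,
          [string]$FromWorkstation = $VeeamServer,
          [datetime]$Since         = (Get-Date).AddDays(-1))

    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName = 'Security'; Id = 4624; StartTime = $Since
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $d = $_.Properties   # 4624 EventData field order is fixed on Vista/2008 and later
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Account     = "$($d[6].Value)\$($d[5].Value)"   # TargetDomainName\TargetUserName
            LogonType   = $d[8].Value
            AuthPackage = $d[10].Value                       # 'Kerberos' or 'NTLM'
            Workstation = $d[11].Value
            SourceIP    = $d[18].Value
        }
    } | Where-Object {
        $_.LogonType -eq 3 -and $_.AuthPackage -eq 'NTLM' -and
        $_.Workstation -like "$FromWorkstation*"
    }
}

# Usage (placeholder names):
# $cred = Get-Credential
# Test-KerberosOnlyAccess -Fqdn 'guest01.contoso.com','guest02.contoso.com' -Credential $cred
# Get-NtlmLogonsFrom -ComputerName 'guest01.contoso.com' -Since (Get-Date).AddDays(-7)
```

Run the second function with a window that covers at least one full backup cycle; a guest that passes the Kerberos test but still shows NTLM logons from the backup server is one where the product, not the transport, chose NTLM, which is the gap this feature request is about.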

christian.naenny
Novice
Posts: 3
Liked: 3 times
Joined: Apr 08, 2015 11:52 am
Full Name: Christian Naenny
Location: Zurich, Switzerland
Contact:

[MERGED] Roadmap to ditch the requirement for NTLM entirely

Post by christian.naenny » 2 people like this post

Hello experts,

In documentation for Veeam B&R 9.5U4 for VMware vSphere it is stated:
"To back up or replicate VMware vSphere VMs where Kerberos is used, you must make sure that NTLM traffic is allowed in Veeam backup infrastructure machines."
Kerberos Authentication for Guest OS Processing

In our network, NTLMv2 is entirely disabled for all new machines with Windows Server 2016 or higher. I need to obtain a special permission from our IT Security Officer to enable NTLMv2 between the Backup Server (also Tape Server and Repository Server) and the Backup Proxies. But our IT Security department is asking by when Veeam will ditch the requirement for NTLM completely.

Is there any roadmap for such a request?

Best regards,
Christian

benthomas
Service Provider
Posts: 22
Liked: 3 times
Joined: Apr 22, 2013 2:29 am
Full Name: Ben Thomas
Location: New Zealand
Contact:

Re: Feature request: Kerberos only authentication

Post by benthomas » 1 person likes this post

@Gostev , any chance to get the devs to review their opinions on Hyper-V KVP?

I have not seen any stability issues in my uses of it personally, and have queried others to find their experiences are the same.
Surely this could be added as a precedence option, like trying various connection methods like Powershell Direct, or like others have said, let us manually provide the FQDNs in the backup job settings if it's so critical.

Gostev
SVP, Product Management
Posts: 26336
Liked: 4107 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Feature request: Kerberos only authentication

Post by Gostev »

Microsoft did not have any new Hyper-V releases since my post in October last year. We will certainly review this once they ship their next LTSC.
