JSi
Influencer
Posts: 17
Liked: 2 times
Joined: Oct 23, 2013 9:02 am
Full Name: Jan Simko
Contact:

Excessive NTLM requests

Post by JSi »

Hello everyone,

My firewall department colleagues remind me about the excessive use of authentication requests coming from my Veeam server. It's about 17 000 requests per day.
I have a small environment: 1 Veeam server with collocated roles (Veeam B&R + Enterprise Manager, One), a 4-node Hyper-V cluster and 1 ESXi server, about 20 jobs.
That count seems too high to me... is it normal? Or did I make a configuration mistake somewhere?

Is there a way to use "Kerberos" and reuse tickets?

Thanks for any advice
Gostev
Chief Product Officer
Posts: 31803
Liked: 7298 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Excessive NTLM requests

Post by Gostev »

JSi wrote: Is there a way to use "Kerberos" and reuse tickets?
I hope not, since the ability to "reuse tickets" would mean that Kerberos has been hacked ;)

Re: Excessive NTLM requests

Post by JSi »

Thanks for the reply, Anton.

I wrote it wrong... I meant it this way: why could it not use a Kerberos ticket to reauthenticate when it's needed?
emachabert
Veeam Vanguard
Posts: 395
Liked: 169 times
Joined: Nov 17, 2010 11:42 am
Full Name: Eric Machabert
Location: France
Contact:

Re: Excessive NTLM requests

Post by emachabert »

NTLM? Really?
I would have thought that Veeam services would use the underlying Kerberos authentication scheme (service tickets instead of NTLM).
Veeamizing your IT since 2009/ Veeam Vanguard 2015 - 2023

Re: Excessive NTLM requests

Post by Gostev »

@Eric we do use Kerberos (although technically speaking, this happens on a much lower level than our application - in core Windows authentication algorithms, and is transparent to us). However, obviously this is applicable to domain environments only... for any component that is located outside of Active Directory, NTLM is the only option.

@Jan service tickets are being re-used of course, but again - all of that happens on a much lower level than our product.
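
To see which targets a backup server actually reaches with NTLM rather than Kerberos, the logon events (ID 4624) on those targets record the authentication package and the client address. The following Python is an added example, not part of the thread or of any Veeam code; it assumes the Security-log events were exported as XML under a single root element, and the host names, account and addresses in the sample are constructed.

```python
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

EVT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVT_NS}

def _ev(event_id, computer, package, ip):
    # Builds one constructed event holding only the fields this example reads.
    return (f'<Event xmlns="{EVT_NS}"><System><EventID>{event_id}</EventID>'
            f"<Computer>{computer}</Computer></System><EventData>"
            '<Data Name="TargetUserName">svc_veeam</Data>'
            f'<Data Name="AuthenticationPackageName">{package}</Data>'
            f'<Data Name="IpAddress">{ip}</Data></EventData></Event>')

# Constructed sample: events collected from two targets. 10.0.0.5 stands in
# for the backup server, 10.0.0.99 for an unrelated client.
SAMPLE = "<Events>" + "".join(
    [_ev(4624, "hv01.corp.example", "Kerberos", "10.0.0.5")] * 2
    + [_ev(4624, "standalone01", "NTLM", "10.0.0.5")] * 3
    + [_ev(4624, "standalone01", "NTLM", "10.0.0.99"),
       _ev(4634, "hv01.corp.example", "Kerberos", "10.0.0.5")]  # logoff, ignored
) + "</Events>"

def packages_by_target(xml_text, client_ip):
    """For logons (4624) coming from client_ip, count auth packages per target."""
    result = defaultdict(Counter)
    for ev in ET.fromstring(xml_text).iterfind("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4624":
            continue
        data = {d.get("Name"): (d.text or "").strip()
                for d in ev.iterfind("e:EventData/e:Data", NS)}
        if data.get("IpAddress") != client_ip:
            continue
        target = ev.findtext("e:System/e:Computer", default="?", namespaces=NS)
        result[target][data.get("AuthenticationPackageName", "?")] += 1
    return {host: dict(counts) for host, counts in result.items()}

def ntlm_targets(xml_text, client_ip):
    """Targets where the client logged on with NTLM, busiest first."""
    rows = [(host, counts["NTLM"])
            for host, counts in packages_by_target(xml_text, client_ip).items()
            if counts.get("NTLM")]
    return sorted(rows, key=lambda row: -row[1])

if __name__ == "__main__":
    for host, count in ntlm_targets(SAMPLE, "10.0.0.5"):
        print(f"{host}: {count} NTLM logons from the backup server")
```
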

Re: Excessive NTLM requests

Post by JSi »

Sorry for the dumb questions, but... is it possible to create a Kerberos SPN for Veeam services to solve it? And if yes - is it supported?

For clarification:
The account used for Veeam services is domain based, and the Veeam server is also in the domain. I don't use application consistent backup (IMHO there is no need to authenticate on objects outside of Active Directory).

Re: Excessive NTLM requests

Post by emachabert » 1 person likes this post

In my understanding,
SPNs are useful for targeted services. They are used when requesting the service ticket to get access to the service. Veeam services are "clients/users", they are the ones requesting service tickets to get access to remote services using the remote services' SPNs.
Veeamizing your IT since 2009/ Veeam Vanguard 2015 - 2023

Re: Excessive NTLM requests

Post by JSi »

Thanks for the explanation, it seems that I misunderstood SPNs.

Re: Excessive NTLM requests

Post by emachabert »

Gostev wrote: I hope not, since ability to "reuse tickets" would mean that Kerberos has been hacked ;)
Well... I think it is becoming a concern.
I don't know if you know the French tool mimikatz, but it is just awesome. When doing penetration testing you can just blow any Active Directory domain. The best one is the Golden Ticket, granting full access to a nonexistent user :-)

http://blog.gentilkiwi.com/presentations
Veeamizing your IT since 2009/ Veeam Vanguard 2015 - 2023