-
- Influencer
- Posts: 17
- Liked: 2 times
- Joined: Oct 23, 2013 9:02 am
- Full Name: Jan Simko
- Contact:
Excessive NTLM requests
Hello everyone,
my firewall dep. colleagues remind me about excessive use of authentication requests coming from my veeam server. It`s about 17 000 requests per day.
I have small environment - 1 Veeam server with collocated roles (Veeam B&R +Enterprise Manager, One), 4 node hyper-v cluster and 1 esxi server, about 20 jobs.
That count seems to me too high ...is it normal? Or I made a configuration mistake somewhere?
Is there a way how to use ?kerberos? and reuse tickets?
Thanx for any advice
my firewall dep. colleagues remind me about excessive use of authentication requests coming from my veeam server. It`s about 17 000 requests per day.
I have small environment - 1 Veeam server with collocated roles (Veeam B&R +Enterprise Manager, One), 4 node hyper-v cluster and 1 esxi server, about 20 jobs.
That count seems to me too high ...is it normal? Or I made a configuration mistake somewhere?
Is there a way how to use ?kerberos? and reuse tickets?
Thanx for any advice
-
- Chief Product Officer
- Posts: 31803
- Liked: 7298 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: Excessive NTLM requests
I hope not, since ability to "reuse tickets" would mean that Kerberos has been hackedJSi wrote:Is there a way how to use ?kerberos? and reuse tickets?
-
- Influencer
- Posts: 17
- Liked: 2 times
- Joined: Oct 23, 2013 9:02 am
- Full Name: Jan Simko
- Contact:
Re: Excessive NTLM requests
Thanx for reply Anton.
I wrote it wrong ... I thought it in that way, why it could not use kerberos ticket to reauthenticate when its needed ?
I wrote it wrong ... I thought it in that way, why it could not use kerberos ticket to reauthenticate when its needed ?
-
- Veeam Vanguard
- Posts: 395
- Liked: 169 times
- Joined: Nov 17, 2010 11:42 am
- Full Name: Eric Machabert
- Location: France
- Contact:
Re: Excessive NTLM requests
NTLM ? really ?
I would have thought that Veeam services would use the underlying kerberos authentication scheme (service tickets instead of NTLM).
I would have thought that Veeam services would use the underlying kerberos authentication scheme (service tickets instead of NTLM).
Veeamizing your IT since 2009/ Veeam Vanguard 2015 - 2023
-
- Chief Product Officer
- Posts: 31803
- Liked: 7298 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: Excessive NTLM requests
@Eric we do use Kerberos (although technically speaking, this happens on much lower level than our application - in core Windows authentication algorightms, and is transparent to us). However, obviously this is applicable to domain environments only... for any component that is located outside of Active Directory, NTLM is the only option.
@Jan service tickets are being re-used of course, but again - all of that happens on a much lower level than our product.
@Jan service tickets are being re-used of course, but again - all of that happens on a much lower level than our product.
-
- Influencer
- Posts: 17
- Liked: 2 times
- Joined: Oct 23, 2013 9:02 am
- Full Name: Jan Simko
- Contact:
Re: Excessive NTLM requests
Sorry for dumb questions but ... is it possible to create kerberos SPN for Veeam services to solve it? And if yes - is it supported?
For clarification:
Account used for Veeam services is domain based, Veeam server is also in domain. I don`t use application consistent backup (IMHO there is no need to authenticate on objects outside of active directory).
For clarification:
Account used for Veeam services is domain based, Veeam server is also in domain. I don`t use application consistent backup (IMHO there is no need to authenticate on objects outside of active directory).
-
- Veeam Vanguard
- Posts: 395
- Liked: 169 times
- Joined: Nov 17, 2010 11:42 am
- Full Name: Eric Machabert
- Location: France
- Contact:
Re: Excessive NTLM requests
In my understanding,
SPN are useful for targeted services. They are used when requesting the service ticket to get access to the service. Veeam services are "clients/users", they are the ones requesting service tickets to get access to remote services using remote services' SPN.
SPN are useful for targeted services. They are used when requesting the service ticket to get access to the service. Veeam services are "clients/users", they are the ones requesting service tickets to get access to remote services using remote services' SPN.
Veeamizing your IT since 2009/ Veeam Vanguard 2015 - 2023
-
- Influencer
- Posts: 17
- Liked: 2 times
- Joined: Oct 23, 2013 9:02 am
- Full Name: Jan Simko
- Contact:
Re: Excessive NTLM requests
Thanx for explanation, it seems that I misunderstood SPN.
-
- Veeam Vanguard
- Posts: 395
- Liked: 169 times
- Joined: Nov 17, 2010 11:42 am
- Full Name: Eric Machabert
- Location: France
- Contact:
Re: Excessive NTLM requests
well...I think it is becoming a concern.Gostev wrote: I hope not, since ability to "reuse tickets" would mean that Kerberos has been hacked
I don't know if you know the french tool mimikatz, but it is just awesome. When doing penetration testing you can just blow any ActiveDirectory domain. The best one is the GoldenTicket, granting full access to an unexisting user
http://blog.gentilkiwi.com/presentations
Veeamizing your IT since 2009/ Veeam Vanguard 2015 - 2023
Who is online
Users browsing this forum: Johnny L and 126 guests