Hi,
We have Veeam Backup & Replication Enterprise Plus 9.0 in our environment and we are also planning to deploy Veeam Endpoint Backup to our Windows users.
Upon setting up a backup repository for Endpoint backups, we came across a "bug" or a feature that's misbehaving.
When assigning permissions to a backup repository to a single user (let's say Test User) via Active Directory, Veeam Backup & Replication formats the username to DOMAIN\test.user - although the actual account name is test.user@domain.com and the pre-Windows 2000 account name is DOMAIN\tuser. Obviously this leads to an error message of "Account does not exist".
Although this may not be a real issue in Backup & Replication, as user permissions will be assigned through Security Groups, this is an issue with Endpoint Backup. When connecting Endpoint Backup to a Veeam Backup & Replication environment, you can choose not to specify your personal credentials. I believe in this case the client fetches the Windows credentials (ideal situation), but fails to connect to the server with said credentials. I believe this is the same issue as with the server, as when I enter the credentials manually (in the format of DOMAIN\tuser, which are also the Windows login credentials) the connection is established successfully.
BR,
-IcyAero
- Novice
- Posts: 3
- Liked: never
- Joined: Dec 02, 2016 9:44 am
- Full Name: Eero Mäensivu

- Veeam Software
- Posts: 21139
- Liked: 2141 times
- Joined: Jul 11, 2011 10:22 am
- Full Name: Alexander Fogelson
Re: Bug with fetching permissions from Active Directory
IcyAero wrote: When assigning permissions to a backup repository to a single user (let's say Test User) via Active Directory, Veeam Backup & Replication formats the username to DOMAIN\test.user - although the actual account name is test.user@domain.com and the pre-Windows 2000 account name is DOMAIN\tuser. Obviously this leads to an error message of "Account does not exist".
Hi Eero, Veeam B&R requires the account name in DOMAIN\USER format; it is mentioned in the wizard when you're adding a Windows server to the Veeam B&R console.
IcyAero wrote: I believe in this case the client fetches the Windows credentials (ideal situation), but fails to connect to the server with said credentials.
In this case it connects to Veeam B&R using the computer account of the server where Veeam Endpoint is installed, so user credentials do not play any role here. If you give the group containing all accounts of Endpoint computers permissions to the repository, you will be able to connect without specifying credentials.
- Full Name: Eero Mäensivu
Re: Bug with fetching permissions from Active Directory
Hi, thank you for your quick reply.
foggy wrote: Hi Eero, Veeam B&R requires account name in DOMAIN\USER format, it is mentioned in the wizard when you're adding Windows server to Veeam B&R console.
My understanding is also that VBR requires the format to be DOMAIN\username. This works as intended when adding Security Groups or Computer objects to the list, but not for individual Users. With individual users, VBR formats the name into DOMAIN\firstname.surname instead of DOMAIN\user with mail-enabled user accounts. This does not happen when adding a service-kind user account.
foggy wrote: In this case it connects to Veeam B&R using computer account of the server where Veeam Endpoint is installed, so user credentials do not play any role here. If you give the group containing all accounts of Endpoint computers permissions to repository, you will be able to connect without specifying credentials.
Ah, thank you for this information. As said in the documentation, permissions can be assigned to individual users, computers or security groups. In terms of deployment for a large group of users (including deploying configurations, but that's a subject for another time), it would be easiest to assign a security group containing users a permission to access a repository and allow them to establish a connection automatically with Windows credentials, as most often a computer has a single user, but a single user can have multiple computers. Also, when changing account passwords, users most often forget to change them in other applications unless prompted for it - which at this time Endpoint Backup does not do.
- Full Name: Alexander Fogelson
Re: Bug with fetching permissions from Active Directory
IcyAero wrote: My understanding is also that VBR requires the format to be DOMAIN\username. This works like intended when adding Security Groups or Computer objects to the list but not for individual Users. With individual users, VBR formats the name into DOMAIN\firstname.surname instead of DOMAIN\user with mail enabled user accounts. This does not happen when adding a service-kind user account.
Actually the required format is DOMAIN\<samAccountname>, while some of the accounts can have samAccountname = firstname.surname and others samAccountname = fsurname (or anything else).
IcyAero wrote: Also when changing account passwords, users most often forget to change them to other applications unless prompted for it - which at this time the Endpoint Backup does not do.
Using computer accounts to assign permissions will allow you to prevent such issues.
- Full Name: Eero Mäensivu
Re: Bug with fetching permissions from Active Directory
foggy wrote: Actually the required format is DOMAIN\<samAccountname>, while some of the accounts can have samAccountname = firstname.surname and others samAccountname = fsurname (or anything else).
In this case my SamAccountName is fuser, not firstname.surname.
foggy wrote: Using computer accounts to assign permissions will allow to prevent such issues.
Anyway, if this is how Veeam has intended it to be, then that's how it ought to be done. However, as with all things, there are two sides to a sword.
- Using computer accounts would ease the deployment to users as they do not need to fill in credentials, but it does add up in extra administration with the computer accounts.
- If having to fill in credentials, end-users might miss scheduled backups if they forget to update their passwords (as said, there are no Windows notifications from the client). However, it eases administration when closing a user account -> backups stop automatically as well.
I thank you, foggy, for answering my questions, and I ought to be out of your way soon enough.
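
Added example (not part of the thread, and not Veeam's code): a PowerShell check that resolves a UPN or a guessed DOMAIN\firstname.surname name to the DOMAIN\sAMAccountName form discussed above, and lists the computer accounts in a group for the computer-account approach. It assumes the ActiveDirectory module (RSAT) on a domain-joined host; the function names and the group name `Endpoint-Backup-Computers` are hypothetical.

```powershell
# Added example; requires the ActiveDirectory module (RSAT) on a domain-joined host.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue([string]$Value) {
    # Escape LDAP filter metacharacters (RFC 4515); the backslash must go first.
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
}

function Resolve-RepositoryAccount {
    param([Parameter(Mandatory)][string]$Name)    # UPN, DOMAIN\name or bare name

    $bare   = ($Name -split '\\')[-1]             # drop a DOMAIN\ prefix if present
    $local  = ($bare -split '@')[0]               # part before @ (or the whole name)
    $full   = ConvertTo-LdapFilterValue $bare
    $prefix = ConvertTo-LdapFilterValue $local

    # Match on exact UPN, UPN prefix, or sAMAccountName.
    $filter = "(&(objectCategory=person)(objectClass=user)" +
              "(|(userPrincipalName=${full})(userPrincipalName=${prefix}@*)(sAMAccountName=${prefix})))"

    foreach ($u in Get-ADUser -LDAPFilter $filter) {
        [pscustomobject]@{
            Supplied          = $Name
            UserPrincipalName = $u.UserPrincipalName
            # SID -> NTAccount yields DOMAIN\sAMAccountName (the pre-Windows 2000 name).
            RepositoryAccount = $u.SID.Translate([System.Security.Principal.NTAccount]).Value
            # False when the supplied name is only the UPN prefix, as in the thread.
            NameMatchesSam    = $local -eq $u.SamAccountName
        }
    }
}

function Get-EndpointComputerAccounts {
    param([Parameter(Mandatory)][string]$Group)
    # Computer accounts (DOMAIN\HOST$) that would get repository access via the group.
    Get-ADGroupMember -Identity $Group -Recursive |
        Where-Object objectClass -eq 'computer' |
        ForEach-Object { $_.SID.Translate([System.Security.Principal.NTAccount]).Value }
}

Resolve-RepositoryAccount -Name 'test.user@domain.com'            # sample name from the thread
Get-EndpointComputerAccounts -Group 'Endpoint-Backup-Computers'   # hypothetical group name
```

Reviewing the group membership before granting it repository access shows exactly which machines can connect without user credentials.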