Comprehensive data protection for all workloads
Post Reply
tjestr
Enthusiast
Posts: 44
Liked: never
Joined: Mar 05, 2009 9:33 am
Full Name: Falko Dohse
Location: Hamburg
Contact:

Windows authentication for Enterprise Manager

Post by tjestr »

Is it possible to use Windows passthrough authentication for the Enterprise Manager to eliminate the need to enter credentials?
Gostev
Chief Product Officer
Posts: 31816
Liked: 7302 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Windows authentication for Enterprise Manager

Post by Gostev »

Falko, impersonation (which is what you are talking about) only works within the same server, however we are also using the entered credentials to determine whether the user is allowed to manage the jobs on specific server, but impersonation does not work remotely. Such check is performed each time when you try to Start/Stop/Retry the job in the web UI.

It is still possible to make the latter work, by only by leveraging "delegation", but this would require some changes to default IIS security settings, as well as updating some security-sensitive attributes on computer accounts in AD (TrustedForDelegation). This is not kind of changes we can do silently in setup, and instead we would have to require all users to do this. Which would in turn complicate the setup, and much fewer people would be able to make everything work and see the web UI. While our main task have been making everything as simple as possible.

Based on all of thesу factors, we have decided to go with the current implementation. We can still implement support for delegation down the road, and provide some guide you could use to enable the required settings manually, if your security guys will be OK about this of course (if you even have those) :mrgreen:
MortenDall
Lurker
Posts: 1
Liked: never
Joined: Jan 13, 2015 12:04 pm
Full Name: Morten Dall
Contact:

Re: Windows authentication for Enterprise Manager

Post by MortenDall »

I am in a situtation where I need to change the Enterprise Manager IIS Authentication method, to do AD lookup without being on the domain (Digest Authentication eg.)
Does anyone have guidance, please?
foggy
Veeam Software
Posts: 21139
Liked: 2141 times
Joined: Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson
Contact:

Re: Windows authentication for Enterprise Manager

Post by foggy »

For Windows authentication to work, Enterprise Manager should reside in the same domain with the account (or at least in the trusted domain).
Post Reply

Who is online

Users browsing this forum: No registered users and 43 guests