Clayman
Novice
Posts: 4
Liked: never
Joined: Aug 29, 2017 8:06 am
Full Name: Clayman

Application Aware Backup of Windows with Smart Card Logon

Post by Clayman »

Hi all,

we have forced smart card logon on all servers; Veeam application-aware processing now fails to truncate SQL logs because it has no smart card to log on to the server.
As a workaround we disable smart card logon during the backup window on these servers (with Windows tasks), which is not a good solution.
The second (more secure) solution I was thinking of would be to truncate the logs on the server with some extra SQL/Windows tasks.

How do you guys handle such a situation?

The Error Message:
Failed to truncate Microsoft SQL Server transaction logs. Details: Error code: 0x80004005
Failed to invoke func [TruncateSqlLogs]: Unspecified error. Failed to process 'TruncateSQLLog' command.
Failed to logon user [<veeam account>]
Win32 error:Smartcard logon is required and was not used.
Code: -2146892994
Error code: 0x80004005
Failed to invoke func [TruncateSqlLogs]: Unspecified error. Failed to process 'TruncateSQLLog' command.

Failed to logon user [<veeam account>]

Win32 error:Smartcard logon is required
cheers

clay
Gostev
Chief Product Officer
Posts: 31460
Liked: 6648 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland

Re: Application Aware Backup of Windows with Smart Card Logo

Post by Gostev »

Hello, please keep in mind that smart cards are designed to secure interactive logons performed by end users - you should not apply this to service accounts, such as the one Veeam uses. Thanks!
Clayman
Novice
Posts: 4
Liked: never
Joined: Aug 29, 2017 8:06 am
Full Name: Clayman

Re: Application Aware Backup of Windows with Smart Card Logo

Post by Clayman »

Hi,

that's correct, but the smart card logon is forced by group policy on the servers, and the setting is a computer setting, not a user setting (Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Require smart card), so we can't exclude a user.
How do you accomplish this?

Thanks

clay
foggy
Veeam Software
Posts: 21069
Liked: 2115 times
Joined: Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson

Re: Application Aware Backup of Windows with Smart Card Logo

Post by foggy »

You can ask your administrators to add exceptions to this group policy, if possible, to allow service accounts to log on using user name and password.
nmdange
Veteran
Posts: 527
Liked: 142 times
Joined: Aug 20, 2015 9:30 pm

Re: Application Aware Backup of Windows with Smart Card Logo

Post by nmdange »

Sounds like the issue is that Veeam is attempting to do an interactive logon and not a network or batch logon.

https://msdn.microsoft.com/en-us/librar ... s.85).aspx
Clayman
Novice
Posts: 4
Liked: never
Joined: Aug 29, 2017 8:06 am
Full Name: Clayman

Re: Application Aware Backup of Windows with Smart Card Logo

Post by Clayman »

foggy wrote: You can ask your administrators to add exceptions to this group policy, if possible, to allow service accounts to log on using user name and password.
That's not possible because it's a computer setting; you can only set it on a per-computer basis, not on a per-user basis.
Clayman
Novice
Posts: 4
Liked: never
Joined: Aug 29, 2017 8:06 am
Full Name: Clayman

Re: Application Aware Backup of Windows with Smart Card Logo

Post by Clayman »

nmdange wrote: Sounds like the issue is Veeam is attempting to do an interactive logon and not a network or batch logon.

https://msdn.microsoft.com/en-us/librar ... s.85).aspx
Hmm, the link is not working or is broken; can you check the link?

Edit:

Yes, Veeam tries to log on interactively to truncate the SQL log.
Here is a snip from the Windows security log:

Code:

An account failed to log on.

Subject:
Security ID: S-1-5-18
Account Name: <Hostname>$
Account Domain: <domain>
Logon ID: 0x3E7

Logon Type: 2

Account For Which Logon Failed:
Security ID: S-1-0-0
Account Name: <veeam account>
Account Domain: <domain>

Failure Information:
Failure Reason: Smartcard logon is required and was not used.
Status: 0xC000006E
Sub Status: 0xC00002FA

Process Information:
Caller Process ID: 0x1718
Caller Process Name: C:\Windows\VeeamVssSupport\VeeamGuestHelper.exe

Network Information:
Workstation Name: <Hostname>
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 
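The 4625 event quoted above is the artifact worth keeping for triage: the logon type, the NTSTATUS/sub-status pair and the calling process together say exactly which policy refused the logon. What follows is an added example, not code from this thread or from Veeam: a small Python parser for the message body of event 4625 that pulls those fields out and flags the combination seen here (logon type 2 together with sub-status 0xC00002FA, STATUS_SMARTCARD_LOGON_REQUIRED). The two sample events are constructed; the first mirrors the posted event with the same placeholders, the second is a wrong-password network logon to show the general path. Logon-type numbers and NTSTATUS names are the documented Windows values; everything else (function names, verdict strings) is this example's own.

```python
import re
from dataclasses import dataclass

# Logon type values as reported in Security event 4625 (the same numbers the Win32
# LogonUser API takes). Type 2 is the one "Interactive logon: Require smart card" governs.
LOGON_TYPES = {
    2: "Interactive (LOGON32_LOGON_INTERACTIVE)",
    3: "Network (LOGON32_LOGON_NETWORK)",
    4: "Batch (LOGON32_LOGON_BATCH)",
    5: "Service (LOGON32_LOGON_SERVICE)",
    7: "Unlock (LOGON32_LOGON_UNLOCK)",
    8: "NetworkCleartext (LOGON32_LOGON_NETWORK_CLEARTEXT)",
    9: "NewCredentials (LOGON32_LOGON_NEW_CREDENTIALS)",
    10: "RemoteInteractive",
    11: "CachedInteractive",
}

# NTSTATUS values relevant to this failure mode.
STATUS_ACCOUNT_RESTRICTION = 0xC000006E
STATUS_SMARTCARD_LOGON_REQUIRED = 0xC00002FA
STATUS_LOGON_FAILURE = 0xC000006D
STATUS_WRONG_PASSWORD = 0xC000006A
NTSTATUS_NAMES = {
    STATUS_ACCOUNT_RESTRICTION: "STATUS_ACCOUNT_RESTRICTION",
    STATUS_SMARTCARD_LOGON_REQUIRED: "STATUS_SMARTCARD_LOGON_REQUIRED",
    STATUS_LOGON_FAILURE: "STATUS_LOGON_FAILURE",
    STATUS_WRONG_PASSWORD: "STATUS_WRONG_PASSWORD",
}

# "Field Name: value" lines; the explanatory prose Windows appends has no colon and is skipped.
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z ()]*?):\s*(.*)$")


def parse_4625(text):
    """Split the body of event 4625 into {section: {field: value}}.
    A line whose value is empty ("Subject:") opens a new section."""
    sections = {"Header": {}}
    current = "Header"
    for raw in text.splitlines():
        m = FIELD_RE.match(raw.strip())
        if not m:
            continue
        field, value = m.group(1), m.group(2)
        if value == "":
            current = field
            sections.setdefault(current, {})
        else:
            sections.setdefault(current, {})[field] = value
    return sections


def _find(sections, field, section=None):
    """Look a field up in the named section first (fields like 'Account Name' repeat), then anywhere."""
    if section is not None and field in sections.get(section, {}):
        return sections[section][field]
    for values in sections.values():
        if field in values:
            return values[field]
    raise KeyError(field)


@dataclass
class LogonFailure:
    logon_type: int
    account: str
    status: int
    sub_status: int
    caller_process: str


def extract_failure(sections):
    return LogonFailure(
        logon_type=int(_find(sections, "Logon Type")),
        account=_find(sections, "Account Name", "Account For Which Logon Failed"),
        status=int(_find(sections, "Status", "Failure Information"), 16),
        sub_status=int(_find(sections, "Sub Status", "Failure Information"), 16),
        caller_process=_find(sections, "Caller Process Name", "Process Information"),
    )


def classify(f):
    """Return (verdict, explanation). The thread's case is a type-2 logon refused with
    STATUS_SMARTCARD_LOGON_REQUIRED; a batch (4) or service (5) logon is not subject to that policy."""
    ltype = LOGON_TYPES.get(f.logon_type, f"type {f.logon_type}")
    if f.sub_status == STATUS_SMARTCARD_LOGON_REQUIRED:
        if f.logon_type == 2:
            return ("smartcard_policy_interactive",
                    f"{f.caller_process} requested an interactive logon for {f.account}; "
                    "refused by 'Interactive logon: Require smart card'")
        return ("smartcard_policy_other", f"smart card required on a {ltype} logon for {f.account}")
    status = NTSTATUS_NAMES.get(f.status, hex(f.status))
    sub = NTSTATUS_NAMES.get(f.sub_status, hex(f.sub_status))
    return ("other", f"{status} / {sub} on a {ltype} logon for {f.account}")


def triage(text):
    return classify(extract_failure(parse_4625(text)))


# Constructed sample: the thread's event with its placeholders kept.
SAMPLE_VEEAM = r"""An account failed to log on.

Subject:
Security ID: S-1-5-18
Account Name: <Hostname>$
Account Domain: <domain>
Logon ID: 0x3E7

Logon Type: 2

Account For Which Logon Failed:
Security ID: S-1-0-0
Account Name: <veeam account>
Account Domain: <domain>

Failure Information:
Failure Reason: Smartcard logon is required and was not used.
Status: 0xC000006E
Sub Status: 0xC00002FA

Process Information:
Caller Process ID: 0x1718
Caller Process Name: C:\Windows\VeeamVssSupport\VeeamGuestHelper.exe

This event is generated when a logon request fails. It is generated on the computer where access was attempted.
"""

# Constructed sample: an ordinary wrong-password network logon, for contrast.
SAMPLE_NETWORK = """An account failed to log on.

Logon Type: 3

Account For Which Logon Failed:
Security ID: S-1-0-0
Account Name: svc-example
Account Domain: <domain>

Failure Information:
Status: 0xC000006D
Sub Status: 0xC000006A

Process Information:
Caller Process ID: 0x0
Caller Process Name: -
"""

if __name__ == "__main__":
    for sample in (SAMPLE_VEEAM, SAMPLE_NETWORK):
        print(*triage(sample), sep=": ")
```

Fed the quoted event, `triage` returns the `smartcard_policy_interactive` verdict, which is the condition the later replies describe: the calling process asked for logon type 2, so the computer-level smart card policy applies regardless of which account was supplied.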
nmdange
Veteran
Posts: 527
Liked: 142 times
Joined: Aug 20, 2015 9:30 pm

Re: Application Aware Backup of Windows with Smart Card Logo

Post by nmdange »

Sorry, correct link: https://msdn.microsoft.com/en-us/librar ... s.85).aspx

Yes, you are correct: Veeam is doing an interactive login, given that the login type is "2". Veeam needs to change the value passed to the Win32 logon API to a different value.
FECV
Enthusiast
Posts: 37
Liked: 7 times
Joined: Mar 24, 2016 2:23 pm
Full Name: Frederick Cooper V

Re: Application Aware Backup of Windows with Smart Card Logo

Post by FECV »

So just an FYI: smart card required settings can be set at the user or computer level or both. I have seen federal agencies justify and use both options. I like implementing at the computer level as I feel it is more secure, but then you run into issues like this. I think this should be a feature request to change the application-aware processing settings for Windows systems to work with "log on as a batch job". If this is not possible, I would like to hear the technical reason why it will not work. I have not tested this, but you may be able to use the Windows agent as a workaround to back up the system and still get Veeam to do the truncation. Anyway, plus one here for getting this changed!
FECV
Enthusiast
Posts: 37
Liked: 7 times
Joined: Mar 24, 2016 2:23 pm
Full Name: Frederick Cooper V

Re: Application Aware Backup of Windows with Smart Card Logon

Post by FECV »

Well, just ran into this again using the Agent. So it looks like 3-4 years later nothing has changed in the interactive login requirement. Has anyone found any workarounds?
Vitaliy S.
VP, Product Management
Posts: 27055
Liked: 2710 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov

Re: Application Aware Backup of Windows with Smart Card Logon

Post by Vitaliy S. »

Hi Frederick, not sure if a workaround exists at the moment.
Gostev
Chief Product Officer
Posts: 31460
Liked: 6648 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland

Re: Application Aware Backup of Windows with Smart Card Logon

Post by Gostev »

I wonder if using a V11 persistent guest agent can help?
FECV
Enthusiast
Posts: 37
Liked: 7 times
Joined: Mar 24, 2016 2:23 pm
Full Name: Frederick Cooper V

Re: Application Aware Backup of Windows with Smart Card Logon

Post by FECV »

On this last SQL server I tested, we are using the Veeam Windows Agent running as Local System to do backups. There were security issues connecting my VBR server to this vCenter deployment, among other concerns, so we decided to go with the Windows Agent on this. Regular crash-consistent backups work fine, but trying to add application-aware SQL integration is where I see the error that it can't log in because of the smart card requirement. This is obviously because I am entering a SQL account in Veeam that is part of my Active Directory, and Veeam is trying to use this as an interactive login, which is getting blocked. In my opinion this is not an interactive login at all. One thing I am trying to do is to use a local SQL account for the SQL logs. This requires that I have another account that is password protected and not centrally managed, and requires me to run SQL in mixed authentication mode. Not what I want, but it may allow things to work without going against any of my mandated security policies.
FECV
Enthusiast
Posts: 37
Liked: 7 times
Joined: Mar 24, 2016 2:23 pm
Full Name: Frederick Cooper V

Re: Application Aware Backup of Windows with Smart Card Logon

Post by FECV »

OK, apparently Veeam does not support local SQL accounts, or I can't figure out how to enter them. I'll have to search the KBs when I find a few more days in the week.
Gostev
Chief Product Officer
Posts: 31460
Liked: 6648 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland

Re: Application Aware Backup of Windows with Smart Card Logon

Post by Gostev »

I did not mean using Veeam Agent for Windows though, but rather persistent guest agent of Veeam Backup & Replication, which is a V11 feature (see the What's New document for more details).
FECV
Enthusiast
Posts: 37
Liked: 7 times
Joined: Mar 24, 2016 2:23 pm
Full Name: Frederick Cooper V

Re: Application Aware Backup of Windows with Smart Card Logon

Post by FECV »

Yes, but that is only an option for virtual machines. In this case I have to use a Veeam Windows Agent because the ESXi hosts that are licensed for SQL are outside my direct virtual infrastructure, and they don't want me to connect my VBR server to their environment.