Domain credentials will not allow access to backup location

[nate8088]

Hi all,

So I've got a weird situation. I have a Synology NAS that is joined to our domain. As such, I can connect to any folders I have access to without having to enter a username/password as long as I'm logged in to a domain PC.
eg: I can map a drive to \\synology\home without having to enter credentials.

However, setting up Veeam, it gives me "Access is denied. Failed to create or open file." unless I specifically enter my domain username and password.

That would be all fine and dandy, but our domain passwords change on a set schedule, meaning anyone who sets this up will have it break every time they need to change their domain password.
Any way around that?

Thanks!

[vClintWyckoff]

This is expected behavior that you are experiencing. If you don't specify credentials VAW will attempt to use the NT AUTHORITY\SYSTEM account of the computer where the product is installed. In this scenario, all you need to do is grant the computer account objects in Active Directory full control of the directory you're trying to backup to.

This is documented in the user guide: https://helpcenter.veeam.com/docs/agent ... tml?ver=20

[JChris]

Is there a way to use SYSTEM user for backup while not in a AD DS environment? I use VAW at home with my SOHO NAS and I don't like the idea of using my network user as backup user. I'd rather use SYSTEM.

[vClintWyckoff]

I suppose a workaround would be to create a file share with no permissions or create a separate veeam "service account" on the NAS box?

[Dima P.]

JChris,

Clint is right. These are the authentication options you can use while running backup in a workgroup environment. Honestly, creating a dedicated backup account on you NAS box sounds like a perfect solution (using it myself).

[JChris]

This might be a good workaround. Right now, all users setup on my NAS have read-only access to most of the shares and no-access for some. The only account with R/W is my custom admin account that I only use for web login in order to do admin tasks.

Having a backup account for each user that uses backup, for example, "bob-backup" on the NAS and configured inside VAW, will prevent ransomwares encrypting the backup files? Won't the ransomware be able to extract the raw credential or the password hash from VAW and use it?

[vClintWyckoff]

Up until this point Ransomware just starts encrypting everything it can, including network shares (Locky for instance). However, the Ransomware would likely (anything is possible I suppose though) be using your local user credentials, not the NAS service accounts which are used for backup. So as you explained having a service account for each computer would be the best scenario and having this be the only accounts with full r/w access. Also, consider only having the NAS online during the backup window - disconnected is the ultimate Ransomware protection. This comes with caveats as your backups would obviously fail of the NAS is offline during the backup.

[JChris]

Well, I have some local services running on my NAS, so turning it off is not possible.