sandsturm
Veteran
Posts: 278
Liked: 23 times
Joined: Mar 23, 2015 8:30 am
Contact:

Single Sign On for the Enterprise Manager

Post by sandsturm »

Hi
Is there a way to allow Single Sign On for the Enterprise Manager? Our users do not know their AD password, because we log in with smartcard and PIN to our workstations and all our web applications use some sort of Single Sign On, usually SAML 2.0 or Kerberos. We do not want all operators accessing the Veeam backup console, thus they will have the Enterprise Manager web interface, but currently they are not able to log on, because they don't know their AD password. How can I enable Single Sign On for the Enterprise portal? I tried to make the necessary changes on the IIS, where the Enterprise Manager runs, to allow Kerberos authentication, but was unsuccessful; the login page appears anyway.

thx,
sandsturm
nitramd
Veteran
Posts: 297
Liked: 85 times
Joined: Feb 16, 2017 8:05 pm
Contact:

Re: Single Sign On for the Enterprise Manager

Post by nitramd »

Have you looked at this KB doc? https://www.veeam.com/kb2089
nmdange
Veteran
Posts: 527
Liked: 142 times
Joined: Aug 20, 2015 9:30 pm
Contact:

Re: Single Sign On for the Enterprise Manager

Post by nmdange »

It should just be a matter of the site being in the Intranet Zone in Internet Explorer, and IE should pass your current Windows credentials to IIS.
sandsturm
Veteran
Posts: 278
Liked: 23 times
Joined: Mar 23, 2015 8:30 am
Contact:

Re: Single Sign On for the Enterprise Manager

Post by sandsturm »

I don't understand the steps in https://www.veeam.com/kb2089. I don't want a form-based authentication, I want to pass through Windows credentials to the website with Kerberos (NTLM is not allowed in our company). If I set WindowsAuth=false, as described in this KB, an SSO login will not be possible any more, or am I wrong?

The site is in the intranet zone within IE settings, but we usually use the Chrome browser, is there a similar setting there?
Gostev
Chief Product Officer
Posts: 31457
Liked: 6648 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Single Sign On for the Enterprise Manager

Post by Gostev »

Hello, SAML 2.0 support for the Enterprise Manager is planned for the next product release. Please stay in touch with your Veeam technical sales rep if you want to participate in beta, to ensure that our implementation will fit your needs. Thanks!
sandsturm
Veteran
Posts: 278
Liked: 23 times
Joined: Mar 23, 2015 8:30 am
Contact:

Re: Single Sign On for the Enterprise Manager

Post by sandsturm »

Hi
Thanks for the answer. Besides the upcoming SAML 2.0 support, is there a way to do it via standard Windows SSO (Kerberos)? The Enterprise Manager runs on a MS IIS and the Kerberos implementation in this case would be the easiest, if the application supports it?

thx,
sandsturm
HannesK
Product Manager
Posts: 14287
Liked: 2877 times
Joined: Sep 01, 2014 11:46 am
Full Name: Hannes Kasparick
Location: Austria
Contact:

Re: Single Sign On for the Enterprise Manager

Post by HannesK »

Hello,
I tried it out at a customer environment that should be similar to yours (only smartcards + pin. no passwords for users).

Officially we only support NTLM today but I hoped it would work to just change the authentication mechanisms in IIS. Which settings did you configure? I only saw several hints that one should take care about the SPN.

Best regards,
Hannes
sandsturm
Veteran
Posts: 278
Liked: 23 times
Joined: Mar 23, 2015 8:30 am
Contact:

Re: Single Sign On for the Enterprise Manager

Post by sandsturm »

The IIS settings are as follows in our case:
- disable all authentication types, except Windows authentication for the website (or the webserver)
- set authentication providers to "Negotiate:Kerberos" and remove the other ones
- uncheck the box for "Enable kernel mode authentication" in Authentication/Advanced settings
- enable Windows authentication, if not already done for the website (or the webserver)
- modify SSL settings of the website and check the box "Require SSL"
- remove port 9080 from Port bindings of the website
- change port 80 for DefaultWebsite to local access only
- run the IIS application pool with an Active Directory service account
- create an SPN for the above service account for the URL you want to use to access the Enterprise Manager: setspn -s HTTP/EM_URL_FQDN domain\serviceaccount
- set useAppPoolCredentials = True in configuration editor of veeam website in path: system.webServer/security/authentication/windowsAuthentication

With these settings, a Kerberos authentication is possible if the application supports it :-)
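
The authentication and SSL items of the checklist above, turned into an offline check (an added example, not part of the original post and not Veeam's code): it reads a copy of IIS's applicationHost.config and reports every setting that differs. Both configuration fragments are constructed, and the site name VeeamBackup is assumed from a later post in this thread.

```python
import xml.etree.ElementTree as ET

# Constructed applicationHost.config fragment, not taken from a real server.
# ASSUMPTION: the site is named "VeeamBackup", as mentioned later in this thread.
TEMPLATE = """<configuration><location path="VeeamBackup">
 <system.webServer><security>
  <access sslFlags="{ssl}" />
  <authentication>
   <anonymousAuthentication enabled="{anon}" />
   <windowsAuthentication enabled="true" useKernelMode="{kernel}"
                          useAppPoolCredentials="{pool}">
    <providers>{providers}</providers>
   </windowsAuthentication>
  </authentication>
 </security></system.webServer></location></configuration>"""
CHECKLIST_CFG = TEMPLATE.format(ssl="Ssl", anon="false", kernel="false", pool="true",
                                providers='<add value="Negotiate:Kerberos" />')
DRIFTED_CFG = TEMPLATE.format(ssl="None", anon="true", kernel="true", pool="false",
                              providers='<add value="Negotiate" /><add value="NTLM" />')

def audit(config_xml, site="VeeamBackup"):
    """Return checklist deviations; attributes unset at site level show as None."""
    root = ET.fromstring(config_xml)
    loc = next((l for l in root.iter("location") if l.get("path") == site), None)
    if loc is None:
        return [f"no <location> section for site {site}"]
    findings = []
    auth = loc.find(".//authentication")
    win = loc.find(".//windowsAuthentication")
    # Every authentication type except Windows authentication must be off.
    for node in (auth if auth is not None else []):
        if node.tag != "windowsAuthentication" and (node.get("enabled") or "").lower() == "true":
            findings.append(f"{node.tag} is enabled")
    wanted = {"enabled": "true", "useKernelMode": "false", "useAppPoolCredentials": "true"}
    for name, want in wanted.items():
        got = win.get(name) if win is not None else None
        if (got or "").lower() != want:
            findings.append(f"windowsAuthentication {name}={got}, expected {want}")
    providers = [p.get("value") for p in loc.findall(".//providers/add")]
    if providers != ["Negotiate:Kerberos"]:
        findings.append(f"providers {providers}, expected only Negotiate:Kerberos")
    access = loc.find(".//access")
    flags = (access.get("sslFlags", "") if access is not None else "").split(",")
    if "Ssl" not in [f.strip() for f in flags]:
        findings.append("Require SSL is not set")
    return findings

if __name__ == "__main__":
    print(audit(CHECKLIST_CFG), audit(DRIFTED_CFG), sep="\n")
```

The service account, SPN and port-binding items of the checklist live outside this configuration section and are not covered by the check.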
HannesK
Product Manager
Posts: 14287
Liked: 2877 times
Joined: Sep 01, 2014 11:46 am
Full Name: Hannes Kasparick
Location: Austria
Contact:

Re: Single Sign On for the Enterprise Manager

Post by HannesK »

Hello,
I got a YubiKey from the customer for testing and it worked in my lab "in most cases", but not 100%

- Anonymous Authentication: Enabled (no idea why, but it was required)
- ASP.net impersonation: disabled
- Forms Authentication: disabled
- Windows Authentication: enabled (worked with following options: "Negotiate:Kerberos" only, "Negotiate + NTLM", "Negotiate" only)
- no additional SPN settings, IIS runs with default settings

The problem I faced was that it does not work 100%. Sometimes after reboot it just fails. Then I restarted the "VeeamBackup" website and it worked again. I tested Windows 10 with IE (latest patch level) where I always cleared the browser cache. The FQDN was a "trusted site".

Not sure whether that helps.

Best regards,
Hannes
sandsturm
Veteran
Posts: 278
Liked: 23 times
Joined: Mar 23, 2015 8:30 am
Contact:

Re: Single Sign On for the Enterprise Manager

Post by sandsturm »

Hi Hannes

thanks for the reply.
as long as you have anonymous authentication enabled, you have no authentication in fact, so this will work of course but users are then not authenticated....

thx
sandsturm
HannesK
Product Manager
Posts: 14287
Liked: 2877 times
Joined: Sep 01, 2014 11:46 am
Full Name: Hannes Kasparick
Location: Austria
Contact:

Re: Single Sign On for the Enterprise Manager

Post by HannesK »

I thought the same, but I must have been authenticated somehow as I could only see the VMs I have permissions to. With "no authentication" (from PC that is not in the domain) I just get the login screen username / password.

But maybe I'm totally wrong :-)
sandsturm
Veteran
Posts: 278
Liked: 23 times
Joined: Mar 23, 2015 8:30 am
Contact:

Re: Single Sign On for the Enterprise Manager

Post by sandsturm »

Yes, you see only your VM's because of the authorization from Veeam itself... but the authentication is not solved, or am I wrong?
maybe someone can bring some bright into this darkness :-)
HannesK
Product Manager
Posts: 14287
Liked: 2877 times
Joined: Sep 01, 2014 11:46 am
Full Name: Hannes Kasparick
Location: Austria
Contact:

Re: Single Sign On for the Enterprise Manager

Post by HannesK »

> Yes, you see only your VM's because of the authorization from Veeam itself.

If it was stable I would say "the result is important no matter who does the job" :-)

> but the authentication is not solved, or am I wrong?

As mentioned earlier, SAML support is planned for the next version - in the meantime I see no way for Kerberos SSO.
sandsturm
Veteran
Posts: 278
Liked: 23 times
Joined: Mar 23, 2015 8:30 am
Contact:

Re: Single Sign On for the Enterprise Manager

Post by sandsturm »

okay, thank you for your answer
Xeraxx
Lurker
Posts: 1
Liked: never
Joined: Aug 21, 2019 11:25 am
Contact:

Re: Single Sign On for the Enterprise Manager

Post by Xeraxx »

Which version of Enterprise Manager is SAML support planned for?
Gostev
Chief Product Officer
Posts: 31457
Liked: 6648 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Single Sign On for the Enterprise Manager

Post by Gostev »

v10
chris2737mcdo
Service Provider
Posts: 14
Liked: never
Joined: Jul 23, 2019 9:16 am
Full Name: Chris McDonnell
Location: London, UK
Contact:

Re: Single Sign On for the Enterprise Manager

Post by chris2737mcdo »

Did this make v10?
HannesK
Product Manager
Posts: 14287
Liked: 2877 times
Joined: Sep 01, 2014 11:46 am
Full Name: Hannes Kasparick
Location: Austria
Contact:

Re: Single Sign On for the Enterprise Manager

Post by HannesK »

yep
chris2737mcdo
Service Provider
Posts: 14
Liked: never
Joined: Jul 23, 2019 9:16 am
Full Name: Chris McDonnell
Location: London, UK
Contact:

Re: Single Sign On for the Enterprise Manager

Post by chris2737mcdo »

Cool. Thanks
sandsturm
Veteran
Posts: 278
Liked: 23 times
Joined: Mar 23, 2015 8:30 am
Contact:

Re: Single Sign On for the Enterprise Manager

Post by sandsturm »

I'm just trying to configure SAML for Enterprise Manager with V11 and I need a little bit more detail in the documentation. Page https://helpcenter.veeam.com/docs/backu ... ml?ver=110 has a chapter "Specifying Advanced SAML Authentication settings" and there the steps 5 and 6:
5. From the Authentication context comparison list, select a comparison method for authentication context: Exact, Minimum, Maximum or Better.
6. From the Authentication context class list, select one of the classes to specify an authentication method used by the Identity Provider. For example, for VMware Platform Services Controller, select PasswordProtectedTransport. By default, the Password option is selected.
Not sure if someone can use the explanation of these two points, but for me they are not really helpful. ;-) Concerning step 5 I want to know the difference between the four options. Same for step 6: Maybe some examples could help or a little bit more documentation to this step could be really helpful.

The rest of the SAML documentation is really straightforward and easy to follow; if these two steps also had a little bit more detail, maybe it would help not just me alone :-)

thx
sandsturm
veremin
Product Manager
Posts: 20270
Liked: 2252 times
Joined: Oct 26, 2012 3:28 pm
Full Name: Vladimir Eremin
Contact:

Re: Single Sign On for the Enterprise Manager

Post by veremin »

5) You can find some information here
6) In SAML there are two main concepts:

- A service provider - something that needs the authentication from the identity provider to grant authorization to the user
- An identity provider - something that performs this authentication and confirms its status to service provider

In our example, Enterprise Manager serves the role of service provider, as it passes authentication requests to a side service (identity provider). Depending on service implementation, the identity provider might use different authentication methods, and here you need to specify the one that is relevant to your identity provider.

Thanks!
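
What the four comparison options from step 5 mean for the class selected in step 6, as an added example (not part of the original posts and not Veeam's code): it builds the RequestedAuthnContext element a service provider sends with one requested class and lists which authentication classes would satisfy it. The strength ranking is an assumption, since SAML leaves the ordering of classes to each identity provider.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"

# ASSUMPTION: SAML itself defines no strength ordering between classes; each
# identity provider decides its own. This ranking is constructed for the example.
IDP_RANK = {"Password": 1, "PasswordProtectedTransport": 2, "Kerberos": 3, "Smartcard": 4}

def requested_authn_context(comparison, class_name):
    """Build the element the service provider puts into its AuthnRequest."""
    rac = ET.Element(f"{{{SAMLP}}}RequestedAuthnContext", {"Comparison": comparison})
    ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = AC + class_name
    return rac

def satisfies(rac, used_class):
    """True if a login performed with used_class meets the request."""
    wanted = rac.find(f"{{{SAML}}}AuthnContextClassRef").text[len(AC):]
    comparison = rac.get("Comparison", "exact")   # the attribute defaults to exact
    if comparison == "exact":
        return used_class == wanted
    if used_class not in IDP_RANK or wanted not in IDP_RANK:
        return False                              # unknown strength: reject
    got, want = IDP_RANK[used_class], IDP_RANK[wanted]
    return {"minimum": got >= want,   # at least as strong as the requested class
            "better": got > want,     # strictly stronger than the requested class
            "maximum": got <= want,   # not stronger than the requested class
            }[comparison]

def accepted(comparison, class_name):
    """List the ranked classes that would satisfy one request."""
    rac = requested_authn_context(comparison, class_name)
    return [c for c in IDP_RANK if satisfies(rac, c)]

if __name__ == "__main__":
    ET.register_namespace("samlp", SAMLP)
    ET.register_namespace("saml", SAML)
    rac = requested_authn_context("minimum", "PasswordProtectedTransport")
    print(ET.tostring(rac, encoding="unicode"))
    for comparison in ("exact", "minimum", "better", "maximum"):
        print(f"{comparison:8}", accepted(comparison, "PasswordProtectedTransport"))
```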