How to modify/update existing credential

[manuel.aigner]

Hi there,

We are new at implementing Veeam BR at our companie.
Due to the fact we have many windows domains and a lot of machines without domain membership we have the need maintain a quite big credential store in VBR. As we don't do this manually and we have an password vault (Secret Server from Thycotic), I'm working on a script which keeps the Veeam credstore sync with Secret Server which has da ability to remote manage/change passwords on any of our VMs. (By our company policy it's not allowed have never expiring passwords. Specially for administrativ users)

ATM I'm struggling around with the 2 cmdlets Add-VBRCredentials and Set-VBRCredentials. To create a new credential is no problem. But I have no idea how to edit an existing one in case the password has changed. As I've read in documentation I should use Set-VBRCredentials for this use case.
But IMHO Add-VBRCredentials and Set-VBRCredentials are doing nearly the same.

I don't know how this cmdlet want's to know which credential im want to change. I cant define an ID or search criteria. My first trial was to pipeline it with

Code: Select all

get-VBRCredentials -Name  <loginname> | set-VBRCredentials -Credential $PSCredentialObjectFromSecretServer->not Working
get-VBRCredentials | where { <where clause> } | set-VBRCredentials -Credential $PSCredentialObjectFromSecretServer -> nope!

If i only try

Code: Select all

set-VBRCredentials -Credential $PSCredentialObjectFromSecretServer

It will only generate a new credential with the same name as the existing one but a new ID which is clearly not assigned to any jobs and as consequence useless.

Does anyone of you have any ideas

Here my unfinished function:

Explanation:
My script should only update secrets where description field looks like this:
SecretID:<correlatingSecredIDOnSecredServer>
E.g.:
SecredID:1234

Code: Select all

function Update-VeeamCredFromSecretServer {
<#
.SYNOPSIS
Update existing Veeam credential from Secret Server

.DESCRIPTION
Update existing Veeam credential from Secret Server

.PARAMETER SecretIDs
A description of the SecretIDs parameter.

.PARAMETER ConnectionObject
A description of the ConnectionObject parameter.

.EXAMPLE
PS C:\> Update-VeeamCredFromSecretServer

.NOTES
Additional information about the function.
.ROLE
VersionsDateAuthorDescription
0.0.1.0010.11.2017AIMCreated
#>

[CmdletBinding()]
param
(
[int[]]$SecretIDs,
$ConnectionObject,
[string]$VeeamMGMTSrv = '...hidden...',
[string]$DescriptionPrefix = 'SecretID',
[switch]$force

)

if (!($ConnectionObject)) {
$ConnectionObject = Connect-POISecretServer
if (-not ($ConnectionObject)) {
return Write-StatusLog -8778 "-Unable to connect to SecretServer!" -ObjectLogging -ObjIsOK:$false
}

}

if (!(Connect-POIVeeamMGTMServer -VeeamMGMTSrv $VeeamMGMTSrv).OK) {
return Write-StatusLog -8778 "-Script aborted, unable to connect to '$VeeamMGMTSrv'" -ObjectLogging -ObjIsOK:$false
}

try {
$VeeamCreds = Get-VBRCredentials -ErrorAction Stop | where {$_.Description -like "$($DescriptionPrefix):*"}
} catch {
return Write-StatusLog -8778 "-Unable to fetch credentials list from Veeam for automatical update , Last exception:`r`n'$($_.Exception)`r`n$($_.CategoryInfo)'" -ObjectLogging -ObjIsOK:$false -ObjInput $_
}

if (![bool]$SecretIDs) {
try {
[int[]]$SecretIDs = (($VeeamCreds.Description).split(":")) | where {
$_ -ne $($DescriptionPrefix)
}
} catch {
return Write-StatusLog -8778 "-Unable to fetch credentials list from Veeam for automatical update , Last exception:`r`n'$($_.Exception)`r`n$($_.CategoryInfo)'" -ObjectLogging -ObjIsOK:$false -ObjInput $_
}
}

if (![bool]$SecretIDs) {
return Write-StatusLog 0 "No SecretID given and no Veeam credential found for automatical update." -ObjectLogging -ObjIsOK:$true
}



foreach ($SecredIDNow in $SecretIDs) {
$Crednow = $VeeamCreds | where {
$_.Description -like "$($DescriptionPrefix):$($SecredIDNow)"
}
if (!$force.IsPresent) {
$SecretLastChange = Get-POISecretAudit -ConnectionObject $ConnectionObject -SecretID $SecredIDNow -FilterAction GetLatestChange | select -ExpandProperty DateRecorded
$CredLastChange = $Crednow | select -ExpandProperty ChangeTimeLocal

if (!($SecretLastChange -gt $CredLastChange)) {
Write-StatusLog 8771 "+Credential with ID '$SecredIDNow' is already current. No update needed. " -Autocolor
continue
}
}

$Secret = Get-POISecret -ID $SecredIDNow -ConnectionObject $ConnectionObject
if (!$Secret.OK) {
Write-StatusLog -8778 "-Unable to fetch secret with ID '$SecredIDNow' from Secret Server. , Last exception:`r`n'$($_.Exception)`r`n$($_.CategoryInfo)'" -ObjectLogging -ObjIsOK:$false -ObjInput $_
continue
}

try {
Set-VBRCredentials -Credential $Secret.obj.Credential -ErrorAction Stop
} catch {
return Write-StatusLog -8778 "-Error while updating credential with ID '$SecredIDNow', Last exception:`r`n'$($_.Exception)`r`n$($_.CategoryInfo)'" -ObjectLogging -ObjIsOK:$false -ObjInput $_
}

return Write-StatusLog 0 "Credential '$($Crednow.Name)' updated sucessfully." -ObjectLogging -ObjIsOK:$false



}



}

[veremin]

I managed to update password and description, using the script below:

Code: Select all

Asnp VeeamPSSnapin
Set-VBRCredentials -Credential (Get-VBRCredentials -name "Name of your credentials") -Password "New Password" -Description "New Description"

Thanks.

[manuel.aigner]

Oh, ok I' got it!

Many thanks

[veremin]

You're welcome. Kindly, reach us, should other help be needed. Thanks.

[ThierryKL]

Hello,

when I try to change a credential, description or password I got this error :

Code: Select all

PS C:\> set-VBRCredentials -Credential (Get-VBRCredentials -name "BENCHSA.INT\srvbck_deploy") -Description "TKL-VBR-REMOTE.BENCHSA.INT_admcred"
set-VBRCredentials : Object reference not set to an instance of an object.
At line:1 char:1
+ set-VBRCredentials -Credential (Get-VBRCredentials -name "BENCHSA.INT ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Set-VBRCredentials], NullReferenceException
    + FullyQualifiedErrorId : System.NullReferenceException,Veeam.Backup.PowerShell.Cmdlets.SetVBRCredentials

the get-vbrcredentials cmdlet return the right credential

Code: Select all

PS C:\> $a=Get-VBRCredentials -Name "BENCHSA.INT\srvbck_deploy"

PS C:\> $a


Id                : 848f820c-1469-4ea8-8cfe-18e896d7ae51
IsLocalProtect    : True
Name              : BENCHSA.INT\srvbck_deploy
CurrentUser       : False
UserName          : BENCHSA.INT\srvbck_deploy
UserNameOnly      : srvbck_deploy
DomainName        : BENCHSA.INT
EncryptedPassword : 
Description       : TKL-VBR-REMOTE.BENCHSA.INT_admcred
ChangeTimeLocal   : 18/09/2019 09:48:08
ChangeTimeUtc     : 18/09/2019 07:48:08
IsEmpty           : False
PasswordIsNull    : True

same result by using the credential object

Code: Select all

PS C:\> set-VBRCredentials -Credential $a -Description "TKL-VBR-REMOTE.BENCHSA.INT_admcred false"
set-VBRCredentials : Object reference not set to an instance of an object.
At line:1 char:1
+ set-VBRCredentials -Credential $a -Description "TKL-VBR-REMOTE.BENCHS ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Set-VBRCredentials], NullReferenceException
    + FullyQualifiedErrorId : System.NullReferenceException,Veeam.Backup.PowerShell.Cmdlets.SetVBRCredentials

Anyone got the same error ?

Veeam version 9.5 UPdate 4b

Thierry

[chris.arceneaux]

Welcome to the Veeam forums Thierry!

I can confirm this behavior and it is not as expected. I'll follow-up internally to have this addressed. Thanks for posting!

[ThierryKL]

Hello Chris,

thank you for passing on the problem

Regards.
Thierry

[veremin]

We're investigating this internally. Will update the topic, once I have more information.

[veremin]

Confirmed to be a bug with standard (Windows) credentials; will be fixed in the next product update. Thanks!

[ThierryKL]

Thank You veremin,

So we have to wait

Regards

[jenreovh]

Hello

We have the same bug, but what do you mean by "standard (Windows) credentials", is there a workaround before the availability of the update?

jean-rémy

[chris.arceneaux]

Welcome to the Veeam forums jean-rémy!

what do you mean by "standard (Windows) credentials"

When you're creating credentials in the Veeam Backup & Replication Console, you'll notice there are 3 different types:





A standard type is used for inputting Windows credentials.

is there a workaround before the availability of the update?

Please open a case with Veeam support so they can further assist you.

[jenreovh]

Thank you , i'll ask for support so .