Comprehensive data protection for all workloads
Jim_eHealth
Lurker
Posts: 2
Liked: never
Joined: Jan 28, 2020 9:07 pm
Full Name: Jim
Contact:

Re: Feature request - Managed Service Accounts. MSA and GMSA

Post by Jim_eHealth »

I am shocked that Veeam - being an enterprise BCDR solution, does not support GMSA's. I can't believe this. This is absolutely critical that this be implemented ASAP. Any environment that cares at all about security will require password expiration on all domain accounts. We will be forced to find a new BCDR solution for hundreds of VM's if this is not implemented very soon, this is a critical security flaw as far as we are concerned.
HannesK
Product Manager
Posts: 14840
Liked: 3086 times
Joined: Sep 01, 2014 11:46 am
Full Name: Hannes Kasparick
Location: Austria
Contact:

Re: Feature request - Managed Service Accounts. MSA and GMSA

Post by HannesK » 2 people like this post

Hello,
and welcome to the forums. Yes, it's something we want to do (the request comes up more and more often, also internally). But I cannot give you a timeline yet.

Best regards,
Hannes
Yismail
Lurker
Posts: 2
Liked: 2 times
Joined: Feb 25, 2020 12:19 am
Full Name: Yousef ismail
Contact:

Re: Feature request - Managed Service Accounts. MSA and GMSA

Post by Yismail » 1 person likes this post

Lol, the amusing part is that this thread been open since 2015 and the veeam support keep saying they either looking into it or working on it. Take your time guys, what's another 5 years...
HannesK
Product Manager
Posts: 14840
Liked: 3086 times
Joined: Sep 01, 2014 11:46 am
Full Name: Hannes Kasparick
Location: Austria
Contact:

Re: Feature request - Managed Service Accounts. MSA and GMSA

Post by HannesK »

Hello Yismail,

Keep in mind we have to decide between many hundreds (literally) of pending feature requests for each version. And from more than 365.000 Veeam customers customers, there is only a few who will be using this feature... so choosing other features over this one for many years makes sense for the majority of our customers.

Best regards,
Hannes
Yismail
Lurker
Posts: 2
Liked: 2 times
Joined: Feb 25, 2020 12:19 am
Full Name: Yousef ismail
Contact:

Re: Feature request - Managed Service Accounts. MSA and GMSA

Post by Yismail » 1 person likes this post

Hello Hannah,
The thing is this not a feature, this a huge security concern to your clients who are concerned about security in an age where service accounts targetd to compromise organization. Anyways it doesn't really matter, you do you guys.
patrick.fist
Lurker
Posts: 2
Liked: 1 time
Joined: Mar 26, 2020 8:47 pm
Full Name: Patrick Fist
Contact:

Re: Feature request - Managed Service Accounts. MSA and GMSA

Post by patrick.fist » 1 person likes this post

I have the request to implement gMSA to get my company covered for a cyber risk insurance.
Leading vm backup solution provider veeam, does not support it. So sad. Time to evaluate alternatives.

Push!
Grime121
Influencer
Posts: 19
Liked: 1 time
Joined: Apr 10, 2020 6:02 pm
Full Name: Evan
Contact:

Re: Feature request - Managed Service Accounts. MSA and GMSA

Post by Grime121 »

We need to be able to use gMSAs with Veeam, too. At the very least we should be able to use a gMSA for running the Veeam services.... I'm trying to perform a fresh install on a new VM that we are replacing are primary backup server with, and it tells me that the username/password is incorrect. I assume this is just because the password field is empty (which it should be for a gMSA). Other than removing that check during the setup, I bet there isn't much that would have to be changed to get gMSAs working as service accounts. This really should be added ASAP. The ability to use gMSAs for guest indexing seems quite important, too.
Gostev
Chief Product Officer
Posts: 31814
Liked: 7302 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Feature request - Managed Service Accounts. MSA and GMSA

Post by Gostev »

Hi, Evan. We will check why our setup does not accept these accounts. However, did you consider instead simply changing the Veeam services to use gMSA after the product has been installed using regular accounts?
Grime121
Influencer
Posts: 19
Liked: 1 time
Joined: Apr 10, 2020 6:02 pm
Full Name: Evan
Contact:

Re: Feature request - Managed Service Accounts. MSA and GMSA

Post by Grime121 »

I have considered that, but I was afraid there was more required than simply changing the accounts that the services run underneath. Manually changing the service accounts for a simple service is one thing. Changing the service accounts for services that run an application as complicated as Veeam is entirely different. Are there references to the service accounts in other places? Is Veeam’s current position that changing the service accounts on the Veeam services to run under a gMSA will not cause any issues with the software, as long as the gMSA has the necessary SQL permissions? Does the gMSA also need to be a local admin?

One big issue that I foresee is that the Veeam service account appears to require interactive login permissions. Or at least, when I tried to use an AD account as the Veeam service account that was denied interactive login permissions, I received an error during setup that said “the service account cannot be impersonated”. gMSAs are not allowed to perform interactive logins. Whether Veeam requires interactive logins only during the setup process (to impersonate the user account during setup), I do not know. Do the service(s) also impersonate the user account when the service(s) is/are running under the account?

As you can see, there are a lot of reasons for me to be hesitant to change the Veeam services to run under a gMSA. Are you telling me that these things that I am concerned about should not be an issue, and that simply changing the services to run underneath a gMSA should work?
Gostev
Chief Product Officer
Posts: 31814
Liked: 7302 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Feature request - Managed Service Accounts. MSA and GMSA

Post by Gostev »

To be honest, I don't know as I never tested this. Specifying those accounts manually in the service settings simply looked like a simple solution to the fact that setup does not "understand" gMSA account. It may just work, or there could be other barriers, as you mention.

Normally, our services should use batch logon, as opposed to interactive logon.

The gMSA does need to be a local admin for sure though.
poulpreben
Certified Trainer
Posts: 1025
Liked: 448 times
Joined: Jul 23, 2012 8:16 am
Full Name: Preben Berg
Contact:

Re: Feature request - Managed Service Accounts. MSA and GMSA

Post by poulpreben »

Interaction with repositories and guests are probably the most important candidates for this feature. However, it isn't possible to add accounts with empty passwords to the credentials manager – neither via GUI or PowerShell. Allowing it via PowerShell would be acceptable since configuring gMSAs require PowerShell anyway.

Code: Select all

 Add-VBRCredentials -User "int\gmsatest" -Password "" -Description "gMSA with empty password"
Add-VBRCredentials : Specify non-empty password
At line:1 char:1
+ Add-VBRCredentials -User "int\gmsatest" -Password "" -Description "gM ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Add-VBRCredentials], Exception
    + FullyQualifiedErrorId : System.Exception,Veeam.Backup.PowerShell.Cmdlets.AddVBRCredentials
So, it might be possible to change so that Veeam Backup Service and its interaction with SQL Server use a gMSA, but personally I do not think that is largest attack vector to worry about.
Gostev
Chief Product Officer
Posts: 31814
Liked: 7302 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Feature request - Managed Service Accounts. MSA and GMSA

Post by Gostev » 2 people like this post

Gostev wrote: Apr 13, 2020 12:42 pmTo be honest, I don't know as I never tested this. Specifying those accounts manually in the service settings simply looked like a simple solution to the fact that setup does not "understand" gMSA account. It may just work, or there could be other barriers, as you mention.
Just to follow up on this, we tested the workaround for Veeam Backup Service specifically, and everything appears to work fine with setting its service account to gMSA manually. So, just specify some temporary account in the setup program, then come back and change it in the Services snap-in. Thanks!
cahayden
Novice
Posts: 3
Liked: 1 time
Joined: May 14, 2020 7:21 pm
Contact:

Re: Feature request - Managed Service Accounts. MSA and GMSA

Post by cahayden »

I would also like to see support for gMSA support in Veeam backup jobs.
prohand
Novice
Posts: 9
Liked: never
Joined: Jul 15, 2016 5:24 pm
Full Name: Kevin
Contact:

Re: Feature request - Managed Service Accounts. MSA and GMSA

Post by prohand »

+1, it's great feature
ntwrkadmn
Novice
Posts: 3
Liked: never
Joined: Apr 03, 2019 3:54 pm
Full Name: Tom
Contact:

Re: Feature request - Managed Service Accounts. MSA and GMSA

Post by ntwrkadmn »

+1 for gMSA support
Gostev
Chief Product Officer
Posts: 31814
Liked: 7302 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Feature request - Managed Service Accounts. MSA and GMSA

Post by Gostev » 3 people like this post

We're researching and prototyping this now.
IVC-lloyd
Lurker
Posts: 1
Liked: never
Joined: Aug 07, 2020 12:27 pm
Full Name: Lloyd Smart
Contact:

Re: Feature request - Managed Service Accounts. MSA and GMSA

Post by IVC-lloyd »

Adding my vote - I could make my setup so much more secure with this!
l.scotti
Novice
Posts: 9
Liked: never
Joined: Feb 15, 2019 8:59 am
Full Name: Ludovic SCOTTI
Contact:

Re: Feature request - Managed Service Accounts. MSA and GMSA

Post by l.scotti »

Gostev wrote: Jul 29, 2020 10:18 pm We're researching and prototyping this now.
included in V11 ?
Gostev
Chief Product Officer
Posts: 31814
Liked: 7302 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Feature request - Managed Service Accounts. MSA and GMSA

Post by Gostev » 1 person likes this post

No. It was fully implemented by devs some months ago, but due to lack of QC resources we could not include it in v11. Too many other new features already...
Zew
Veteran
Posts: 377
Liked: 86 times
Joined: Mar 17, 2015 9:50 pm
Full Name: Aemilianus Kehler
Contact:

Re: Feature request - Managed Service Accounts. MSA and GMSA

Post by Zew » 1 person likes this post

Ooooo sooo close. :D Exciting. Thanks for the update.
ohaine
Lurker
Posts: 1
Liked: never
Joined: Feb 05, 2021 9:56 am
Full Name: Oli Haine
Contact:

Re: Feature request - Managed Service Accounts. MSA and GMSA

Post by ohaine »

Tomorrow we will celebrate the 6th anniversary of this security Feature Request....................

This proves without a single doubt that Security is not part of VEEAM's priorities at all.

OLi
Gostev
Chief Product Officer
Posts: 31814
Liked: 7302 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Feature request - Managed Service Accounts. MSA and GMSA

Post by Gostev » 11 people like this post

So tell me this then. That last time you did not buy some toy your kids asked you for... does this also prove they are "without a single doubt not a part of your priorities at all"? Even after all those hundreds of other presents you bought them, and thousands of hours you spent nurturing them since they were born?

You'd probably be very upset if someone told you this, but somehow you think it's fine to make the exact same invalid generalization about someone else's baby? :D
AC82
Novice
Posts: 4
Liked: 2 times
Joined: Jan 11, 2017 10:25 am
Full Name: Andreas Cremer
Location: Germany
Contact:

Re: Feature request - Managed Service Accounts. MSA and GMSA

Post by AC82 » 1 person likes this post

+1 for gMSA support. Thanks in advance!
bpr-backup
Novice
Posts: 8
Liked: never
Joined: Jan 29, 2016 5:29 pm
Contact:

Re: Feature request - Managed Service Accounts. MSA and GMSA

Post by bpr-backup »

We need gMSA as well.
Cynrik
Influencer
Posts: 11
Liked: never
Joined: May 11, 2018 10:05 am
Full Name: Thomas
Contact:

Re: Feature request - Managed Service Accounts. MSA and GMSA

Post by Cynrik »

+1 for gMSA support
Zew
Veteran
Posts: 377
Liked: 86 times
Joined: Mar 17, 2015 9:50 pm
Full Name: Aemilianus Kehler
Contact:

Re: Feature request - Managed Service Accounts. MSA and GMSA

Post by Zew »

Gostev, I don't disagree with you on that one. Such as Hardened Repos, and many other advancements. That's not to take aware from the fact this has been a VERY long time request, that MANY have asked for. It should be given a bit higher priority as it doesn't seem to becoming to fruition.

It's kind of like that boss that says thanks and your hard work will be compensated soon. Sayin' something is nice, but providing it is much better.
Gostev
Chief Product Officer
Posts: 31814
Liked: 7302 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Feature request - Managed Service Accounts. MSA and GMSA

Post by Gostev »

Zew wrote: Mar 29, 2021 3:54 pmThat's not to take aware from the fact this has been a VERY long time request, that MANY have asked for. It should be given a bit higher priority as it doesn't seem to becoming to fruition..
It certainly would, if there were no other requests which were outstanding for much longer, and asked about by many more people :)

Also, keep in mind that adding a feature requires developers from certain specific teams working with the affected components, not just from "a" team. While the team required for this functionality has been particularly busy in the last few releases with long-standing feature requests of much higher priority. Anyway, to be fair to them, they did manage to deliver the code just in time to include it into V11... but the issue then was our eternal lack of QC resources (especially this late in the release cycle).
Zew
Veteran
Posts: 377
Liked: 86 times
Joined: Mar 17, 2015 9:50 pm
Full Name: Aemilianus Kehler
Contact:

Re: Feature request - Managed Service Accounts. MSA and GMSA

Post by Zew »

100% understand and agree, thanks for the insight.
moquai2020
Novice
Posts: 4
Liked: never
Joined: Feb 19, 2020 9:23 am
Full Name: Thomas Kuster
Contact:

Re: Feature request - Managed Service Accounts. MSA and GMSA

Post by moquai2020 »

+1 for gMSA support
In a large company we have to change the password of a service account in very short periods. gMSA would help us a lot to decrease the management time for Veeam B&R.
The BackupMan
Novice
Posts: 7
Liked: never
Joined: Feb 02, 2018 8:32 am
Full Name: Niek Wegh
Contact:

Re: Feature request - Managed Service Accounts. MSA and GMSA

Post by The BackupMan »

+1 for gMSA support
We are using gMSA already within our Windows environments and the Veeam SA accounts will be the next ones to go gMSA.
Please hurry up with this support feature!
Post Reply

Who is online

Users browsing this forum: Google [Bot] and 73 guests