Standalone backup agent for Microsoft Windows servers and workstations (formerly Veeam Endpoint Backup FREE)
psych
Influencer
Posts: 12
Liked: 1 time
Joined: May 10, 2019 2:54 pm
Full Name: GB Sistemos

Failed to send certificate, but certificate is required for remote agent management

Post by psych » 1 person likes this post

Hello, so as my title says, I have a problem adding Microsoft Windows Server 2016 Essentials with AD configured as a backup machine. The error that I'm getting:

Failed to send certificate, but certificate is required for remote agent management Error: The function requested is not supported
What kind of certificate does it want? I have two more Linux machines properly running with Veeam Agent installed. Also I have tried to renew the Veeam certificate, but it doesn't work. Attaching photo of error

Error in log:

[17.04.2020 13:41:27] <225> Error    Unable to establish authenticated client-server connection.
[17.04.2020 13:41:27] <225> Error    Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host. (System.IO.IOException)
[17.04.2020 13:41:27] <225> Error       at System.Net.Sockets.NetworkStream.Read(Byte[] buffer, Int32 offset, Int32 size)
[17.04.2020 13:41:27] <225> Error       at System.Net.StreamFramer.ReadMessage()
[17.04.2020 13:41:27] <225> Error       at System.Net.Security.NegoState.StartReceiveBlob(LazyAsyncResult lazyResult)
[17.04.2020 13:41:27] <225> Error       at System.Net.Security.NegoState.ProcessAuthentication(LazyAsyncResult lazyResult)
[17.04.2020 13:41:27] <225> Error       at System.Net.Security.NegotiateStream.AuthenticateAsServer(NetworkCredential credential, ProtectionLevel requiredProtectionLevel, TokenImpersonationLevel requiredImpersonationLevel)
[17.04.2020 13:41:27] <225> Error       at Veeam.Backup.Service.CForeignInvokerServer.AuthenticateAsServer4Negotiate(Socket socket, WindowsIdentity& identity)
[17.04.2020 13:41:27] <225> Error    An existing connection was forcibly closed by the remote host (System.Net.Sockets.SocketException)
[17.04.2020 13:41:27] <225> Error       at System.Net.Sockets.NetworkStream.Read(Byte[] buffer, Int32 offset, Int32 size)
Egor Yakovlev
Veeam Software
Posts: 2537
Liked: 683 times
Joined: Jun 14, 2013 9:30 am
Full Name: Egor Yakovlev
Location: Prague, Czech Republic

Post by Egor Yakovlev »

Hi Eimantas,
Your screenshot does not look like Veeam Agent UI. Is it from Veeam Backup & Replication server?
If so, I see a backup agent was detected on your Windows server. Was it installed manually using the standalone agent?
/Thanks!

Post by psych »

It's definitely from Veeam Backup & Replication server :) Maybe it looks like it's not from it because it's just part of the table without all those green bars. At first I installed it manually, then updated my Veeam Backup & Replication server, and it automatically updated the agent.
EDIT: Just to be sure, tried remove client and reinstall from VEEAM console:

Post by Egor Yakovlev »

Can you also check Veeam Certificates:

- on VBR Server (Type 'Manage User Cert' into the search of the Windows start menu. Select the 'Trusted Root Certificate' folder, then the 'Certificate' folder and scroll down to the Veeam Backup & Replication certificate)
- on Windows Server (Type 'MMC' into the search of the Windows start menu. Once open, select 'File > Add plugins' , then select 'Local Account', 'Certificate > Add'. Then 'Certificates' folder, and 'Personal')

Both certificates should share the expiration date. If they are different, delete one from Windows Server and rescan agent from VBR Console again. Thanks!

Post by psych »

Sorry for the late response. I have tried your method, but actually on the Windows server in "MMC" I can't add a local account as it's a domain controller. Anyway, I have checked User and Computer certificates, and in machine certificates I have Veeam certificates, but in User Certificates I have no Veeam certificates, so I just exported and imported these certificates but still no luck...

Post by Egor Yakovlev » 1 person likes this post

Hi Eimantas,

Here are 2 more checks for you:

- On your Windows Server, check with "netstat -b" whether anything other than Veeam is listening on local port :6184. If some app took our default communications port, we will work over the next one, 6185, which will need a firewall allow rule as well.
- Last but not least, check local policies under "Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options" on both servers (Windows agent + VBR). The following keys should be in the NotConfigured\AllowAll state: [Network security: LAN Manager authentication level], [Restrict NTLM: Incoming traffic], [Restrict NTLM: Outgoing traffic].

/Thanks!

Post by psych »

- With netstat -b I see no service running on port 6184 or 6184, but with netstat -a I can see as follows: TCP 0.0.0.0:6184 BiopartnerSrv:0 LISTENING
- The second step helped!!! So if anybody has the same problem: my Veeam Agent system is Windows Server 2016 Essentials, and under Local Security Policy "Local Policies/Security Options/Network Security: Restrict NTLM: Incoming NTLM traffic" I had Deny All Accounts, so I just switched it to Allow All as Egor said, and it magically appeared. Thank you very much!

Post by Egor Yakovlev »

Great news, Eimantas! Thanks for updating the thread with your results!
/Cheers!
kmbundgaard
Veeam Software
Posts: 197
Liked: 21 times
Joined: May 01, 2017 11:15 am
Full Name: Karsten Bundgaard

Post by kmbundgaard » 1 person likes this post

Hi!

I had a similar problem with a customer. Is it possible to have the logfile record which port the VBR is trying to connect to on the host? It took us some time to find out that it was trying port 6185 instead of 6184, and port 6184 is also not mentioned in our documentation about used ports that need to be opened.

Thanks!

Karsten
sfarr9
Lurker
Posts: 1
Liked: never
Joined: Dec 24, 2020 2:06 pm

Post by sfarr9 »

Thanks Egor. I encountered the same issue but in fact was able to get it working by just backing off the NTLMv2 auth level only one step. We were set for "Send NTLMv2 Only, Refuse LM/NTLM" and it was broken. Now it's set to "Send NTLMv2 Only, Refuse LM" and it works.

Separately, as a point for the Veeam developer team, can you please update the product to not have a dependency on NTLMv1? That is a really old technology that we shouldn't be using anymore!
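
A read-only way to collect the values this thread keeps coming back to (the LAN Manager authentication level, the two Restrict NTLM policies, and the listener on 6184/6185) on the agent machine and the VBR server. This is an added example, not code from any poster or from Veeam; the registry value names and their meanings are the standard Windows ones and are not taken from the thread.

```powershell
# Added example: read-only report of the settings discussed in this thread.
# Run in an elevated PowerShell on the agent machine and on the VBR server.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Standard Windows meanings of each registry value (not taken from the thread).
$lmLevel = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}
$incoming = @{ 0 = 'Allow all'; 1 = 'Deny all domain accounts'; 2 = 'Deny all accounts' }
$outgoing = @{ 0 = 'Allow all'; 1 = 'Audit all'; 2 = 'Deny all' }

function Get-NtlmSetting {
    param([string]$Path, [string]$Name, [hashtable]$Meaning)
    $raw = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    $state = if ($null -eq $raw) { 'Not configured' } else { $Meaning[[int]$raw] }
    [pscustomobject]@{ Setting = $Name; Raw = $raw; State = $state }
}

$report = @(
    Get-NtlmSetting $lsa 'LmCompatibilityLevel' $lmLevel
    Get-NtlmSetting "$lsa\MSV1_0" 'RestrictReceivingNTLMTraffic' $incoming
    Get-NtlmSetting "$lsa\MSV1_0" 'RestrictSendingNTLMTraffic' $outgoing
)
$report | Format-Table -AutoSize

# Values the posts above report as breaking, or advise against, for agent management.
foreach ($r in $report) {
    $restricted = $r.Setting -like 'Restrict*' -and $null -ne $r.Raw -and $r.Raw -ne 0
    $refuseNtlm = $r.Setting -eq 'LmCompatibilityLevel' -and $r.Raw -eq 5
    if ($restricted -or $refuseNtlm) {
        Write-Warning "$($r.Setting) = $($r.Raw) ($($r.State))"
    }
}

# Which process owns the listener on 6184 (default) or 6185 (fallback)?
Get-NetTCPConnection -State Listen -LocalPort 6184, 6185 -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess,
        @{ n = 'Process'; e = { (Get-Process -Id $_.OwningProcess).ProcessName } } |
    Format-Table -AutoSize
```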

Post by Egor Yakovlev »

Thanks for feedback.
We have it on track to improve in future versions and I will add your voice!
/Cheers!