-
- Veteran
- Posts: 291
- Liked: 25 times
- Joined: Mar 23, 2015 8:30 am
- Contact:
Single Sign On for the Enterprise Manager
Hi
Is there a way to allow Single Sign On for the Enterprise Manager? Our users do not know their AD password, because we log in with smartcard and PIN to our workstations and all our web applications use some sort of Single Sign On, usually SAML 2.0 or Kerberos. We do not want all operators accessing the Veeam backup console, thus they will have the Enterprise Manager web interface, but currently they are not able to log on, because they don't know their AD password. How can I enable Single Sign On for the Enterprise portal? I tried to make the necessary changes on the IIS, where the Enterprise Manager runs, to allow Kerberos authentication, but was unsuccessful, the login page appears anyway.
thx,
sandsturm
-
- Veteran
- Posts: 298
- Liked: 85 times
- Joined: Feb 16, 2017 8:05 pm
- Contact:
Re: Single Sign On for the Enterprise Manager
Have you looked at this KB doc? https://www.veeam.com/kb2089
-
- Veteran
- Posts: 528
- Liked: 144 times
- Joined: Aug 20, 2015 9:30 pm
- Contact:
Re: Single Sign On for the Enterprise Manager
It should just be a matter of the site being in the Intranet Zone in Internet Explorer, and IE should pass your current Windows credentials to IIS.
-
- Veteran
- Posts: 291
- Liked: 25 times
- Joined: Mar 23, 2015 8:30 am
- Contact:
Re: Single Sign On for the Enterprise Manager
I don't understand the steps in https://www.veeam.com/kb2089. I don't want a form-based authentication, I want to pass through Windows credentials to the website with Kerberos (NTLM is not allowed in our company). If I set WindowsAuth=false, as described in this KB, an SSO login will not be possible any more, or am I wrong?
The site is in the intranet zone within IE settings, but we usually use the Chrome browser, is there a similar setting there?
-
- Chief Product Officer
- Posts: 31814
- Liked: 7302 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: Single Sign On for the Enterprise Manager
Hello, SAML 2.0 support for the Enterprise Manager is planned for the next product release. Please stay in touch with your Veeam technical sales rep if you want to participate in beta, to ensure that our implementation will fit your needs. Thanks!
-
- Veteran
- Posts: 291
- Liked: 25 times
- Joined: Mar 23, 2015 8:30 am
- Contact:
Re: Single Sign On for the Enterprise Manager
Hi
Thanks for the answer. Besides the upcoming SAML 2.0 support, is there a way to do it via standard Windows SSO (Kerberos)? The Enterprise Manager runs on a MS IIS and the Kerberos implementation in this case would be the easiest, if the application supports it?
thx,
sandsturm
-
- Product Manager
- Posts: 14844
- Liked: 3086 times
- Joined: Sep 01, 2014 11:46 am
- Full Name: Hannes Kasparick
- Location: Austria
- Contact:
Re: Single Sign On for the Enterprise Manager
Hello,
I tried it out at a customer environment that should be similar to yours (only smartcards + pin. no passwords for users).
Officially we only support NTLM today but I hoped it would work to just change the authentication mechanisms in IIS. Which settings did you configure? I only saw several hints that one should take care about the SPN.
Best regards,
Hannes
-
- Veteran
- Posts: 291
- Liked: 25 times
- Joined: Mar 23, 2015 8:30 am
- Contact:
Re: Single Sign On for the Enterprise Manager
The IIS settings are as follows in our case:
- disable all authentication types, except Windows authentication for the website (or the webserver)
- set authentication providers to "Negotiate:Kerberos" and remove the other ones
- uncheck the box for "Enable kernel mode authentication" in Authentication/Advanced settings
- enable Windows authentication, if not already done for the website (or the webserver)
- modify SSL settings of the website and check the box "Require SSL"
- remove port 9080 from Port bindings of the website
- change port 80 for DefaultWebsite to local access only
- run the IIS application pool with an Active Directory service account
- create an SPN for the above service account for the URL you want to use to access the Enterprise Manager: setspn -s HTTP/EM_URL_FQDN domain\serviceaccount
- set useAppPoolCredentials = True in configuration editor of the Veeam website in path: system.webServer/security/authentication/windowsAuthentication
With these settings, a Kerberos authentication is possible if the application supports it
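A check for what the settings above actually produce on the wire, added here as an example and not part of the original post or of Veeam's product: it classifies the HTTP Authorization header of a request as Kerberos, NTLM or no credentials at all, using the NTLM message signature and the Kerberos mechanism OIDs carried in the first SPNEGO token. The function names, request paths and sample tokens are constructed for illustration.

```python
import base64

# DER-encoded mechanism OIDs found in the first SPNEGO token a client sends.
OID_KRB5 = bytes.fromhex("06092a864886f712010202")      # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("06092a864882f712010202")   # 1.2.840.48018.1.2.2
OID_SPNEGO = bytes.fromhex("06062b0601050502")          # 1.3.6.1.5.5.2
NTLM_SIGNATURE = b"NTLMSSP\x00"                         # starts every NTLM message


def classify_authorization(header):
    """Classify an HTTP Authorization header value by the mechanism it carries."""
    if not header:
        return "none"                    # request arrived without credentials
    scheme, _, blob = header.strip().partition(" ")
    if scheme.lower() == "ntlm":
        return "ntlm"
    if scheme.lower() != "negotiate":
        return "other"
    try:
        token = base64.b64decode(blob.strip(), validate=True)
    except ValueError:                   # binascii.Error subclasses ValueError
        return "unknown"
    if NTLM_SIGNATURE in token:          # raw NTLM, or NTLM wrapped in SPNEGO
        return "ntlm"
    # GSS-API initial token (tag 0x60) that names a Kerberos mechanism.
    if token[:1] == b"\x60" and (OID_KRB5 in token or OID_MS_KRB5 in token):
        return "kerberos"
    return "unknown"                     # e.g. a later leg of the exchange


def requests_without_kerberos(requests):
    """Return (path, mechanism) for every request not backed by a Kerberos token."""
    classified = [(path, classify_authorization(h)) for path, h in requests]
    return [(path, mech) for path, mech in classified if mech != "kerberos"]


def _negotiate(raw):
    return "Negotiate " + base64.b64encode(raw).decode("ascii")


# Constructed sample requests: the tokens are shortened stand-ins, not real tickets.
SAMPLE_REQUESTS = [
    ("/example/a", _negotiate(b"\x60\x40" + OID_SPNEGO + OID_MS_KRB5 + OID_KRB5 + b"\x01\x00")),
    ("/example/b", _negotiate(b"\x60\x40" + OID_SPNEGO + OID_KRB5 + NTLM_SIGNATURE + b"\x01")),
    ("/example/c", _negotiate(NTLM_SIGNATURE + b"\x01\x00\x00\x00")),
    ("/example/d", None),
]
```

Feeding it the Authorization headers captured for a login attempt shows whether the browser sent a Kerberos ticket, fell back to NTLM, or was let in without sending any token.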
-
- Product Manager
- Posts: 14844
- Liked: 3086 times
- Joined: Sep 01, 2014 11:46 am
- Full Name: Hannes Kasparick
- Location: Austria
- Contact:
Re: Single Sign On for the Enterprise Manager
Hello,
I got a YubiKey from the customer for testing and it worked in my lab "in most cases", but not 100%
- Anonymous Authentication: Enabled (no idea why, but it was required)
- ASP.net impersonation: disabled
- Forms Authentication: disabled
- Windows Authentication: enabled (worked with following options: "Negotiate:Kerberos" only, "Negotiate + NTLM", "Negotiate" only)
- no additional SPN settings, IIS runs with default settings
The problem I faced was that it does not work 100%. Sometimes after reboot it just fails. Then I restarted the "VeeamBackup" website and it worked again. I tested Windows 10 with IE (latest patch level) where I always cleared the browser cache. The FQDN was a "trusted site".
Not sure whether that helps.
Best regards,
Hannes
-
- Veteran
- Posts: 291
- Liked: 25 times
- Joined: Mar 23, 2015 8:30 am
- Contact:
Re: Single Sign On for the Enterprise Manager
Hi Hannes
thanks for the reply.
as long as you have anonymous authentication enabled, you have no authentication in fact, so this will work of course but users are then not authenticated....
thx
sandsturm
-
- Product Manager
- Posts: 14844
- Liked: 3086 times
- Joined: Sep 01, 2014 11:46 am
- Full Name: Hannes Kasparick
- Location: Austria
- Contact:
Re: Single Sign On for the Enterprise Manager
I thought the same, but I must have been authenticated somehow as I could only see the VMs I have permissions to. With "no authentication" (from PC that is not in the domain) I just get the login screen username / password.
But maybe I'm totally wrong
-
- Veteran
- Posts: 291
- Liked: 25 times
- Joined: Mar 23, 2015 8:30 am
- Contact:
Re: Single Sign On for the Enterprise Manager
Yes, you see only your VM's because of the authorization from Veeam itself... but the authentication is not solved, or am I wrong?
maybe someone can bring some bright into this darkness
-
- Product Manager
- Posts: 14844
- Liked: 3086 times
- Joined: Sep 01, 2014 11:46 am
- Full Name: Hannes Kasparick
- Location: Austria
- Contact:
Re: Single Sign On for the Enterprise Manager
> Yes, you see only your VM's because of the authorization from Veeam itself.
If it was stable I would say "the result is important no matter who does the job"
> but the authentication is not solved, or am I wrong?
As mentioned earlier, SAML support is planned for the next version - in the meantime I see no way for Kerberos SSO.
-
- Veteran
- Posts: 291
- Liked: 25 times
- Joined: Mar 23, 2015 8:30 am
- Contact:
Re: Single Sign On for the Enterprise Manager
okay, thank you for your answer
-
- Lurker
- Posts: 1
- Liked: never
- Joined: Aug 21, 2019 11:25 am
- Contact:
Re: Single Sign On for the Enterprise Manager
Which version of Enterprise Manager is SAML support planned for?
-
- Chief Product Officer
- Posts: 31814
- Liked: 7302 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
-
- Service Provider
- Posts: 15
- Liked: never
- Joined: Jul 23, 2019 9:16 am
- Full Name: Chris McDonnell
- Location: London, UK
- Contact:
Re: Single Sign On for the Enterprise Manager
Did this make v10?
-
- Product Manager
- Posts: 14844
- Liked: 3086 times
- Joined: Sep 01, 2014 11:46 am
- Full Name: Hannes Kasparick
- Location: Austria
- Contact:
-
- Service Provider
- Posts: 15
- Liked: never
- Joined: Jul 23, 2019 9:16 am
- Full Name: Chris McDonnell
- Location: London, UK
- Contact:
Re: Single Sign On for the Enterprise Manager
Cool. Thanks
-
- Veteran
- Posts: 291
- Liked: 25 times
- Joined: Mar 23, 2015 8:30 am
- Contact:
Re: Single Sign On for the Enterprise Manager
I'm just trying to configure SAML for Enterprise Manager with V11 and I need a little bit more detail in the documentation. Page https://helpcenter.veeam.com/docs/backu ... ml?ver=110 has a chapter "Specifying Advanced SAML Authentication settings" and there the steps 5 and 6:
> 5. From the Authentication context comparison list, select a comparison method for authentication context: Exact, Minimum, Maximum or Better.
> 6. From the Authentication context class list, select one of the classes to specify an authentication method used by the Identity Provider. For example, for VMware Platform Services Controller, select PasswordProtectedTransport. By default, the Password option is selected.
Not sure, if someone can use the explanation of these two points, but for me they are not really helpful. Concerning step 5 I want to know the difference between the four options. Same for step 6: Maybe some examples could help or a little bit more documentation to this step could be really helpful.
Rest of the SAML documentation is really straightforward and easy to follow, if these two steps will have also a little bit more detail, maybe it not just helps me alone
thx
sandsturm
-
- Product Manager
- Posts: 20415
- Liked: 2302 times
- Joined: Oct 26, 2012 3:28 pm
- Full Name: Vladimir Eremin
- Contact:
Re: Single Sign On for the Enterprise Manager
5) You can find some information here
6) In SAML there are two main concepts:
- A service provider - something that needs the authentication from the identity provider to grant authorization to the user
- An identity provider - something that performs this authentication and confirms its status to service provider
In our example, Enterprise Manager serves the role of service provider, as it passes authentication requests to side service (identity provider). Depending on service implementation, identity provider might use different authentication methods, and here you need to specify the one that is relevant to your identity provider.
Thanks!
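How the four comparison methods from step 5 interact with the class chosen in step 6, as an added example that is not part of the thread or of Veeam's code: it follows the SAML 2.0 Core definition of the `Comparison` attribute on `RequestedAuthnContext` for a single requested class. The strength ranking is an assumption, because SAML leaves the ordering of classes to the identity provider, and the function names are hypothetical.

```python
PREFIX = "urn:oasis:names:tc:SAML:2.0:ac:classes:"

# Assumed strength ranking, weakest first. SAML leaves the ordering to the
# identity provider ("as deemed by the responder"); this one is illustrative.
RANKING = ["Password", "PasswordProtectedTransport", "X509", "SmartcardPKI"]


def acceptable_contexts(comparison, requested, available, ranking=RANKING):
    """Return the classes (short names) an IdP may assert for one requested class.

    comparison: 'exact', 'minimum', 'maximum' or 'better'
    requested:  class named in <RequestedAuthnContext>
    available:  classes the IdP can actually perform for this user
    An empty list means the request cannot be satisfied (NoAuthnContext status).
    """
    strength = {name: i for i, name in enumerate(ranking)}
    if requested not in strength:
        raise ValueError("unranked class: " + requested)
    wanted = strength[requested]
    known = sorted((c for c in available if c in strength), key=strength.get)
    if comparison == "exact":
        return [c for c in known if c == requested]
    if comparison == "minimum":       # at least as strong as the requested class
        return [c for c in known if strength[c] >= wanted]
    if comparison == "better":        # strictly stronger than the requested class
        return [c for c in known if strength[c] > wanted]
    if comparison == "maximum":       # strongest class not exceeding the request
        return [c for c in known if strength[c] <= wanted][-1:]
    raise ValueError("unknown comparison: " + comparison)


def requested_authn_context(comparison, requested):
    """Render the element a service provider places in its AuthnRequest."""
    return (
        '<samlp:RequestedAuthnContext Comparison="%s">'
        "<saml:AuthnContextClassRef>%s%s</saml:AuthnContextClassRef>"
        "</samlp:RequestedAuthnContext>" % (comparison, PREFIX, requested)
    )


# Constructed scenario: an identity provider whose users have smartcards only.
SMARTCARD_ONLY_IDP = ["SmartcardPKI"]
```

With the constructed smartcard-only identity provider, requesting `Password` with `exact` yields no acceptable class, while `minimum` or `better` accepts `SmartcardPKI`.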