AD Protected User can't use Veeam Console remotely

Jan 10, 2019 3:25 pm

Hi,
Is it expected behaviour that an Active directory user who is in the "Protected Users" group is unable to connect to Veeam Backup and Replication server when launching console from a remote server?
"Failed to connect to Veeam Backup & Replication Server: The logon attempt failed"
NB As soon as user account is removed from "Protected Users" you are able to connect.
TIA

Post by **foggy** » Jan 10, 2019 4:44 pm this post

Most likely it is NTLM authentication, which is not allowed for "Protected Users" group members while required when connecting remotely. We will add this note to the corresponding documentation section, thanks for the heads up!

hke · Post by **hke** » Oct 08, 2019 11:56 am this post

Will this issue (lack of Kerberos support for console connections) be fixed or just documented?

As you know, NTLM authentication is much weaker than Kerberos and protecting critical backup assets from passed hashes and other exploits is a top priority for many customers.

Post by **foggy** » Oct 11, 2019 2:38 pm this post

Yes, we have a requirement to support Kerberos-only authentication for backup infrastructure connections logged for the future versions.

AOK-BV · Post by **AOK-BV** » Feb 04, 2021 4:02 pm this post

+1
We have the same issue.

komzolkin · Post by **komzolkin** » Mar 28, 2021 4:23 pm this post

foggy wrote: ↑Oct 11, 2019 2:38 pm Yes, we have a requirement to support Kerberos-only authentication for backup infrastructure connections logged for the future versions.

+1 for the FR

hke · Post by **hke** » Apr 16, 2021 10:22 am this post

Any update on this? Veeam (and all other backup systems) are prime targets for ransomware operators. Protected Users group (i.e., Kerberos-only logins) is a frequently-recommended protection for admin accounts.

The way things stand now, you can't have a very secure admin ID if you also use Veeam (from anywhere other than the VBR server - which raises even more security issues).

Post by **Vitaliy S.** » Apr 19, 2021 12:41 pm this post

Hi hke,

The update is the following > currently, we are in the investigation stage (what is required from the RnD team standpoint to support it). As to when Kerberos support will be added to the product, then I cannot share any ETA yet.

Thanks!

rvjr · Post by **rvjr** » Mar 19, 2022 11:04 pm this post

Ping... any update on this? As far as I can see it's still not working in the latests v11.

Post by **Vitaliy S.** » Mar 21, 2022 9:41 am this post

Hi Rainer,

Yes, you're correct. This functionality is not part of the v11 release. Plans are to introduce this functionality (Kerberos support) in our next major versions.

Thanks!

joebranca · Post by **joebranca** » May 17, 2022 5:49 pm this post

Did I hear right that Kerberos only authentication is confirmed included in v12?

Post by **Vitaliy S.** » May 18, 2022 10:09 am this post

Yes, that's correct > NTLM and Kerberos

R&D Forums

AD Protected User can't use Veeam Console remotely

Re: AD Protected User can't use Veeam Console remotely

Re: AD Protected User can't use Veeam Console remotely

Re: AD Protected User can't use Veeam Console remotely

Re: AD Protected User can't use Veeam Console remotely

Re: AD Protected User can't use Veeam Console remotely

Re: AD Protected User can't use Veeam Console remotely

Re: AD Protected User can't use Veeam Console remotely

Re: AD Protected User can't use Veeam Console remotely

Re: AD Protected User can't use Veeam Console remotely

Re: AD Protected User can't use Veeam Console remotely

Re: AD Protected User can't use Veeam Console remotely

Who is online