SnakeSK
Service Provider

Unable to add gMSA to managed server

Post by SnakeSK »

Hello,

Upon trying gMSAs with Kerberos, most of it works OK (Guest Processing); however, we are unable to add Hyper-V hosts and managed servers processing under a gMSA because the selection dialog only wants a standard account.
HannesK
Product Manager
Full Name: Hannes Kasparick

Re: Unable to add gMSA to managed server

Post by HannesK »

Hello,
Yes, because gMSA accounts are only supported for application-aware image processing, not for infrastructure / managed servers.

Best regards,
Hannes
mkaec
Veteran
Full Name: Marc K

Re: Unable to add gMSA to managed server

Post by mkaec »

Is this a limitation of gMSAs themselves, or does more work just need to be done in B&R? It seems like gMSAs should work for administrative inventory tasks.

I almost told the team here that the recent vulnerability is a perfect example of why to move to gMSAs. That would have been embarrassing when I would then have had to go back to them and say "whoops, can't actually do it".

Re: Unable to add gMSA to managed server

Post by SnakeSK »

Any plans to include this in future releases?

Re: Unable to add gMSA to managed server

Post by HannesK »

No plans for now. When it comes to managed servers, a mechanism that works for Windows and Linux in the same way would probably be more useful than having gMSA support.
StoopidMonkey
Enthusiast
Full Name: Chris Lukowski

Re: Unable to add gMSA to managed server

Post by StoopidMonkey »

Correct me if I'm reading this wrong, but wasn't the point of gMSA support to keep any kind of cached Domain Admin credential out of the Veeam database so that an attacker wouldn't be able to extract it? If gMSAs only work for AAP and you still need a Domain Admin account to back up Hyper-V servers, is anything really solved?

Re: Unable to add gMSA to managed server

Post by HannesK »

Hello,
the goal was to support application aware processing.

For managed hosts, it would not really solve much because of the "files" section where a VBR administrator can do everything anyway (assuming four-eyes authorization is turned off).

Best regards,
Hannes