-
- Service Provider
- Posts: 90
- Liked: 23 times
- Joined: Feb 09, 2019 5:06 pm
- Contact:
Unable to add gMSA to managed server
Hello,
upon trying gMSAs with Kerberos, most of it works ok (Guest Processing), however we are unable to add Hyper-V Hosts and managed servers processing under gMSA because the selection dialog only wants standard account.
upon trying gMSAs with Kerberos, most of it works ok (Guest Processing), however we are unable to add Hyper-V Hosts and managed servers processing under gMSA because the selection dialog only wants standard account.
-
- Product Manager
- Posts: 14648
- Liked: 2990 times
- Joined: Sep 01, 2014 11:46 am
- Full Name: Hannes Kasparick
- Location: Austria
- Contact:
Re: Unable to add gMSA to managed server
Hello,
yes, because gMSA accounts are only supported for application aware image processing. Not for infrastructure / managed servers.
Best regards,
Hannes
yes, because gMSA accounts are only supported for application aware image processing. Not for infrastructure / managed servers.
Best regards,
Hannes
-
- Veteran
- Posts: 465
- Liked: 136 times
- Joined: Jul 16, 2015 1:31 pm
- Full Name: Marc K
- Contact:
Re: Unable to add gMSA to managed server
Is this a limitation of gMSAs themselves, or just more work needs to be done in B&R? It seems like gMSAs should work for administrative inventory tasks.
I almost told the team here that the recent vulnerability is a perfect example of why to move to gMSAs. That would have been embarrassing when I would then have had to go back to them and say "whoops, can't actually do it".
I almost told the team here that the recent vulnerability is a perfect example of why to move to gMSAs. That would have been embarrassing when I would then have had to go back to them and say "whoops, can't actually do it".
-
- Service Provider
- Posts: 90
- Liked: 23 times
- Joined: Feb 09, 2019 5:06 pm
- Contact:
Re: Unable to add gMSA to managed server
Any plans to include this in the future releases?
-
- Product Manager
- Posts: 14648
- Liked: 2990 times
- Joined: Sep 01, 2014 11:46 am
- Full Name: Hannes Kasparick
- Location: Austria
- Contact:
Re: Unable to add gMSA to managed server
no plans for now. when it comes to managed servers, then a mechanism that works for Windows and Linux in the same way would probably be more useful than having gMSA support.
-
- Enthusiast
- Posts: 38
- Liked: 4 times
- Joined: Nov 14, 2019 7:12 pm
- Full Name: Chris Lukowski
- Contact:
Re: Unable to add gMSA to managed server
Correct me if I'm reading this wrong, but wasn't the point of gMSA support to keep any kind of cached Domain Admin credential out of the Veeam database so that an attacker wouldn't be able to extract it? If gMSAs only work for AAP and you still need a Domain Admin account to back up Hyper-V servers is anything really solved?
-
- Product Manager
- Posts: 14648
- Liked: 2990 times
- Joined: Sep 01, 2014 11:46 am
- Full Name: Hannes Kasparick
- Location: Austria
- Contact:
Re: Unable to add gMSA to managed server
Hello,
the goal was to support application aware processing.
For managed hosts, it would not really solve much because of the "files" section where a VBR administrator can do everything anyway (assuming four-eyes authorization is turned off).
Best regards,
Hannes
the goal was to support application aware processing.
For managed hosts, it would not really solve much because of the "files" section where a VBR administrator can do everything anyway (assuming four-eyes authorization is turned off).
Best regards,
Hannes
Who is online
Users browsing this forum: ahmad.alsabbah, Google [Bot], Semrush [Bot] and 31 guests