Veeam NAS Backup NetApp Kerberos Issue

[MatzeB]

Hi,

in the last weeks we had two support cases for a Veeam NAS Backup Issue, it was Case 07426619 and 07495374.
We tried to use the NAS backup function with NetApp integration to backup CIFS file shares. Every time we did this we received an Access Denied Username or Password Incorrect error message.
After many hours of troubleshooting, it turned out that the backup via the simple NAS backup, i.e. without storage integration with UNC path \\Fileserver\ShareXY works. However, backing up the same share with integration and the same user did not.
So at the beginning we also suspected the NetApp service account, but since snapshot creation, storage rescan etc. ran smoothly, we were able to exclude this.

Finally, we discovered in the Veeam log files that Veeam accesses the share differently when backing up with and without storage integration.

Direct access / Simple NAS backup:
[NasBackup] Backup spec: ‘RestorePointId “3”, RootLink, “\\fileserver\data”,

With Netapp integration:
[NasBackup] Backup spec: ‘RestorePointId “5”, RootLink, ’\\10.10.120.150\data


Since the customer hardened the NetApp according to best practice, NTLMv2 was disabled on the NetApp, so it could only be accessed via Kerberos. No problem for the Simple NAS Backup, as the hostname was used here.
The IP is used for storage integration, but Kerberos can't use IP by default. Then I realized what was happening, Veeam simply asks the NetApp for the IPs in the background and tries to access them, but this fails.

With a workaround, i.e.

Code: Select all

setspn -S HOST/ip.address AD_Object

with the IP address of the filer and a registry key, you can get the setup to work.

https://learn.microsoft.com/en-us/windo ... os-over-ip

Here is my feature request:
a) I have not found any information about this in the documentation. If there is really nothing here, there should be a note
b) Veeam could simply do a reverse DNS lookup and then access via DNS OR you could make a field in the storage/NAS backup job for ‘Type FQDN of Fileserver here’.

Even with the support we needed many days until we found the cause...

Best regards
Matze

[Dima P.]

Hello Matze,

We will investigate this issue with RnD folks. Thank you for your feedback and Happy New Year!

[MatzeB]

Hi Dima, any news for this? Yesterday i run into the same issue - yes now i know how to "workaround" but a better native behaviour would be nice.

Regards
Matze

[ungruha]

After creating a ticket (07713942) I was asked to create a forum post marked as feature request (I hope I´m doing this the right way).

So my problem is, that we need to turn off NTLMv2 for security reasons. So our proxy servers are no longer able to use ntlm(v1/v2) and use kerberos properly.
However, when performing a backup of a NAS Filer (NetApp) I am not able to perform that specific task.

Environment:
- Veeam B&R 12.3.2.3617 (running on Windows Server 2022)
- NAS Proxy Server (running on Windows Server 2025)
- NetApp AFF as NAS Filer running in Metrocluster Configuration
-- Cluster is added as NDMP Server for Tape Backup purposes
-- Cluster is added in Storage Infrastructure for VMware vSphere Backup purposes
-- Cluster is added as NAS Filer (adding specific NAS Filer storage vm is not allowed)

Expected behaviour:
- NAS Filer backup via storage snapshot is possible via kerberos authentication

Actual behaviour:
- Backup fails to authenticate with error message "<date and timestamp> :: Error: Agent: Failed to process method {NasMaster.CreateBackupProcessor}: Authentication failed because NTLM authentication has been disabled."

Probable cause:
- Veeam tries to contact the cluster instead of the storage vm and therefore the authentication fails. Adding the storage vm in NAS Filer section should solve this problem, but fails due to certificate errors ("You cannot have both the cDOT cluster and its SVMs registered with Veeam Backup and Replication at the same time.").

[Mildur]

Hi ungruha,

Welcome to the forum.
I have moved your request to an existing topic regarding the same situation: "NTLM2 disabled for security reasons".

I saw that support provided you with an option, but I think Matthias’s approach is safer than the two registry keys you received from support. Maybe you can give it a try.

Best,
Fabian