[V13] Upcoming NTLM Deprecation, Discontinuation

[ENBS]

Hi,

i've read in the "whats new in V13 https://www.veeam.com/veeam_backup_13_whats_new__wn.pdf " that NTLM will be changed out in favor of Kerberos. As I'm currently testing the v13 appliance and having encountered Authproblems when trying to connect to SMB-Repositories not connected to an AD i'm wondering if this will also apply to the final V13 on windows?

We are running all our Hyperv-Hosts without a Domain on a seperate Network and even offsite where the firewall blocks the return-traffic ("run server on this side" helps here). We connect the Servers through IP or HOST-File-entrys. Will this be supported in the future?

[Egor Yakovlev]

Hi ENBS,

For Windows VBR, NTLM will remain available after upgrade. Just as today with V12, the choice between Kerberos and NTLM when both are available will be based on the OS settings, that is Veeam will use whatever protocol the OS is configured to use. Of course by default Kerberos has preference and overall we highly recommend that you start deprecating NTLM usage.

The software appliance on the other hand operates in FIPS certified mode and has DISA STIG hardening applied, which makes it impossible for us to use NTLM in principle.

P.S. Hyper-V communication without domain is not a problem for software appliance, you just need to use Veeam Deployment Kit.

[ENBS]

Hi Egor,

thanks for the reply. I'm glad to hear that the Windowsversion will still support it. Thanks for the clarification with the Appliance. I've tried to use the Deployment Kit and was able to add a standalone Windows-PC that way but i couldn't add an SMB-Share (there is no option for the certificate-auth)

Adding PC through certificate:





But adding the SMB-Share has no option:



or through the name



In an AD this works:





For this alone we won't be using the appliance any time soon. I know there are workarounds to use Kerberos with IPs but that's also not a very simple option. I wish Microsoft would allow this out-of-the-box. I know NTLM has to go but i can't always use an AD in every Installation.

Btw. The GUI-Login in the appliance says to use the windows-client if you use the community edition but as i see there is no community edition - version of the license. Is this a bug? For testing i use a 30-day-key now.

[Andreas Neufert]

The main point here is to use the full qualified domain name for the shares and ensure that all servers (Veeam and Sources) are fully resolvable by DNS. You do not need a domain then.

So you define a FQDN for the share and add it to forward and reverse zone in DNS.
Then add the FQDN on the servername to Veeam.

Example:
Share: //filername.acme.local/share1 on IP 192.168.0.1
DNS entry shoud then be a A record for this
filername.acme.local A 192.168.0.1
As well as adding it to the IP reverse lookup.

The Veeam Server
veeamserver.acme.local A 192.168.0.2
+ reverese lookup

The filer need to be configured for this FQDN as well.

Add all Veeam server that hold other roles in the same way.

You do not need to add it to the authentication domain in order to add it to the DNS.

Then add the share in the following way to Veeam: //filername.acme.local/share1

[marina.skobeleva]

Btw. The GUI-Login in the appliance says to use the windows-client if you use the community edition but as i see there is no community edition - version of the license. Is this a bug? For testing i use a 30-day-key now.

If you use any valid license (including an Evaluation license), you can test both the Web UI and the Remote Console (windows-client).
Thanks for catching this. Just to clarify, “Community Edition” means you have not installed any license key and in this mode only data recovery features are supported.

[ENBS]

@marina.skobeleva
Yes, i was under the impression that the appliance had a "community" aka "free" version because the web-gui said that the first time. I could only make restores. I see that there will be no community-edition because the appliance is targeted at enterprises.

@Andreas Neufert
Hmm, i tried solving this with the HOSTS file but that didn't turn out.




If i install a DNS-Server on windows, it would be not to far of to install the rest of an AD for me but i will try this with a linux-dns-server and see if this will get me somewhere.

Thanks!

[Andreas Neufert]

Sorry, the other side or Kerberos need to be configured as well with the correct DNS FQDN name, otherwise it will not work. So the filer needs to know that he is this specific host and FQDN, Kerberos would not work otherwise.

[Andreas Neufert]

Here is a sample of the NetApp configuration: https://docs.netapp.com/us-en/ontap/nfs ... quirements

[Andreas Neufert]

Sorry here is the one for Kerberos and SMB: https://docs.netapp.com/us-en/ontap/smb ... -task.html there are other general requirements listed on other pages of the SMB area of this guide.

[DHuppertz]

For testing real scenario with new v13 Appliance, we would like to add Hyper-V Host with local credentials, but it fails with the following error:
Cannot find the specified domain
Case #07821034

[Gostev]

Yeah you can't really do that without NTLM, so you need to use the deployment kit.
Please read the V13 What's New document for more information.

Merging this into the existing discussion.

[DHuppertz]

Hello Anton,

very, very cool adding a windows host over deployment kit: no credentials needed
We also realized to add a share on little NAS as a repo.

Until now great solution for our SMB customers

Kr

[m.costantino]

So,recapping, this means that the VBR13 appliance cannot access SMB shares that are on a "non-joined domain" NAS?
My english is not really good

[m.costantino]

Hi ENBS,

For Windows VBR, NTLM will remain available after upgrade. Just as today with V12, the choice between Kerberos and NTLM when both are available will be based on the OS settings, that is Veeam will use whatever protocol the OS is configured to use. Of course by default Kerberos has preference and overall we highly recommend that you start deprecating NTLM usage.

The software appliance on the other hand operates in FIPS certified mode and has DISA STIG hardening applied, which makes it impossible for us to use NTLM in principle.

P.S. Hyper-V communication without domain is not a problem for software appliance, you just need to use Veeam Deployment Kit.

I read "...after upgrade..." does this mean that a fresh installation of a windows vbr13 will not support NTLM? Am I correct?

[Gostev]

No, it does not mean that. As per the What's New document linked in the first post, NTLM is still available for V13 Windows installable software. It is however considered a deprecated authentication method due to known vulnerabilities, which may be used by malicious actors to take over your backup infrastructure. Therefore we recommend to follow Microsoft recommendations and plan disabling NTLM in your environment completely.