Hi,
I've read in the "whats new in V13 https://www.veeam.com/veeam_backup_13_whats_new__wn.pdf " that NTLM will be changed out in favor of Kerberos. As I'm currently testing the v13 appliance and have encountered auth problems when trying to connect to SMB repositories not connected to an AD, I'm wondering if this will also apply to the final V13 on Windows?
We are running all our Hyper-V hosts without a domain on a separate network and even offsite where the firewall blocks the return traffic ("run server on this side" helps here). We connect the servers through IP or hosts file entries. Will this be supported in the future?
-
- Influencer
- Posts: 12
- Liked: 1 time
- Joined: Jan 16, 2023 10:07 am
- Full Name: ENBS
- Contact:
-
- Product Manager
- Posts: 2607
- Liked: 727 times
- Joined: Jun 14, 2013 9:30 am
- Full Name: Egor Yakovlev
- Location: Prague, Czech Republic
- Contact:
Re: Upcoming V13 NTLM Deprecation
Hi ENBS,
For Windows VBR, NTLM will remain available after upgrade. Just as today with V12, the choice between Kerberos and NTLM when both are available will be based on the OS settings, that is Veeam will use whatever protocol the OS is configured to use. Of course by default Kerberos has preference and overall we highly recommend that you start deprecating NTLM usage.
The software appliance on the other hand operates in FIPS certified mode and has DISA STIG hardening applied, which makes it impossible for us to use NTLM in principle.
P.S. Hyper-V communication without domain is not a problem for software appliance, you just need to use Veeam Deployment Kit.
-
- Influencer
- Posts: 12
- Liked: 1 time
- Joined: Jan 16, 2023 10:07 am
- Full Name: ENBS
- Contact:
Re: Upcoming V13 NTLM Deprecation
Hi Egor,
Thanks for the reply. I'm glad to hear that the Windows version will still support it. Thanks for the clarification with the appliance. I've tried to use the Deployment Kit and was able to add a standalone Windows PC that way, but I couldn't add an SMB share (there is no option for the certificate auth).
Adding PC through certificate:


But adding the SMB-Share has no option:

or through the name

In an AD this works:


For this alone we won't be using the appliance any time soon. I know there are workarounds to use Kerberos with IPs but that's also not a very simple option. I wish Microsoft would allow this out of the box. I know NTLM has to go but I can't always use an AD in every installation.
Btw. the GUI login in the appliance says to use the windows-client if you use the Community Edition, but as far as I can see there is no Community Edition version of the license. Is this a bug? For testing I use a 30-day key now.
-
- VP, Product Management
- Posts: 7296
- Liked: 1562 times
- Joined: May 04, 2011 8:36 am
- Full Name: Andreas Neufert
- Location: Germany
- Contact:
Re: Upcoming V13 NTLM Deprecation
The main point here is to use the fully qualified domain name for the shares and ensure that all servers (Veeam and sources) are fully resolvable by DNS. You do not need a domain then.
So you define a FQDN for the share and add it to forward and reverse zone in DNS.
Then add the FQDN on the servername to Veeam.
Example:
Share: //filername.acme.local/share1 on IP 192.168.0.1
DNS entry should then be an A record for this
filername.acme.local A 192.168.0.1
As well as adding it to the IP reverse lookup.
The Veeam Server
veeamserver.acme.local A 192.168.0.2
+ reverse lookup
Add all Veeam servers that hold other roles in the same way.
You do not need to add it to the authentication domain in order to add it to the DNS.
Then add the share in the following way to Veeam: //filername.acme.local/share1
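The forward and reverse records described in the post above can be checked before the share is added. This is an added example, not part of the original thread and not Veeam code; the function names and the `SAMPLE_*` zone data are constructed for illustration, and the default resolvers use whatever DNS the machine running the script is configured with.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

def share_host(share):
    """Server part of a //server/share or UNC path, lower-cased."""
    host = urlsplit("smb:" + share.replace("\\", "/")).hostname
    if not host:
        raise ValueError(f"no server name in {share!r}")
    return host.rstrip(".")

def system_forward(name):   # A lookup through the OS resolver
    return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)})

def system_reverse(ip):     # PTR lookup through the OS resolver
    return socket.gethostbyaddr(ip)[0]

def check_host(host, forward=system_forward, reverse=system_reverse):
    """Return a list of problems; an empty list means A and PTR agree."""
    try:
        ipaddress.ip_address(host)
        return [f"{host}: IP address given, an FQDN is required"]
    except ValueError:
        pass
    problems = [] if "." in host else [f"{host}: short name, not fully qualified"]
    try:
        addrs = forward(host)
    except OSError as exc:
        return problems + [f"{host}: no A record ({exc})"]
    for ip in addrs:
        try:
            ptr = reverse(ip).lower().rstrip(".")
        except OSError as exc:
            problems.append(f"{ip}: no PTR record ({exc})")
            continue
        if ptr != host.lower():
            problems.append(f"{ip}: PTR is {ptr}, expected {host}")
    return problems

# Constructed zone data mirroring the post; the PTR for the Veeam server is left out on purpose.
SAMPLE_A = {"filername.acme.local": ["192.168.0.1"], "veeamserver.acme.local": ["192.168.0.2"]}
SAMPLE_PTR = {"192.168.0.1": "filername.acme.local"}

def sample_forward(name):
    if name not in SAMPLE_A:
        raise OSError("NXDOMAIN")
    return SAMPLE_A[name]

def sample_reverse(ip):
    if ip not in SAMPLE_PTR:
        raise OSError("NXDOMAIN")
    return SAMPLE_PTR[ip]
```

Calling `check_host(share_host(path))` without the sample resolvers runs the same checks against live DNS; run it from the Veeam server and from each machine holding another Veeam role, since each must resolve the names itself.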
-
- Veeam Software
- Posts: 51
- Liked: 20 times
- Joined: Feb 10, 2020 1:48 pm
- Full Name: Marina Skobeleva
- Contact:
Re: Upcoming V13 NTLM Deprecation
If you use any valid license (including an Evaluation license), you can test both the Web UI and the Remote Console (windows-client).
ENBS wrote: "Btw. The GUI-Login in the appliance says to use the windows-client if you use the community edition but as I see there is no community edition - version of the license. Is this a bug? For testing I use a 30-day-key now."
Thanks for catching this. Just to clarify, “Community Edition” means you have not installed any license key and in this mode only data recovery features are supported.