Host-based backup of Microsoft Hyper-V VMs.
ENBS
Influencer
Posts: 12
Liked: 1 time
Joined: Jan 16, 2023 10:07 am
Full Name: ENBS
Contact:

Upcoming V13 NTLM Deprecation

Post by ENBS »

Hi,

I've read in the "What's New in V13" document ( https://www.veeam.com/veeam_backup_13_whats_new__wn.pdf ) that NTLM will be changed out in favor of Kerberos. As I'm currently testing the V13 appliance and have encountered auth problems when trying to connect to SMB repositories not connected to an AD, I'm wondering if this will also apply to the final V13 on Windows?

We are running all our Hyper-V hosts without a domain on a separate network and even offsite where the firewall blocks the return traffic ("run server on this side" helps here). We connect the servers through IP or hosts file entries. Will this be supported in the future?
Egor Yakovlev
Product Manager
Posts: 2607
Liked: 727 times
Joined: Jun 14, 2013 9:30 am
Full Name: Egor Yakovlev
Location: Prague, Czech Republic
Contact:

Re: Upcoming V13 NTLM Deprecation

Post by Egor Yakovlev »

Hi ENBS,

For Windows VBR, NTLM will remain available after upgrade. Just as today with V12, the choice between Kerberos and NTLM when both are available will be based on the OS settings, that is, Veeam will use whatever protocol the OS is configured to use. Of course, by default Kerberos has preference, and overall we highly recommend that you start deprecating NTLM usage.

The software appliance on the other hand operates in FIPS certified mode and has DISA STIG hardening applied, which makes it impossible for us to use NTLM in principle.

P.S. Hyper-V communication without domain is not a problem for software appliance, you just need to use Veeam Deployment Kit.

Re: Upcoming V13 NTLM Deprecation

Post by ENBS »

Hi Egor,

Thanks for the reply. I'm glad to hear that the Windows version will still support it. Thanks for the clarification with the appliance. I've tried to use the Deployment Kit and was able to add a standalone Windows PC that way, but I couldn't add an SMB share (there is no option for the certificate auth).

Adding PC through certificate:

Image

Image

But adding the SMB-Share has no option:

Image

or through the name

Image

In an AD this works:

Image

Image

For this alone we won't be using the appliance any time soon. I know there are workarounds to use Kerberos with IPs, but that's also not a very simple option. I wish Microsoft would allow this out of the box. I know NTLM has to go, but I can't always use an AD in every installation.

Btw. the GUI login in the appliance says to use the Windows client if you use the Community Edition, but as I see there is no Community Edition version of the license. Is this a bug? For testing I use a 30-day key now.
Andreas Neufert
VP, Product Management
Posts: 7296
Liked: 1562 times
Joined: May 04, 2011 8:36 am
Full Name: Andreas Neufert
Location: Germany
Contact:

Re: Upcoming V13 NTLM Deprecation

Post by Andreas Neufert »

The main point here is to use the fully qualified domain name for the shares and ensure that all servers (Veeam and sources) are fully resolvable by DNS. You do not need a domain then.

So you define an FQDN for the share and add it to the forward and reverse zones in DNS.
Then add the FQDN on the servername to Veeam.

Example:
Share: //filername.acme.local/share1 on IP 192.168.0.1
The DNS entry should then be an A record for this:
filername.acme.local A 192.168.0.1
As well as adding it to the IP reverse lookup.

The Veeam Server
veeamserver.acme.local A 192.168.0.2
+ reverse lookup

Add all Veeam servers that hold other roles in the same way.

You do not need to add it to the authentication domain in order to add it to the DNS.

Then add the share in the following way to Veeam: //filername.acme.local/share1
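
The forward and reverse lookup requirement described in the post above can be checked before the share is added. This is an added example, not part of the thread and not Veeam tooling; the function names are hypothetical, and the resolver functions are injectable so the check can also be run against constructed records.

```python
import ipaddress
import socket


def _forward(name):
    # Default forward lookup: IPv4 addresses from the OS resolver (A records).
    return socket.gethostbyname_ex(name)[2]


def _reverse(ip):
    # Default reverse lookup: primary name plus aliases from the PTR answer.
    primary, aliases, _ = socket.gethostbyaddr(ip)
    return [primary, *aliases]


def check_host_dns(host, forward=_forward, reverse=_reverse):
    """Return a list of problems with the forward/reverse DNS of one host."""
    host = host.rstrip(".").lower()
    try:
        ipaddress.ip_address(host)
        return [f"{host} is an IP address; use the server's FQDN"]
    except ValueError:
        pass  # not an IP literal, so treat it as a name
    if "." not in host:
        return [f"{host} is a short name; use the fully qualified domain name"]
    try:
        addresses = forward(host)
    except OSError as exc:
        return [f"no forward (A) record for {host}: {exc}"]
    problems = []
    for ip in addresses:
        try:
            names = [n.rstrip(".").lower() for n in reverse(ip)]
        except OSError as exc:
            problems.append(f"no reverse (PTR) record for {ip}: {exc}")
            continue
        if host not in names:
            problems.append(f"PTR for {ip} returns {names}, not {host}")
    return problems


def check_share_dns(share, forward=_forward, reverse=_reverse):
    """Check the server part of a share path such as //server.domain/share."""
    parts = share.replace("\\", "/").lstrip("/").split("/")
    if len(parts) < 2 or not parts[0] or not parts[1]:
        return [f"cannot parse a server and share name from {share!r}"]
    return check_host_dns(parts[0], forward, reverse)


if __name__ == "__main__":
    # Names from the example in the post above; replace them with your own.
    print(check_share_dns("//filername.acme.local/share1") or "OK")
    print(check_host_dns("veeamserver.acme.local") or "OK")
```

An empty list means the name has an A record and every address it resolves to has a PTR record pointing back to the same FQDN.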
marina.skobeleva
Veeam Software
Posts: 51
Liked: 20 times
Joined: Feb 10, 2020 1:48 pm
Full Name: Marina Skobeleva
Contact:

Re: Upcoming V13 NTLM Deprecation

Post by marina.skobeleva »

"Btw. the GUI login in the appliance says to use the Windows client if you use the Community Edition, but as I see there is no Community Edition version of the license. Is this a bug? For testing I use a 30-day key now."
If you use any valid license (including an Evaluation license), you can test both the Web UI and the Remote Console (windows-client).
Thanks for catching this. Just to clarify, “Community Edition” means you have not installed any license key and in this mode only data recovery features are supported.