Host-based backup of Microsoft Hyper-V VMs.
ENBS
Influencer
Posts: 13
Liked: 1 time
Joined: Jan 16, 2023 10:07 am
Full Name: ENBS

[V13] Upcoming NTLM Deprecation, Discontinuation

Post by ENBS »

Hi,

I've read in the "What's New in V13" document ( https://www.veeam.com/veeam_backup_13_whats_new__wn.pdf ) that NTLM will be changed out in favor of Kerberos. As I'm currently testing the V13 appliance and have encountered auth problems when trying to connect to SMB repositories not connected to an AD, I'm wondering if this will also apply to the final V13 on Windows?

We are running all our Hyper-V hosts without a domain on a separate network and even offsite where the firewall blocks the return traffic ("run server on this side" helps here). We connect the servers through IP or hosts file entries. Will this be supported in the future?
Egor Yakovlev
Product Manager
Posts: 2609
Liked: 728 times
Joined: Jun 14, 2013 9:30 am
Full Name: Egor Yakovlev
Location: Prague, Czech Republic

Re: Upcoming V13 NTLM Deprecation

Post by Egor Yakovlev » 1 person likes this post

Hi ENBS,

For Windows VBR, NTLM will remain available after upgrade. Just as today with V12, the choice between Kerberos and NTLM when both are available will be based on the OS settings, that is, Veeam will use whatever protocol the OS is configured to use. Of course, by default Kerberos has preference, and overall we highly recommend that you start deprecating NTLM usage.

The software appliance on the other hand operates in FIPS certified mode and has DISA STIG hardening applied, which makes it impossible for us to use NTLM in principle.

P.S. Hyper-V communication without a domain is not a problem for the software appliance, you just need to use Veeam Deployment Kit.

Re: Upcoming V13 NTLM Deprecation

Post by ENBS »

Hi Egor,

Thanks for the reply. I'm glad to hear that the Windows version will still support it. Thanks for the clarification with the appliance. I've tried to use the Deployment Kit and was able to add a standalone Windows PC that way, but I couldn't add an SMB share (there is no option for the certificate auth).

Adding PC through certificate:

Image

Image

But adding the SMB-Share has no option:

Image

or through the name

Image

In an AD this works:

Image

Image

For this alone we won't be using the appliance any time soon. I know there are workarounds to use Kerberos with IPs but that's also not a very simple option. I wish Microsoft would allow this out of the box. I know NTLM has to go but I can't always use an AD in every installation.

Btw. The GUI login in the appliance says to use the Windows client if you use the Community Edition, but as I see there is no Community Edition version of the license. Is this a bug? For testing I use a 30-day key now.
Andreas Neufert
VP, Product Management
Posts: 7302
Liked: 1564 times
Joined: May 04, 2011 8:36 am
Full Name: Andreas Neufert
Location: Germany

Re: Upcoming V13 NTLM Deprecation

Post by Andreas Neufert » 1 person likes this post

The main point here is to use the fully qualified domain name for the shares and ensure that all servers (Veeam and sources) are fully resolvable by DNS. You do not need a domain then.

So you define a FQDN for the share and add it to forward and reverse zone in DNS.
Then add the FQDN on the servername to Veeam.

Example:
Share: //filername.acme.local/share1 on IP 192.168.0.1
DNS entry should then be an A record for this:
filername.acme.local A 192.168.0.1
As well as adding it to the IP reverse lookup.

The Veeam Server
veeamserver.acme.local A 192.168.0.2
+ reverse lookup

The filer needs to be configured for this FQDN as well.

Add all Veeam servers that hold other roles in the same way.

You do not need to add it to the authentication domain in order to add it to the DNS.

Then add the share in the following way to Veeam: //filername.acme.local/share1
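
A pre-check for the naming conditions listed in the post above, as an added example that is not part of the original post and not Veeam tooling: it flags shares addressed by IP or short name and verifies that the forward and reverse records agree. The function names and the sample records are assumptions constructed from the post's acme.local example.

```python
import ipaddress
import socket

def split_unc(path):
    """Return the host part of //host/share or \\\\host\\share."""
    return path.replace("\\", "/").lstrip("/").split("/")[0]

def system_forward(name):
    # Note: the OS resolver also honours the hosts file, not only DNS.
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None

def system_reverse(ip):
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def check_share(path, forward=system_forward, reverse=system_reverse):
    """Return a list of naming problems; an empty list means the checks pass."""
    host = split_unc(path)
    try:
        ipaddress.ip_address(host)
        return ["share is addressed by IP, not by FQDN"]
    except ValueError:
        pass  # not an IP literal, keep checking
    if "." not in host:
        return ["'%s' is a short name, not an FQDN" % host]
    ip = forward(host)
    if ip is None:
        return ["no forward (A) record for %s" % host]
    ptr = reverse(ip)
    if ptr is None:
        return ["no reverse (PTR) record for %s" % ip]
    if ptr.rstrip(".").lower() != host.lower():
        return ["PTR for %s is %s, expected %s" % (ip, ptr, host)]
    return []

# Constructed records; the PTR for 192.168.0.2 is deliberately missing.
SAMPLE_A = {"filername.acme.local": "192.168.0.1",
            "veeamserver.acme.local": "192.168.0.2"}
SAMPLE_PTR = {"192.168.0.1": "filername.acme.local"}

if __name__ == "__main__":
    for p in ("//filername.acme.local/share1", "//192.168.0.1/share1",
              "//filername/share1", "//veeamserver.acme.local/x"):
        print(p, "->", check_share(p, SAMPLE_A.get, SAMPLE_PTR.get) or "OK")
```

Called without the two lookup arguments, `check_share` uses the operating system resolver. It only checks name resolution; the filer's own Kerberos configuration is outside its scope.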
marina.skobeleva
Veeam Software
Posts: 51
Liked: 21 times
Joined: Feb 10, 2020 1:48 pm
Full Name: Marina Skobeleva

Re: Upcoming V13 NTLM Deprecation

Post by marina.skobeleva » 1 person likes this post

"Btw. The GUI login in the appliance says to use the Windows client if you use the Community Edition, but as I see there is no Community Edition version of the license. Is this a bug? For testing I use a 30-day key now."
If you use any valid license (including an Evaluation license), you can test both the Web UI and the Remote Console (windows-client).
Thanks for catching this. Just to clarify, “Community Edition” means you have not installed any license key and in this mode only data recovery features are supported.

Re: Upcoming V13 NTLM Deprecation

Post by ENBS »

@marina.skobeleva
Yes, I was under the impression that the appliance had a "community" aka "free" version because the web GUI said that the first time. I could only make restores. I see that there will be no Community Edition because the appliance is targeted at enterprises.

@Andreas Neufert
Hmm, I tried solving this with the HOSTS file but that didn't turn out.

Image

Image

If I install a DNS server on Windows, it would not be too far off to install the rest of an AD for me, but I will try this with a Linux DNS server and see if this will get me somewhere.

Thanks!

Re: Upcoming V13 NTLM Deprecation

Post by Andreas Neufert »

Sorry, the other side or Kerberos need to be configured as well with the correct DNS FQDN name, otherwise it will not work. So the filer needs to know that he is this specific host and FQDN, Kerberos would not work otherwise.

Re: Upcoming V13 NTLM Deprecation

Post by Andreas Neufert »

Here is a sample of the NetApp configuration: https://docs.netapp.com/us-en/ontap/nfs ... quirements

Re: Upcoming V13 NTLM Deprecation

Post by Andreas Neufert »

Sorry, here is the one for Kerberos and SMB: https://docs.netapp.com/us-en/ontap/smb ... -task.html. There are other general requirements listed on other pages of the SMB area of this guide.
DHuppertz
Enthusiast
Posts: 29
Liked: 4 times
Joined: Nov 08, 2019 10:05 am
Full Name: Dieter Huppertz

[MERGED] [V13] Could not add Hyper-V Host with local credentials

Post by DHuppertz »

To test a real scenario with the new V13 appliance, we would like to add a Hyper-V host with local credentials, but it fails with the following error:
Cannot find the specified domain
Case #07821034
Gostev
Chief Product Officer
Posts: 32503
Liked: 7843 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland

Re: [V13] Upcoming V13 NTLM Deprecation

Post by Gostev »

Yeah, you can't really do that without NTLM, so you need to use the deployment kit.
Read the V13 What's New document for more information.

Merging this into the existing discussion.