V13.0.1 - MFA not prompting more than once for Remote VBR Console Users

[davemann]

Hello -

I am seeing a behaviour where users who use the VBR Console from a remote system are not prompted for MFA every time they start the console and log in. It prompts only once, and subsequent launches does not prompt and simply loads the console. This is not what I would expect, and is not consistent with the documentation on how MFA should function.

I've tried to re-register MFA for a user (my own), but this doesn't change things.

From the VBR server (logged in via VM console) itself, I can confirm I am prompted for MFA every single time - which is how things were for me in V12.

Note - I have had to add "NT AUTHORITY\SYSTEM" as a VBR Administrator (Service Account) per article https://www.veeam.com/kb4687 to get resolve issues with with plug-ins for PVE, etc.

[Gostev]

Hello, did you open a support case?

[davemann]

I had mentioned this issue in case 07925631, which essentially has become a list of issues that I've experienced post-upgrade.

Anyhow, strangely enough - after removing the remembered server profile, and then connecting again, but using DOMAIN\username as the format when logging in, I now get prompted for MFA everytime, even if "remember me" is selected.

I've tried deleting the connection profile again and using UPN format as the username, and it's still fine. Odd, very odd.

I had a coworker confirm the lack of MFA prompting earlier in the day from a remote VBR console, and had him do the same as I mentioned above just now, and we're both being prompted for MFA everytime again as I would expect.

That's... weird.

[davemann]

Maybe it has something to do with the fact that Users are defined in the "Users and Roles" on the VBR server in DOMAIN\Username format?

[Gostev]

There's no point in guessing. If you can reproduce it, then our support will be happy investigate and tell you the actual reason.

[davemann]

You're not wrong - however, I can no longer reproduce this since going through what I described above.

[kbr]

Hi, have the same issue, logged a case with Veeam support and finally they were able to reproduce the issue. It has something to do with a token that does not get revoked. So if a session is not closed correctly users will be able to keep loging in with cashed credentials and without MFA. This works "as expected" according to Veeam but is of course not what we as end user expect .

It's a long e-mail conversation but this sums it up: "If the session is not finalized, the refresh token continues to be re-used to obtain new token pairs, without the need of MFA. Easy way to reproduce it is to stop veeam.backup.shell.exe in Task manager while the console is open. The next login attempt won't ask for MFA. To resolve it immediately, it is possible to "forget" the saved user, re-enter the credentials and save it again - this action will create a new authentication cookie.

As discussed, the refresh token revocation logic is planned to be reworked in further updates, which should address the issues with MFA as well.

[HannesK]

if I need to guess, then not being able to reproduce might happen because the refresh token lifetime expired (the lifetime is something mentioned in the bug that was created as result of case 07865214 opened by kbr).