v13 adding a Hyper-V Cluster using Deployment Kit

[Miha Pecnik]

Brand new environment, NTLM is blocked and can't really use Kerberos since some hosts are Workgroup, some in a different domain. Installed v13 on a Windows host.

Adding individual hosts with "Connect using a certificate-based authentication" seems to work great, but that option doesn't exist when adding a Hyper-V Cluster. I even't tried PowerShell (Add-VBRHvCluster) but the certificate option is also missing there.

Why is that, will this be added shortly (we're not going to production just yet so I have the luxury of waiting)?

[david.domask]

Hi Miha,

Please see our User Guide page here -- credentials are required for communication with HyperV Cluster Objects, so certificate based authentication will not work.

[Miha Pecnik]

Thank you David, I didn't see that article.

Am I correct that this isn't a current limitation of Veeam, but a fundamental issue, that probably won't be solved?

Additionally if Veeam is in a workgroup and we're trying to backup a Hyper-V Cluster that is part of a domain, do we have any options of using Kerberos at all (as mentioned NTLM is blocked, Certificate based authentication is not available)?

There's an older thread on Reddit (https://www.reddit.com/r/sysadmin/comme ... are_button) where Steve Syfuhs (the guy responsible for deprecating NTLM) says:

> Everyone says that kerberos should be used, but that requires both machines to be on the same domain.

Well, that's not true. It requires that a target machine be on a domain, but the client can be wherever or whatever it wants so long as it has line of sight to the DC. Also, we're building out Local KDC and IAKerb so neither of those points will actually soon be relevent either.

Since VSA (as mentioned we're using a Windows install right now) will probably never support NTLM and Certs are not an option what is the recommendation from Veeam? Our scenario seems a pretty common one.

[david.domask]

Happy to help, Miha.

I'm not sure on the full details at the moment, but we have another thread in which users have documented their experience. Our requirements are here, and it's either domain joined OR a trust relationship exists, so this is consistent with the commentary from Syfuhs.

If there are challenges with adding it, it's best to open a Support Case and let Veeam Support review the situation and advise -- if necessary, we'll update the documentation or RND will be made aware of any issues that need to be addressed.