We would like to know if Kerberos support for Veeam Recovery Orchestrator is currently part of the product roadmap. Additionally, we would appreciate any information regarding:
Estimated timeline for implementation (if planned)
Possible workarounds or recommended best practices in the meantime
In our environment, the absence of Kerberos support introduces security and compliance challenges, making it difficult to fully integrate VRO into our disaster recovery strategy.
We strongly believe that adding Kerberos support would significantly enhance security posture and increase adoption in enterprise environments.
Case #07889743
-
magcware
- Novice
- Posts: 5
- Liked: 2 times
- Joined: Dec 29, 2023 2:23 pm
- Full Name: Miguel Angel Guerra
- Contact:
-
Alec King
- VP, Product Management
- Posts: 1629
- Liked: 441 times
- Joined: Jan 01, 2006 1:01 am
- Location: Prague, CZ
- Contact:
Re: Kerberos authentication support in Veeam Recovery Orchestrator (VRO).
Hello,
Thanks for your post, I do understand your challenge in attempting to secure the environment.
Just to confirm that VRO does use Kerberos by default, when available; although communication will failback to NTLM if Kerberos cannot be used (this decision is taken on Windows OS side, as we use Negotiate protocol to call it)
Fully enforced Kerberos-only mode is on the roadmap for VRO.
However as a LOT of QA testing is required, I can't yet confirm what release vehicle we will ship that feature in. We hope to schedule that work soon.
Thanks for your post, I do understand your challenge in attempting to secure the environment.
Just to confirm that VRO does use Kerberos by default, when available; although communication will failback to NTLM if Kerberos cannot be used (this decision is taken on Windows OS side, as we use Negotiate protocol to call it)
Fully enforced Kerberos-only mode is on the roadmap for VRO.
However as a LOT of QA testing is required, I can't yet confirm what release vehicle we will ship that feature in. We hope to schedule that work soon.
-
magcware
- Novice
- Posts: 5
- Liked: 2 times
- Joined: Dec 29, 2023 2:23 pm
- Full Name: Miguel Angel Guerra
- Contact:
Re: Kerberos authentication support in Veeam Recovery Orchestrator (VRO).
Hello Alec king
Thank you for your previous clarification.
I would like to further confirm the following:
In a properly configured environment (correct SPN, DNS resolution, time synchronization, and Active Directory configuration), is it possible for Veeam Recovery Orchestrator to always authenticate using Kerberos, effectively avoiding fallback to NTLM?
In other words, if all Kerberos prerequisites are correctly met, can we ensure that authentication will consistently use Kerberos, or is there still a possibility that NTLM will be used regardless of the configuration?
This clarificatio
Thank you for your previous clarification.
I would like to further confirm the following:
In a properly configured environment (correct SPN, DNS resolution, time synchronization, and Active Directory configuration), is it possible for Veeam Recovery Orchestrator to always authenticate using Kerberos, effectively avoiding fallback to NTLM?
In other words, if all Kerberos prerequisites are correctly met, can we ensure that authentication will consistently use Kerberos, or is there still a possibility that NTLM will be used regardless of the configuration?
This clarificatio
-
Alec King
- VP, Product Management
- Posts: 1629
- Liked: 441 times
- Joined: Jan 01, 2006 1:01 am
- Location: Prague, CZ
- Contact:
Re: Kerberos authentication support in Veeam Recovery Orchestrator (VRO).
Hello @magcware ,
Unfortunately it's not possible to confirm that current VRO would always use Kerberos. We need to perform extensive testing in a Kerberos-only environment in a specialised QA lab to confirm that (and I am sure we will find some issues). That's why we don't yet explicitly support such environments yet.
However the required lab has been booked and work has already started! So I do hope to confirm the status, and the support roadmap, very soon.
Unfortunately it's not possible to confirm that current VRO would always use Kerberos. We need to perform extensive testing in a Kerberos-only environment in a specialised QA lab to confirm that (and I am sure we will find some issues). That's why we don't yet explicitly support such environments yet.
However the required lab has been booked and work has already started! So I do hope to confirm the status, and the support roadmap, very soon.
Alec King
Vice President, Product Management
Veeam Software
Vice President, Product Management
Veeam Software
Who is online
Users browsing this forum: No registered users and 5 guests