VSA and Windows Workgroup

[matteu]

Hello,

If I want to backup Windows VM and I'm using VSA, if I understand it correctly, it's mandatory to use Veeam deployment kit right?
If the VM is on a domain, it will use kerberos, but if not, while NTLM is not available, I need an other way.

[Mildur]

Hi Matteu,

NTLM is not available with VSA. If you do not have a working Kerberos environment, the Deployment Kit is the way to go.

I would recommend the Deployment Kit either way, whether the machine is domain-joined or not, because it allows you to use certificate-based authentication instead of storing credentials on the backup server. It also reduces the number of required ports, since you no longer need to allow access to admin shares (SMB). Overall, it makes the setup more secure.

Best,
Fabian

[matteu]

Hello,

Thanks for your answer.

Can you give me some more details please about the idea of use it for all VM ?

I totally agree it's more secure than storing password on the VBR server.

However, how would it work ?

I need to use it as VDK from Proection group? If yes, that mean I'm using Veeam agent on all computers... Not really somethink I like more :/ but it's more secure yes...

[Mildur]

Assuming you use VMware VMs, you can use the Veeam Deployment Kit together with persistent guest agents (Help Center). You only need to deploy the Deployment Kit once, either manually or with a third-party software distribution tool, for each VM on which you want to perform guest processing with the persistent guest agent.

Protection Groups or Veeam Agent for Microsoft Windows are not required.

Best,
Fabian

[matteu]

Yes sorry I didn't explain the setup.

Here, it's a customer with Nutanix AHV.

I tried to backup Workgroup VM with AAIP enabled -> doesn't work.
I tried to backup domain joined VM with AAIP enabled -> doesn't work.

The VSA is not part of the domain.

The error message is :

29/05/2026 12:23:54 Failed : Failed to connect via Administrative share.
Host: [VM001]. (Failed to connect to the guest OS.
[Samba failed with error: NT_STATUS_NO_SUCH_DOMAIN
[stderr: Kinit for veeam@DOMAIN to access VM001failed: Cannot find KDC for requested realm;
Could not connect to server VM001;Connection failed: NT_STATUS_NO_SUCH_DOMAIN. ];

[Mildur]

Thanks.
Please always let us know the Hypervisor before, since not every Hypervisor works similar

Kerberos is not supported for guest processing with AHV:
https://helpcenter.veeam.com/docs/vbr/u ... processing

Please use the deployment kit and persistent guest agents.
https://helpcenter.veeam.com/docs/vbr/u ... components

Thank you,
Fabian

[matteu]

Thanks for your answer.

1) OK, so for Nutanix AHV, the only way is to install the deployment kit for all VM I want to enable AAIP ?
That mean I will use it only for specific ones and not all Windows (I mean DC, exchange, SQL, ...)

I'm sorry for my dumb question but I would like to understand :

2) If VM is domain joined and VBR is not in domain.
Will it work as V12 and I can use domain\account on guest processing to backup my VM for a vsphere environment ?

[DaStivi]

for AAIP you'll need a "client interaction proxy" thats domainjoined... eg. a windows VM, domain joined... this client interaction proxy on the other side is added to VBR with the veeam deployment kit, without the need for another user account...
and for the credentials you'll need for the AAIP to work, use gMSA.... client-interaction proxy vm, is allowed to retrive the password for the gMSA User, and gMSA Account is member of local Admins Group in your VMs!

edit: ok AHV have exceptions ...

[matteu]

@mildur
I installed the deployment kit on my VM I want to backup and check persistent agent and it works fine now.

@dastivi
Thanks for this advice. I'm going to try on my lab with guest interaction proxy in the domain to see if it works fine with user / password.

Yes, gmsa is better because no password to manage but it's a vulnerable account for lateral movement attack. The same account is used on several computer and this is something we would like to avoid too ^^ . You can have 1 per tier but same issue... So I think only use Deployment kit is an excellent method to avoid credential + reduce port numbers to open.

[matteu]

I can confirm after the tests (on vsphere for the test) :

If VSA is joined to the domain → I have error when using AAIP with user/password using VSA as guest interraction proxy.

If VSA is not joined to the domain → OK if Deployment kit installed + Persistend guest agent

If VSA is not joined to the domain → OK if using guest interaction proxy in the domain with user/password or gmsa.

[Mildur]

Hi Matteu,

The challenge with Nutanix AHV and Kerberos is that the Nutanix APIs do not return the hostname or FQDN to us, which is required for Kerberos.

Therefore, for now, use Deployment Kits for passwordless authentication.

Best,
Fabian

[matteu]

@Mildur

Thanks for the explanations