PowerShell script exchange
jotge
Enthusiast
Posts: 28
Liked: 4 times
Joined: May 20, 2019 11:44 am
Full Name: Jan Groschopp
Location: Deutschland
Contact:

MFA and Powershell

Post by jotge » 1 person likes this post

Hello,

we would like to activate MFA in our Veeam environment.

I first need to describe our situation a little so that it is clear what I actually want.

We have a very large Hyper-V infrastructure to be backed up, so our lifecycle management for backup jobs, backup copy jobs and backup to tape jobs is based on various PowerShell scripts. We create, configure and delete jobs or backup objects with the help of these scripts.

In addition to backup administrators, so-called application owners of different servers also access the backup data - e.g. to restore data - and they use the Veeam Backup Enterprise Manager for this. Therefore, these scripts are also connected to the Enterprise Manager via the REST API in order to be able to assign or remove role-based rights.

In order to keep track of the many users who access the backup systems and backup data, we have also introduced a corresponding user concept. This requires each user to log in to the backup systems with user-specific credentials. This also makes it possible to recognize in the Veeam logs which user performed which action and when.

For all these reasons, the PowerShell scripts should be started in the respective user context.

Since the current implementation of MFA blocks the execution of the PowerShell scripts, now here comes my question. Are there plans to extend the use of MFA to the PowerShell scripts?

If this needs a feature request, here it is ;-)


Thanks and best regards

Jan
oleg.feoktistov
Veeam Software
Posts: 2015
Liked: 671 times
Joined: Sep 25, 2019 10:32 am
Full Name: Oleg Feoktistov
Contact:

Re: MFA and Powershell

Post by oleg.feoktistov » 1 person likes this post

Hi Jan,

Added your +1 to this request. We have no ETA on MFA-enabled PowerShell, but have you considered using service accounts instead? They should work with MFA enabled, and VBR allows adding such accounts to a backup infrastructure. See this article.

Best regards,
Oleg
chsuscale
Influencer
Posts: 15
Liked: 2 times
Joined: Jan 09, 2020 9:21 am
Contact:

Re: MFA and Powershell

Post by chsuscale » 1 person likes this post

I also need a way to use PowerShell on MFA-enabled infrastructure.
I do "only" reporting. There should be a way to allow this.
It does not make much sense to disable MFA for a "service" account and give the administrator role to it, only to do reports.
I run a modified report of https://gist.github.com/smasterson/9136468
and a self-made script to send a notification out when only 5 or fewer free tapes are left.
chsuscale
Influencer
Posts: 15
Liked: 2 times
Joined: Jan 09, 2020 9:21 am
Contact:

Re: MFA and Powershell

Post by chsuscale » 1 person likes this post

There's a super easy way to "come around the MFA":
C:\Admin\SysinternalsSuite\PsExec.exe -s -i powershell.exe -ExecutionPolicy Bypass C:\Admin\scripts\veeam\Get-TapeCount.ps1
(also works for planned jobs in the Task Planner)
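
For anyone monitoring a hardened backup server: a PsExec launch like the one in the post above leaves traces in the Windows event logs. The following is an added detection example, not part of chsuscale's post and not Veeam code. The function names and the flattened record shape are assumptions of this example, and the sample events are constructed.

```powershell
# Added example. Flags PsExec service installs and PowerShell started by the
# PsExec service. Only the default service name (PSEXESVC) is covered.

function ConvertTo-FlatEvent {
    # Flatten a Get-WinEvent record into Id, TimeCreated and named EventData fields.
    param([Parameter(ValueFromPipeline)] $Record)
    process {
        $flat = [ordered]@{ Id = $Record.Id; TimeCreated = $Record.TimeCreated }
        foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) {
            $flat[$d.Name] = $d.'#text'
        }
        [pscustomobject]$flat
    }
}

function Find-PsExecSystemShell {
    param([Parameter(ValueFromPipeline)] $Record)
    process {
        $reason = $null
        switch ($Record.Id) {
            7045 {  # System log: a service was installed
                if ($Record.ServiceName -like 'PSEXESVC*' -or $Record.ImagePath -like '*PSEXESVC*') {
                    $reason = 'PsExec service installed'
                }
            }
            4688 {  # Security log: process creation (needs "Audit Process Creation")
                if ($Record.ParentProcessName -like '*\PSEXESVC.exe' -and
                    $Record.NewProcessName -match '\\(powershell|pwsh)\.exe$') {
                    $reason = 'PowerShell started by PsExec service'
                }
            }
        }
        if ($reason) {
            [pscustomobject]@{ Time = $Record.TimeCreated; EventId = $Record.Id
                               Reason = $reason; CommandLine = $Record.CommandLine }
        }
    }
}

# Constructed sample records (not real log data); the third one must not be flagged.
$ps = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
$sample = @(
    [pscustomobject]@{ Id = 7045; TimeCreated = [datetime]'2024-01-15T02:10:00'; ServiceName = 'PSEXESVC'; ImagePath = '%SystemRoot%\PSEXESVC.exe' }
    [pscustomobject]@{ Id = 4688; TimeCreated = [datetime]'2024-01-15T02:10:01'; ParentProcessName = 'C:\Windows\PSEXESVC.exe'; NewProcessName = $ps; CommandLine = 'powershell.exe -ExecutionPolicy Bypass C:\Admin\scripts\veeam\Get-TapeCount.ps1' }
    [pscustomobject]@{ Id = 4688; TimeCreated = [datetime]'2024-01-15T09:00:00'; ParentProcessName = 'C:\Windows\explorer.exe'; NewProcessName = $ps; CommandLine = 'powershell.exe' }
)
$sample | Find-PsExecSystemShell | Format-Table -AutoSize
# Live use: Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045 } | ConvertTo-FlatEvent | Find-PsExecSystemShell
```

The `CommandLine` field of event 4688 is only populated when the policy "Include command line in process creation events" is enabled, and `ParentProcessName` requires Windows 10 / Server 2016 or later.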
dspringer
Enthusiast
Posts: 59
Liked: 5 times
Joined: Feb 01, 2022 10:57 am
Full Name: David Springer
Contact:

KB4632 - Investigate Encrypted Data

Post by dspringer »

For a change, I have now received a message about Encrypted Data on one of the file servers and would of course like to find out what exactly is meant there.
After a short search I stumbled across KB4632 https://www.veeam.com/kb4632, but somehow it doesn't really work. Before I give feedback directly in the KB, I would like to ask here. Maybe I'm doing something wrong.

There is an archive attached to the KB that I could use later to display the affected files. But I am already failing with the Powershell script mentioned above.
I have stored the content inside a ps1 on the backup server using Explorer. Since RDP is no longer possible due to the Hardening, I went into Windows via server ILO and started the script as a local administrator. The object name in line 2 has been replaced and corresponds to the server name that the encrypted files should have according to the Veeam GUI.

However, Powershell only says the following about the whole matter:

Get-VBRMalwareDetectionEvent : PowerShell client update environment initialization 
failed: Failed to connect to Veeam Backup & Replication server: 
Access denied.
Execution environment cannot be initialized to Remote
In C:\install\Investigation Tool Files\Find_encrypt-Event.ps1:5 Zeichen:1
+ Get-VBRMalwareDetectionEvent | Where-Object { $_.ObjectName -eq $obje ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [Get-VBRMalwareDetectionEvent],  
   AggregateException
    + FullyQualifiedErrorId : UpdateCheckerErrorId,Veeam.Backup.PowerShell.Cmdlets.G 
   etVBRMalwareDetectionEvent

OK, of course I thought that the user used could be to blame here. So I used a user who has the corresponding administrative role within Veeam.
Now there is the problem that MFA should be activated during hardening... Accordingly, of course, Powershell means:

Get-VBRMalwareDetectionEvent : Unable to connect to the server with MFA-enabled user account.


Do I really need a user at this point who is created as a service account in Veeam and therefore does not use MFA?
david.domask
Veeam Software
Posts: 2367
Liked: 558 times
Joined: Jun 28, 2016 12:12 pm
Contact:

Re: MFA and Powershell

Post by david.domask » 1 person likes this post

Hi @dspringer,

I've merged your post into an existing topic on Powershell and MFA.

Oleg's post above is still current at this time, but consider the workarounds mentioned here. The Backup Administrator role in Veeam Backup and Replication is required, and for now please consider the workarounds.
David Domask | Product Management: Principal Analyst
spiritie
Service Provider
Posts: 195
Liked: 40 times
Joined: Mar 01, 2016 10:16 am
Full Name: Gert
Location: Denmark
Contact:

[MERGED] [FR] Allow PowerShell even if MFA is enabled on localhost

Post by spiritie »

Hi Veeam

While we do love MFA, when running PowerShell scripts locally on a VBR it would be nice to be excluded if the user originates from localhost and the user is local admin on the server (just like SYSTEM or whatever service Veeam is running as is excluded from MFA).

The workaround is currently to set the "This is a service account" option on the account and then run PowerShell, and I'm currently baking this as a function into my PowerShell script to connect to Postgres and disable MFA for whatever user the script is running as, and then enable it again at the end of the script.

Why is this a problem?
- We manage a lot of VBR servers across different environments and it's tedious work to go in and disable this every time when testing scripts and developing
- Risk for misconfiguration, if the user forgets to enable MFA again on the account (Must admit this has happened to me a few times)

Regards :)
Mildur
Product Manager
Posts: 10110
Liked: 2696 times
Joined: May 13, 2017 4:51 pm
Full Name: Fabian K.
Location: Switzerland
Contact:

Re: MFA and Powershell

Post by Mildur »

Hello Gert

I moved your request to an existing topic.
May I ask for what kind of operations you use scripting? If you use the script for monitoring, you may consider using our Service Provider Console API endpoints with a read-only key. That should allow you to monitor backup jobs of customers without having to care about MFA prompts.

Best,
Fabian
Product Management Analyst @ Veeam Software
spiritie
Service Provider
Posts: 195
Liked: 40 times
Joined: Mar 01, 2016 10:16 am
Full Name: Gert
Location: Denmark
Contact:

Re: MFA and Powershell

Post by spiritie »

Hi Fabian

We are doing custom monitoring for certain parts of VBR, not only jobs, but MFA status of users, encryption key, placing VBR into maintenance mode and so on. We use a different tool which runs on all of our endpoints to execute the script, so no worry there as it all is running as SYSTEM. But every time I have to test something out I have to disable MFA on my user in order to test stuff.