Hello All,
I'm hoping someone can help. I have a Veeam Server running version 11 that deployed an Agent to a Physical Windows 2016 server. This Agent is using NTLM for Authentication. I read NTLM is only required for Veeam's Internal Components and is not required for Agent Backups. When I disable NTLM on the Physical Server that I'm trying to back up, the Job Fails. How do I force the Agent to use Kerberos?
Here is the NTLM Event Log that displays on the Physical Server:
NTLM server blocked in the domain audit: Audit NTLM authentication in this domain
User: VeeamAdminAccount
Domain: LocalDomain.corp
Workstation: ExampleVeeamServer1
PID: 2856
Process: C:\Windows\Veeam\Backup\VeeamDeploymentSvc.exe
Logon type: 3
InProc: true
Mechanism: (NULL)
Audit NTLM authentication requests within this domain that would be blocked if the security policy Network Security: Restrict NTLM: NTLM authentication in this domain is set to Deny for domain servers or Deny domain accounts to domain servers.
If you want to allow NTLM authentication requests in the domain VeeamAdminAccount, set the security policy Network Security: Restrict NTLM: NTLM authentication in this domain to Disabled.
If you want to allow NTLM authentication requests to specific servers in the domain VeeamAdminAccount, set the security policy Network Security: Restrict NTLM: NTLM authentication in this domain to Deny for domain servers or Deny domain accounts to domain servers, and then set the security policy Network Security: Restrict NTLM: Add server exceptions in this domain to define a list of servers in this domain to use NTLM authentication.
We are aware of this limitation and are planning to address it in future versions. For now, you may disable NTLM v1 and use NTLM v2 instead to improve the security posture.
Thank you Wishr. Do you have an estimated Timeline for the removal of this limitation? Is there any scenario/setup where NTLM is not required while using Veeam?
Yesterday I turned off NTLM on our Azure AD Connect server, because Microsoft says of CVE-2021-36949 "In addition to applying the updates in this CVE, you will need to disable NTLM". Now Veeam 11 is unable to connect to it. NTLM is very much in the firing line with this and relay attacks on AD Certificate Services. Perhaps this could become a priority?
Has this been fixed yet? We are running into regulatory issues that will soon make it impossible for us to have NTLM enabled anywhere across the enterprise. If this isn't fixed quickly, we are going to need to move from Veeam.
Is it possible to share the policy or regulatory requirements with me? As a temporary fix, you can add Veeam B&R and its infrastructure components to the GPO exclusions (do not restrict NTLM for these servers in the GPO security policy). Thank you!
I agree, this needs to get bumped up in priority. We want to block NTLM from our entire network and this is the ONLY thing still using it. Very frustrating.
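Added example, not part of the thread and not Veeam's or Microsoft's code: before scoping GPO exclusions such as the ones suggested above, it helps to inventory which hosts, accounts and processes still trigger the NTLM audit event. This Python script parses a text export of messages laid out like the event quoted in the first post; the sample records, the second account and process, and the function names are constructed for illustration.

```python
import re
from collections import Counter
from ntpath import basename  # parses Windows paths on any OS

# Constructed sample: text export of three audit messages in the layout of the
# event quoted in the first post. The second account and process are made up.
SAMPLE = r"""NTLM server blocked in the domain audit: Audit NTLM authentication in this domain
User: VeeamAdminAccount
Domain: LocalDomain.corp
Workstation: ExampleVeeamServer1
PID: 2856
Process: C:\Windows\Veeam\Backup\VeeamDeploymentSvc.exe
Logon type: 3
NTLM server blocked in the domain audit: Audit NTLM authentication in this domain
User: VeeamAdminAccount
Domain: LocalDomain.corp
Workstation: EXAMPLEVEEAMSERVER1
PID: 4120
Process: C:\Windows\Veeam\Backup\VeeamDeploymentSvc.exe
Logon type: 3
NTLM server blocked in the domain audit: Audit NTLM authentication in this domain
User: ExampleSvcAccount
Domain: LocalDomain.corp
Workstation: ExampleHost2
PID: 912
Process: C:\Program Files\Example\ExampleSvc.exe
Logon type: 3
"""

HEADER = "NTLM server blocked in the domain audit"
FIELD = re.compile(r"^(User|Domain|Workstation|PID|Process|Logon type):\s*(.*)$")

def parse_events(text):
    """Split an export into one dict per audit message."""
    events = []
    for line in map(str.strip, text.splitlines()):
        if line.startswith(HEADER):
            events.append({})
        elif events and (m := FIELD.match(line)):
            events[-1].setdefault(m.group(1), m.group(2).strip())
    return events

def ntlm_consumers(events):
    """Count events per (Workstation, account, process), case-insensitively."""
    counts = Counter()
    for e in events:
        if not {"User", "Domain", "Workstation", "Process"} <= e.keys():
            continue  # truncated record: skip rather than guess
        account = f'{e["Domain"]}\\{e["User"]}'
        counts[(e["Workstation"].lower(), account.lower(), basename(e["Process"]).lower())] += 1
    return counts

if __name__ == "__main__":
    for (host, account, proc), n in ntlm_consumers(parse_events(SAMPLE)).most_common():
        print(f"{n:3d}  {host:22} {account:38} {proc}")
```

Each distinct row is one remaining NTLM consumer to either move to Kerberos or cover with a narrowly scoped exception.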