Unable to apply a Backup Policy to a CloudConnect vCD Tenant Backup Agent

[ilogsdon]

We have encountered a frustrating situation and I'm curious why CloudConnect is behaving this way, or VSPC is failing to behave... I submitted a support request for this but I'm not entirely satisfied with the solution that was provided and would like to know what exactly is happening. My ticket # is 04603739.

We have VSPC (4.0.0.4914) connected to a Cloudconnect VBR (10.0.1.4854) that is connected to vCloud Director (10.1.2.16779297). We have many client Companies set up as vCloud Director Tenant types that use their vCD org and credentials to authenticate their VBRs to us as a Service Provider. They can then send backups to their allocated SOBR based on the quota settings in their Company properties. This simply works after they connect with no additional setup required on the provider's part beyond the Company setup. In other words it works as expected.

If we take that same company's credentials and use them to deploy a Windows Management Agent from VSPC, the management agent will successfully deploy and authenticate to the VSPC, however, when we go to install the Backup Agent and assign it a Backup Policy, the agent install succeeds, but the Policy fails to apply with the following message:
"Failed to apply a backup job: Cannot connect to the backup repository. User account is not set. Specify a user account to start using the job."

We searched all over the VSPC settings for this place to specify the requested user account but could not find anything. On a whim, we tried creating a VSPC Native Tenant Company and had the Managed Backup Agent authenticate back to Cloudconnect using the Native account's user. It was able to connect and the Backup Policy was able to be applied successfully.

I thought this was rather weird for the tenant types to not behave the same way so I opened up said support ticket and their suggested solution was to open the CloudConnect Console on the VBR and to edit the Access Permissions of the SOBR and Allow Everyone access. This definitely fixed our issue and stopped the pesky "Failed to apply backup job" message. Upon further inspection though, I noticed that the Access Permissions refer to Local (or domain) accounts and by selecting Allow Everyone I am worried that I am opening up this previously secure repo to anyone in the domain who wants to take a peek.

So, now that you're all caught up on the situation here are my questions...
-If a vCD tenant can send backups from their VBR using their vCD creds and not get any repo access errors, why does the error happen for a windows agent?
-If VSPC is able to handle agent authentication to the SOBR with a Native account without having to alter the CloudConnect Console SOBR Access permissions, why do I need to alter them for an agent authenticating with a vCD Tenant account? Can't VSPC know that it won't work without it and handle this last step on its own?
-What kind of security hole am I opening up by setting the Allow Everyone permission on the SOBR?
-Is there a better way to do all this?

Thanks for your time,
Isaac

[Dima P.]

Hello Isaac,

Thank you for your feedback and sorry to hear that you faced this issue!

-If a vCD tenant can send backups from their VBR using their vCD creds and not get any repo access errors, why does the error happen for a windows agent?

Unfortunately agents managed by Veeam B&R simply do not support tenant account for authentication with Cloud Connect, you should use regular tenant accounts instead.

-If VSPC is able to handle agent authentication to the SOBR with a Native account without having to alter the CloudConnect Console SOBR Access permissions, why do I need to alter them for an agent authenticating with a vCD Tenant account? Can't VSPC know that it won't work without it and handle this last step on its own?

Can you please clarify if that SOBR is configured as a Cloud Repository and then added to the tenant Veeam B&R?

-What kind of security hole am I opening up by setting the Allow Everyone permission on the SOBR?

Any user with access to the machine will be able to perform the recovery under his account (say regular non admin user will be able to connect to the repository and select any backup file to perform bare metal recovery from).

-Is there a better way to do all this?

Add Cloud Connect repo to tenant Veeam B&R server via regular tenant account, then create managed by agent backup job and apply the configuration. Veeam B&R will create a dedicated subtenant account for every agent machine under such job with it's own credentials and quota.

[ilogsdon]

Can you please clarify if that SOBR is configured as a Cloud Repository and then added to the tenant Veeam B&R?

- Yes, it is one of two SOBRs that we have published for use by CloudConnect tenants. This one shows up as an available repo if we add our service provider to a VBR.

-Is there a better way to do all this?
Add Cloud Connect repo to tenant Veeam B&R server via regular tenant account, then create managed by agent backup job and apply the configuration. Veeam B&R will create a dedicated subtenant account for every agent machine under such job with it's own credentials and quota.

-I think you might be confused by the scenario I described. The client we are currently dealing with has no VBR of their own, they are using the Management and Backup agent deployed directly from our VSPC to their machines and their machines back up directly to our CloudConnect instance. They have no VBR of their own for me to add our CC Repo to and create a managed agent backup job for. I was simply describing the behavior of a VBR we tested against to illustrate how the behavior of the stand-alone CloudConnect agent was different.

With that in mind (no customer VBR exists) is there any way to backup these agents using vCD tenant accounts and not removing the security on my repo? (Sorry if the confusion is on my end)

[Vitaliy S.]

If we take that same company's credentials and use them to deploy a Windows Management Agent from VSPC, the management agent will successfully deploy and authenticate to the VSPC, however, when we go to install the Backup Agent and assign it a Backup Policy, the agent install succeeds, but the Policy fails to apply with the following message:
"Failed to apply a backup job: Cannot connect to the backup repository. User account is not set. Specify a user account to start using the job."

The reason why you see this error message is that when using vCD, neither VCC nor VSPC can pre-create subtenants, so you will have to do that manually. Once the cloud backup policy is applied, your users have to go the job settings and set their vCD credentials manually to complete the configuration and run backup jobs.

This is not required in the case of native (aka local Cloud Connect) subtenants because VSPC automatically creates the required subtenant accounts in VCC and assigns them to the job configuration. Hope it clarifies the situation!