Standalone backup agent for Microsoft Windows servers and workstations (formerly Veeam Endpoint Backup FREE)
Post Reply
mcoacollins
Novice
Posts: 6
Liked: never
Joined: Jan 29, 2019 3:55 pm
Contact:

Unable use repository with NTLM restricted

Post by mcoacollins »

Submitted as case #03387267, but figured it'd be useful to post publicly in-case anyone out there is pulling their hair like I was.

When the Windows security policy "Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers" is enabled, Veeam Agent fails to authenticate to a Veeam backup repository and gives the following error:

"Unable to establish authenticated client-server connection. A call to SSPI failed, see inner exception. The function requested is not supported"

Both the client and the server are on the same network and joined to the domain. Adding the server to the policy "Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication" has no effect.

When I enable NTLM logging, I can see Veeam is making an NTLM request that has the target server set to NULL. Because NULL isn't a valid internal server, Windows thinks Veeam is attempting to communicate to a remote server and blocks the request. NULL cannot be added to the exception list as NULL exceptions are not supported by Windows. I suspect the Veeam code that performs the authentication call isn't properly defining the target server - therefore getting set to NULL.

Adding a Veeam backup repository does work as intended when NTLM is not restricted, however having NTLM restricted is a must to prevent NTLM credential leakage with remote servers.

As a side note, I'm unable to send a ticket from within version 3.0.0.748 (the latest version available as of this ticket) as it gives an error stating "Please upgrade to the latest product version before reporting an issue."
Dima P.
Product Manager
Posts: 14726
Liked: 1707 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague
Contact:

Re: Unable use repository with NTLM restricted

Post by Dima P. »

Hello and welcome to the community mcoacollins.

Thank you for sharing. We discuss this issue and review your case details with RnD team and I'll update this thread with the results of our findings.
As a side note, I'm unable to send a ticket from within version 3.0.0.748 (the latest version available as of this ticket) as it gives an error stating "Please upgrade to the latest product version before reporting an issue."
We will investigate this issue as well. Thanks for bringing this up!
mcoacollins
Novice
Posts: 6
Liked: never
Joined: Jan 29, 2019 3:55 pm
Contact:

Re: Unable use repository with NTLM restricted

Post by mcoacollins »

Thanks Dima P. - any update on your findings? I had to reopen the case under number 03429888 as I unfortunately didn't respond in-time. Just had a support person connect in today that wasn't quite sure what to do next after re-explaining the issue - it sounded like he's escalating the case to the next tier.
Dima P.
Product Manager
Posts: 14726
Liked: 1707 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague
Contact:

Re: Unable use repository with NTLM restricted

Post by Dima P. »

We've fixed the support portal issue (now it should be possible to open the support case via product UI). NTLM issue is still being investigated, sorry for the delay. I'll check with the responsible team today.
Dima P.
Product Manager
Posts: 14726
Liked: 1707 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague
Contact:

Re: Unable use repository with NTLM restricted

Post by Dima P. »

mcoacollins,
I can see Veeam is making an NTLM request that has the target server set to NULL. Because NULL isn't a valid internal server, Windows thinks Veeam is attempting to communicate to a remote server and blocks the request. NULL cannot be added to the exception list as NULL exceptions are not supported by Windows. I suspect the Veeam code that performs the authentication call isn't properly defining the target server - therefore getting set to NULL.
Still investigating, but we found that in the event log you can actually see the IP/Host name of the agent machine (event with null value comes next). Is possible to add agent machine name to the policy exception list? Thank you in advance.
mcoacollins
Novice
Posts: 6
Liked: never
Joined: Jan 29, 2019 3:55 pm
Contact:

Re: Unable use repository with NTLM restricted

Post by mcoacollins »

Added the computer the agent is on to the exception list - no change.

-Thanks
Dima P.
Product Manager
Posts: 14726
Liked: 1707 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague
Contact:

Re: Unable use repository with NTLM restricted

Post by Dima P. »

Thank you for the update. We are still looking into this issue and I'll update this thread once I hear back anything from RnD team, meanwhile please keep working with our support team.
mgreco
Lurker
Posts: 1
Liked: never
Joined: Mar 03, 2019 3:15 am
Full Name: Mark Greco
Contact:

Re: Unable use repository with NTLM restricted

Post by mgreco »

I'm in the same boat. I started to lock down NTLM to the servers and I'm seeing the same thing on the two servers that I'm testing with. Seems to be an issue with Veeam.
mcoacollins
Novice
Posts: 6
Liked: never
Joined: Jan 29, 2019 3:55 pm
Contact:

Re: Unable use repository with NTLM restricted

Post by mcoacollins »

@mgreco
Glad I'm not the only one. Please let me know what response you get if you end up putting a ticket in. Unfortunately, it appears Veeam support doesn't know how to handle this and is requesting I provide logs again for a fourth time. I've been through the logs and nothing has changed each time I capture them. Not to mention the issue should be very easy to replicate in a test environment if they had one. Disappointing.
PTide
Product Manager
Posts: 6551
Liked: 765 times
Joined: May 19, 2015 1:46 pm
Contact:

Re: Unable use repository with NTLM restricted

Post by PTide »

mcoacollins,

The issue with NTLM has been confirmed. Currently it is advisable to not get rid of NTLM completely. Regarding NULL issue - this is currently being investigated, please stay tuned.

Thanks!
mcoacollins
Novice
Posts: 6
Liked: never
Joined: Jan 29, 2019 3:55 pm
Contact:

Re: Unable use repository with NTLM restricted

Post by mcoacollins »

@PTide

Any update on this? Thanks!
Dima P.
Product Manager
Posts: 14726
Liked: 1707 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague
Contact:

Re: Unable use repository with NTLM restricted

Post by Dima P. »

mcoacollins,

Unfortunately I do not have any updates to share. We still investigating this NULL value issue, so far it looks like a problem with NTLM audit logic.

Can I please ask you to reopen your support case? I've noticed that it was closed and we cannot use it as a reference for RnD team (you can point support team to previously opened support case).
HannesK
Product Manager
Posts: 14844
Liked: 3086 times
Joined: Sep 01, 2014 11:46 am
Full Name: Hannes Kasparick
Location: Austria
Contact:

Re: Unable use repository with NTLM restricted

Post by HannesK »

Hello,
I found this post in the support discussion thread... if I got it right, then Kerberos support "everywhere" should solve this with V12.

Best regards,
Hannes
Post Reply

Who is online

Users browsing this forum: No registered users and 12 guests