-
- Novice
- Posts: 6
- Liked: never
- Joined: Jan 29, 2019 3:55 pm
- Contact:
Unable use repository with NTLM restricted
Submitted as case #03387267, but figured it'd be useful to post publicly in case anyone out there is pulling their hair like I was.
When the Windows security policy "Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers" is enabled, Veeam Agent fails to authenticate to a Veeam backup repository and gives the following error:
"Unable to establish authenticated client-server connection. A call to SSPI failed, see inner exception. The function requested is not supported"
Both the client and the server are on the same network and joined to the domain. Adding the server to the policy "Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication" has no effect.
When I enable NTLM logging, I can see Veeam is making an NTLM request that has the target server set to NULL. Because NULL isn't a valid internal server, Windows thinks Veeam is attempting to communicate to a remote server and blocks the request. NULL cannot be added to the exception list as NULL exceptions are not supported by Windows. I suspect the Veeam code that performs the authentication call isn't properly defining the target server - therefore getting set to NULL.
Adding a Veeam backup repository does work as intended when NTLM is not restricted; however, having NTLM restricted is a must to prevent NTLM credential leakage with remote servers.
As a side note, I'm unable to send a ticket from within version 3.0.0.748 (the latest version available as of this ticket) as it gives an error stating "Please upgrade to the latest product version before reporting an issue."
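The check described in the post above, as an added example that is not part of the original post or of Veeam's tooling: it reads the outgoing-NTLM restriction mode and the server exception list, then lists audited or blocked outgoing NTLM requests and flags those whose target is empty or NULL. The event IDs (4001, 8001), the registry value names and the message-field patterns are not stated in the thread; the message layout in particular is an assumption based on the English event text.

```powershell
# Added example (not from the thread). Run elevated on the Veeam Agent machine.
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

# Registry values behind the two "Restrict NTLM" policies named in the post.
$modes = @{ 0 = 'Allow all'; 1 = 'Audit all'; 2 = 'Deny all' }
$mode  = [int]$lsa.RestrictSendingNTLMTraffic
$allow = @($lsa.ClientAllowedNTLMServers | Where-Object { $_ })
"Outgoing NTLM: $($modes[$mode]); exceptions: $($allow -join ', ')"

# 8001 = outgoing NTLM audited, 4001 = outgoing NTLM blocked.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-NTLM/Operational'
    Id        = 4001, 8001
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue

$report = foreach ($e in $events) {
    # Assumption: the rendered message carries "Target server:" and
    # "Name of client process:" fields (English event text).
    $target  = if ($e.Message -match 'Target server:[ \t]*(\S*)') { $Matches[1] } else { '' }
    $process = if ($e.Message -match 'Name of client process:[ \t]*(.+)') { $Matches[1].Trim() } else { '' }

    # Assumption: targets look like "service/host"; compare the host part
    # against the exception list, which may contain "*" wildcards.
    $targetHost = ($target -split '/')[-1]
    $isNull  = [string]::IsNullOrEmpty($targetHost) -or $targetHost -eq '(NULL)'
    $covered = -not $isNull -and [bool]($allow | Where-Object { $targetHost -like $_ })

    [pscustomobject]@{
        Time = $e.TimeCreated; Id = $e.Id; Target = $target
        Process = $process; NullTarget = $isNull; OnExceptionList = $covered
    }
}

# Full timeline, then the processes responsible for NULL-target requests.
$report | Sort-Object Time | Format-Table -AutoSize
$report | Where-Object NullTarget | Group-Object Process | Select-Object Count, Name
```

Rows with `NullTarget` set to true are the requests that no entry on the exception list can match, which is the behaviour the post reports.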
-
- Product Manager
- Posts: 14726
- Liked: 1707 times
- Joined: Feb 04, 2013 2:07 pm
- Full Name: Dmitry Popov
- Location: Prague
- Contact:
Re: Unable use repository with NTLM restricted
Hello and welcome to the community mcoacollins.
Thank you for sharing. We discuss this issue and review your case details with RnD team and I'll update this thread with the results of our findings.
> As a side note, I'm unable to send a ticket from within version 3.0.0.748 (the latest version available as of this ticket) as it gives an error stating "Please upgrade to the latest product version before reporting an issue."
We will investigate this issue as well. Thanks for bringing this up!
-
- Novice
- Posts: 6
- Liked: never
- Joined: Jan 29, 2019 3:55 pm
- Contact:
Re: Unable use repository with NTLM restricted
Thanks Dima P. - any update on your findings? I had to reopen the case under number 03429888 as I unfortunately didn't respond in time. Just had a support person connect in today that wasn't quite sure what to do next after re-explaining the issue - it sounded like he's escalating the case to the next tier.
-
- Product Manager
- Posts: 14726
- Liked: 1707 times
- Joined: Feb 04, 2013 2:07 pm
- Full Name: Dmitry Popov
- Location: Prague
- Contact:
Re: Unable use repository with NTLM restricted
We've fixed the support portal issue (now it should be possible to open the support case via product UI). NTLM issue is still being investigated, sorry for the delay. I'll check with the responsible team today.
-
- Product Manager
- Posts: 14726
- Liked: 1707 times
- Joined: Feb 04, 2013 2:07 pm
- Full Name: Dmitry Popov
- Location: Prague
- Contact:
Re: Unable use repository with NTLM restricted
mcoacollins,
> I can see Veeam is making an NTLM request that has the target server set to NULL. Because NULL isn't a valid internal server, Windows thinks Veeam is attempting to communicate to a remote server and blocks the request. NULL cannot be added to the exception list as NULL exceptions are not supported by Windows. I suspect the Veeam code that performs the authentication call isn't properly defining the target server - therefore getting set to NULL.
Still investigating, but we found that in the event log you can actually see the IP/Host name of the agent machine (event with null value comes next). Is it possible to add the agent machine name to the policy exception list? Thank you in advance.
-
- Novice
- Posts: 6
- Liked: never
- Joined: Jan 29, 2019 3:55 pm
- Contact:
Re: Unable use repository with NTLM restricted
Added the computer the agent is on to the exception list - no change.
-Thanks
-
- Product Manager
- Posts: 14726
- Liked: 1707 times
- Joined: Feb 04, 2013 2:07 pm
- Full Name: Dmitry Popov
- Location: Prague
- Contact:
Re: Unable use repository with NTLM restricted
Thank you for the update. We are still looking into this issue and I'll update this thread once I hear back anything from RnD team, meanwhile please keep working with our support team.
-
- Lurker
- Posts: 1
- Liked: never
- Joined: Mar 03, 2019 3:15 am
- Full Name: Mark Greco
- Contact:
Re: Unable use repository with NTLM restricted
I'm in the same boat. I started to lock down NTLM to the servers and I'm seeing the same thing on the two servers that I'm testing with. Seems to be an issue with Veeam.
-
- Novice
- Posts: 6
- Liked: never
- Joined: Jan 29, 2019 3:55 pm
- Contact:
Re: Unable use repository with NTLM restricted
@mgreco
Glad I'm not the only one. Please let me know what response you get if you end up putting a ticket in. Unfortunately, it appears Veeam support doesn't know how to handle this and is requesting I provide logs again for a fourth time. I've been through the logs and nothing has changed each time I capture them. Not to mention the issue should be very easy to replicate in a test environment if they had one. Disappointing.
-
- Product Manager
- Posts: 6551
- Liked: 765 times
- Joined: May 19, 2015 1:46 pm
- Contact:
Re: Unable use repository with NTLM restricted
mcoacollins,
The issue with NTLM has been confirmed. Currently it is advisable to not get rid of NTLM completely. Regarding NULL issue - this is currently being investigated, please stay tuned.
Thanks!
-
- Novice
- Posts: 6
- Liked: never
- Joined: Jan 29, 2019 3:55 pm
- Contact:
Re: Unable use repository with NTLM restricted
@PTide
Any update on this? Thanks!
-
- Product Manager
- Posts: 14726
- Liked: 1707 times
- Joined: Feb 04, 2013 2:07 pm
- Full Name: Dmitry Popov
- Location: Prague
- Contact:
Re: Unable use repository with NTLM restricted
mcoacollins,
Unfortunately I do not have any updates to share. We are still investigating this NULL value issue, so far it looks like a problem with NTLM audit logic.
Can I please ask you to reopen your support case? I've noticed that it was closed and we cannot use it as a reference for RnD team (you can point support team to previously opened support case).
-
- Product Manager
- Posts: 14844
- Liked: 3086 times
- Joined: Sep 01, 2014 11:46 am
- Full Name: Hannes Kasparick
- Location: Austria
- Contact:
Re: Unable use repository with NTLM restricted
Hello,
I found this post in the support discussion thread... if I got it right, then Kerberos support "everywhere" should solve this with V12.
Best regards,
Hannes