Standalone backup agent for Microsoft Windows servers and workstations (formerly Veeam Endpoint Backup FREE)
Post Reply
GeraldS
Novice
Posts: 6
Liked: 3 times
Joined: Mar 28, 2019 8:18 am
Full Name: Gerald Schneider
Location: Rostock, Germany

Veeam trying to authenticate against AD with self signed certificates.

Post by GeraldS »

After we started to deploy managed instances of the Veeam Agent we noticed an increased activity of failed logins in our Active Directory audit log originating on our Veeam Backup & Replication server.

The "user agents" are in the following form:

Code: Select all

x509n:<s>cn=8b41492a-f228-47a2-b1b5-25dec8af8768,6
x509n:<s>cn=9261cec5-f131-4797-a635-af4472f8e11a,6
x509n:<s>cn=a1a65e62-91a3-48fd-80f1-9d596c47f23d,6
When we searched the Veeam logs for these UUIDs we found out that they correspond to self signed certificates created by Veeam.

These failed logins don't impact the backups, they succeed. It's just that our AD team has asked us to investigate these failed logins.

Why is the Veeam Agent (or VBR) trying to use these self signed certificates to authenticate against Active Directory, and how can we stop it?
Veeam Certified Engineer 2023
HannesK
Product Manager
Posts: 14287
Liked: 2877 times
Joined: Sep 01, 2014 11:46 am
Full Name: Hannes Kasparick
Location: Austria
Contact:

Re: Veeam trying to authenticate against AD with self signed certificates.

Post by HannesK »

Hello,
sounds strange... what is the support case number for that issue?

Additional to Veeam logs, please do also upload the AD audit logs that we can check that.

Thanks,
Hannes
GeraldS
Novice
Posts: 6
Liked: 3 times
Joined: Mar 28, 2019 8:18 am
Full Name: Gerald Schneider
Location: Rostock, Germany

Re: Veeam trying to authenticate against AD with self signed certificates.

Post by GeraldS »

I haven't opened a support case yet. I was hoping someone else might have run in the same problem.
Veeam Certified Engineer 2023
zd14a
Novice
Posts: 3
Liked: never
Joined: Jul 11, 2017 9:10 am
Contact:

Re: Veeam trying to authenticate against AD with self signed certificates.

Post by zd14a »

Hi, we see this kind of login attempts made by Veeam as well. We're also wondering what's happening there and how we can prevent Veeam from doing this.
HannesK
Product Manager
Posts: 14287
Liked: 2877 times
Joined: Sep 01, 2014 11:46 am
Full Name: Hannes Kasparick
Location: Austria
Contact:

Re: Veeam trying to authenticate against AD with self signed certificates.

Post by HannesK »

Hello,
can you please provide a case number with logs that we can have a look at it?

Thanks,
Hannes
TDog
Service Provider
Posts: 4
Liked: never
Joined: Feb 07, 2016 3:22 pm
Full Name: Tom Mucha
Location: Plantsville, CT
Contact:

Re: Veeam trying to authenticate against AD with self signed certificates.

Post by TDog »

GeraldS wrote: Mar 14, 2022 8:39 am These failed logins don't impact the backups, they succeed. It's just that our AD team has asked us to investigate these failed logins.

Why is the Veeam Agent (or VBR) trying to use these self signed certificates to authenticate against Active Directory, and how can we stop it?
We noticed the same very recently, ever find a solution? I found the offending cert in the local cert store on the agent machine, wonder if I have to deploy a local CA that is trusted by AD to resolve this. https://helpcenter.veeam.com/docs/backu ... ml?ver=110
redgasgiant
Novice
Posts: 7
Liked: never
Joined: Jan 31, 2023 7:42 pm
Contact:

Re: Veeam trying to authenticate against AD with self signed certificates.

Post by redgasgiant »

Howdy, I just noticed that my AD Audit flagged it as well:

A Kerberos authentication ticket (TGT) was requested for X509N:<S>CN=Veeam Backup Enterprise Manager Server Certificate from MyBackupServer.myDomain. Status : Failure. . Error : Bad user name

Did you get resolution?
HannesK
Product Manager
Posts: 14287
Liked: 2877 times
Joined: Sep 01, 2014 11:46 am
Full Name: Hannes Kasparick
Location: Austria
Contact:

Re: Veeam trying to authenticate against AD with self signed certificates.

Post by HannesK »

Hello,
did you open a support case with Veeam to check what's going on? If yes, can you please post the case number so we can investigate further?

Best regards,
Hannes
Redhw
Lurker
Posts: 2
Liked: never
Joined: Aug 08, 2023 7:13 am
Full Name: DH
Contact:

Re: Veeam trying to authenticate against AD with self signed certificates.

Post by Redhw »

Hi,

We also got the same problem recently and it still happens frequently. Did someone at veeam perhaps forgot to renew an internal certificate ?

Image
Image
Mildur
Product Manager
Posts: 8549
Liked: 2223 times
Joined: May 13, 2017 4:51 pm
Full Name: Fabian K.
Location: Switzerland
Contact:

Re: Veeam trying to authenticate against AD with self signed certificates.

Post by Mildur »

Hello DH

So far we didn't got any case number in this topic.
Please open a case and share the number with us. Then we can analyze this error messages.

Best,
Fabian
Product Management Analyst @ Veeam Software
Redhw
Lurker
Posts: 2
Liked: never
Joined: Aug 08, 2023 7:13 am
Full Name: DH
Contact:

Re: Veeam trying to authenticate against AD with self signed certificates.

Post by Redhw »

Hi Mildur,

No problem, here you go:
Case #06225025
gardhy
Lurker
Posts: 1
Liked: never
Joined: Aug 08, 2023 12:23 pm
Contact:

Re: Veeam trying to authenticate against AD with self signed certificates.

Post by gardhy »

I'm getting the same certificate errors as well. Been with support trying to resolve for the last couple of weeks. Case #06172180 if this helps.
Mildur
Product Manager
Posts: 8549
Liked: 2223 times
Joined: May 13, 2017 4:51 pm
Full Name: Fabian K.
Location: Switzerland
Contact:

Re: Veeam trying to authenticate against AD with self signed certificates.

Post by Mildur »

Thank you for the case numbers.
I checked similar cases and their may be a known issue with the certificate.

@Redhw
Let's see what our support team will find out and if it's related to the known issue.

@gardhy
Did you already have tried the last suggestion from our support on August 3rd?

Best,
Fabian
Product Management Analyst @ Veeam Software
JJohnson2023
Lurker
Posts: 1
Liked: never
Joined: Aug 23, 2023 8:23 pm
Full Name: Jarred Johnson
Contact:

Re: Veeam trying to authenticate against AD with self signed certificates.

Post by JJohnson2023 »

I'm currently experiencing the same issue, and just submitted Case # 06258240
Wad4iPod
Enthusiast
Posts: 91
Liked: never
Joined: Aug 04, 2010 12:34 am
Contact:

Re: Veeam trying to authenticate against AD with self signed certificates.

Post by Wad4iPod »

Seeing the same issue.
STGdb
Enthusiast
Posts: 39
Liked: 3 times
Joined: Sep 06, 2013 5:17 pm
Full Name: SOSidb
Contact:

Re: Veeam trying to authenticate against AD with self signed certificates.

Post by STGdb »

Sort of the same issue here, but it just started happening after upgrading from v11a to v12. Any update on how to resolve it? I currently have two other support cases open, hoping not to have a third.
Mildur
Product Manager
Posts: 8549
Liked: 2223 times
Joined: May 13, 2017 4:51 pm
Full Name: Fabian K.
Location: Switzerland
Contact:

Re: Veeam trying to authenticate against AD with self signed certificates.

Post by Mildur »

Hello SOSidb

Our customer support team is aware of a known issue regarding EM certificates.
They have a procedure to solve those issues. Please open a case and ask them to check if you are affected by the same issue as Jarred: 06258240.

Best,
Fabian
Product Management Analyst @ Veeam Software
Phyxiis
Novice
Posts: 6
Liked: 1 time
Joined: Nov 21, 2022 7:27 pm
Full Name: Alex G
Contact:

Re: Veeam trying to authenticate against AD with self signed certificates.

Post by Phyxiis »

I had a opened a case end of last week with our MSP/Veeam about this same exact issue (the screenshot from above with ADAudit logging actually) and they stated that because it's not application (Veeam) related, it's a Microsoft issue and to figure it out.... (basically).

We're still on v11a (or whatever the latest v11 is) and only just started noticing this within the past 2 weeks or so. No changes other than I got LDAPS set up on our domain controllers but is not being required or forced on Workstations/Servers (you can run LDAP and LDAPS in parallel with no issues).

We don't use Enterprise Manager, it was set up years ago before I got hired here but worked with Veeam to remove the Enterprise Manager tie-in in the database so that we could auto-renew our license via our MSP. So I don't know that the most recent post by Mildur would be applicable to us, unless some remnant of the EM server is still existent somewhere and expired. No backup jobs fail, and all authentication that I am aware of on the actual VBR server (domain joined VM) work just fine.

My guess is either A) something may be tied up cert-based with the non-existent EM server from years gone by, or B) something else is going on in which I can't figure out with hours of Googling...

EDIT: Our case number for what it's worth 06305132
cerberus
Expert
Posts: 155
Liked: 15 times
Joined: Aug 28, 2015 2:45 pm
Full Name: Mirza
Contact:

Re: Veeam trying to authenticate against AD with self signed certificates.

Post by cerberus »

Seeing the exact same issue on v12, our auditing tool is flooded with "X509N:<S>CN=Veeam Backup Enterprise Manager Server Certificate" failure events.

Case opened referencing this thread requesting the procedure to resolve this issue as per Fabian, case #06323302.
Mildur
Product Manager
Posts: 8549
Liked: 2223 times
Joined: May 13, 2017 4:51 pm
Full Name: Fabian K.
Location: Switzerland
Contact:

Re: Veeam trying to authenticate against AD with self signed certificates.

Post by Mildur »

Hi Mirza

Thank you.
I can see that our support engineer has provided the steps to solve the issue.
Please execute them and report back if they have solved this issue.

Best,
Fabian

@Phyxiis
If you don't use enterprise manager, then your case is different to other comments in this topic.
The cases I checked in this topic affects environments where Enterprise Manager is installed on the backup server.
We have a known issue regarding the automatically installed certificate. To solve it, we need to create a new self signed certificate, change a config file and delete a value from the enterprise manager database.
Product Management Analyst @ Veeam Software
ARHalderberge
Novice
Posts: 3
Liked: never
Joined: Nov 21, 2017 2:04 pm
Full Name: AR gemeente Halderberge
Contact:

Re: Veeam trying to authenticate against AD with self signed certificates.

Post by ARHalderberge »

Hi, I'm experiencing same issue as in case #06323302
Enterprise Manager is installed on same server.
We use version 12 (recently installed)
Can you provide the steps to solve the issue?
MajorWitt
Lurker
Posts: 1
Liked: never
Joined: Dec 11, 2023 1:56 am
Full Name: N Major
Contact:

Re: Veeam trying to authenticate against AD with self signed certificates.

Post by MajorWitt »

Hi there @Mildur,

We are seeing the same problems here, we have Enterprise Manager installed on the same server as Veeam Backup & Replication, we are running v12.0.0.1420.

Where can I find more information about how to "create a new self signed certificate, change a config file and delete a value from the enterprise manager database"?
Mildur
Product Manager
Posts: 8549
Liked: 2223 times
Joined: May 13, 2017 4:51 pm
Full Name: Fabian K.
Location: Switzerland
Contact:

Re: Veeam trying to authenticate against AD with self signed certificates.

Post by Mildur »

@MajorWitt
The process is not documented publicly.
Can you please update to our newest release (v12.1) and check the issue again? I can see on our internal system that there were changes around the enterprise manager certificate which may solve this issue. If you cannot update now, please open a support case and get the procedure from our support engineer.

Best,
Fabian
Product Management Analyst @ Veeam Software
k21971
Lurker
Posts: 1
Liked: never
Joined: Jan 30, 2024 5:28 pm
Contact:

Re: Veeam trying to authenticate against AD with self signed certificates.

Post by k21971 »

The process is not documented publicly.
Can you please update to our newest release (v12.1) and check the issue again? I can see on our internal system that there were changes around the enterprise manager certificate which may solve this issue. If you cannot update now, please open a support case and get the procedure from our support engineer.
Can we make the fix public? Or if it is, point us to a link? I just upgraded from 11a to 12.1 a few days ago, and I'm now seeing the exact same issue. Thanks.
lbrown13
Lurker
Posts: 1
Liked: never
Joined: Feb 01, 2024 8:15 pm
Full Name: Larry
Contact:

Re: Veeam trying to authenticate against AD with self signed certificates.

Post by lbrown13 »

Any updates on this? We have the same issue.
Mildur
Product Manager
Posts: 8549
Liked: 2223 times
Joined: May 13, 2017 4:51 pm
Full Name: Fabian K.
Location: Switzerland
Contact:

Re: Veeam trying to authenticate against AD with self signed certificates.

Post by Mildur »

For now, please contact our support team for the existing workaround.
Meanwhile I started a discussion with support management if it would be possible to provide a KB.

Best,
Fabian
Product Management Analyst @ Veeam Software
jcwrks
Lurker
Posts: 2
Liked: never
Joined: Apr 03, 2023 4:20 pm
Full Name: JW
Contact:

Re: Veeam trying to authenticate against AD with self signed certificates.

Post by jcwrks »

FYI
support@veeam.com

At this point if EM is not installed on the same server , there is no current workaround , however Veeam is aware of this issue and will release a future patch to get it fix , what we adviced under these scenarios is to wait for the patch and ignore the alerts for now since they do not affect the backups.
Mildur
Product Manager
Posts: 8549
Liked: 2223 times
Joined: May 13, 2017 4:51 pm
Full Name: Fabian K.
Location: Switzerland
Contact:

Re: Veeam trying to authenticate against AD with self signed certificates.

Post by Mildur »

Hello JW

Thanks for the update.
In the meantime I got an update from support management as well.
We will not provide a KB. Why not? There are two scenarios where we see certificate errors. Our support team must first confirm the scenario a customer is affected by before we can provide a solution.
One issue requires running queries in the configuration database, the other issue requires a private hotfix which can be obtained by a support case for version 12.1.1.56. We plan to include the hotfix in one of our next public patches.

Best,
Fabian
Product Management Analyst @ Veeam Software
Post Reply

Who is online

Users browsing this forum: No registered users and 32 guests