Maintain control of your Microsoft Office 365 email data
ghires
Lurker
Posts: 2
Liked: never
Joined: Mar 15, 2019 12:50 pm
Full Name: Gary Hires
Contact:

v3 - LegacyAuthProtocolIsEnabled still required?

Post by ghires » Apr 04, 2019 1:54 pm

I am unable to tell if the newest VBO v3 completely supports MFA for ALL workloads. I followed the directions outlined here (https://tsmith.co/2019/add-org-to-veeam ... h-and-mfa/) - but I'm not able to get past the "Verifying connection and organization parameters". I'm receiving an error "Check LegacyAuthProtocolsEnabled: Legacy authentication protocols are probably disabled.". Also, if I understand correctly, if I enable the LegacyAuthProtocols with PowerShell - doesn't this affect our entire SharePoint? Isn't that the whole point of enabling MFA for my organization - to eliminate potential data breaches and access to our data via older, legacy protocols?

Polina
Veeam Software
Posts: 838
Liked: 118 times
Joined: Oct 21, 2011 11:22 am
Full Name: Polina Vasileva
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by Polina » Apr 04, 2019 3:48 pm

Hi Gary and welcome to the community!

While VBO v3 supports connecting to Office 365 with service accounts enabled for MFA, it indeed still requires legacy auth protocols set to enabled to be able to work with SharePoint ASMX services.
Please check this thread for more details.

ghires
Lurker
Posts: 2
Liked: never
Joined: Mar 15, 2019 12:50 pm
Full Name: Gary Hires
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by ghires » Apr 04, 2019 4:02 pm

Are there plans to remove the requirements for legacy auth in future versions of VBO?

Polina
Veeam Software
Posts: 838
Liked: 118 times
Joined: Oct 21, 2011 11:22 am
Full Name: Polina Vasileva
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by Polina » Apr 04, 2019 4:22 pm

It will be possible if at some point these services (and a few others as well) become accessible via API.

Steve-nIP
Service Provider
Posts: 17
Liked: 3 times
Joined: Feb 06, 2018 10:08 am
Full Name: Steve
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by Steve-nIP » Apr 05, 2019 5:32 am

I found out yesterday that SharePoint still absolutely requires LegacyAuthProtocols to be enabled in v3

Polina
Veeam Software
Posts: 838
Liked: 118 times
Joined: Oct 21, 2011 11:22 am
Full Name: Polina Vasileva
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by Polina » Apr 05, 2019 9:15 am

That's correct.

wes@f1
Novice
Posts: 4
Liked: never
Joined: Apr 12, 2019 6:28 pm
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by wes@f1 » Apr 12, 2019 6:31 pm

That is disappointing. I'm a bit surprised that this is something that hasn't been worked out, though. We are currently using Barracuda Cloud-to-Cloud backup for SPO/ODB backups with legacy authentication for SPO disabled, and it continues to work fine. Their implementation is similar to the setup process for modern auth for VBO to register an Azure application, so I imagine the APIs they use should be available here too.

Gostev
SVP, Product Management
Posts: 24641
Liked: 3468 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by Gostev » Apr 12, 2019 9:48 pm

No, these APIs really truly are not available through modern authentication. So, the fact that they are able to perform backup simply means they are not backing up everything that Veeam does (and you will find this out at restore).

Thinking more about this though, perhaps we should add a special backup mode [with a big warning sign] that only backs up stuff we can back up through APIs that do support modern authentication. What do you think about this idea?

wes@f1
Novice
Posts: 4
Liked: never
Joined: Apr 12, 2019 6:28 pm
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by wes@f1 » Apr 17, 2019 10:06 pm

@Gostev - I'd be interested to know what you can back up through the APIs that support modern auth. In Barracuda's case, I'm able to see all of the data I have stored across all SPO/ODB sites and successfully completed a few spot restores. I know that I don't get full fidelity site restore, but I get the contents. I did note in my test that I didn't get metadata (last modified date, modified by, etc.), but this is something we can live without. I guess I'm struggling to understand what I'm missing in my backup assuming that they can only interface with the same APIs you mention.

Regarding your suggestion - provided the data you CAN back up in your current implementation is meaningful, I don't think it is a bad move to add something like that with applicable warnings. I would probably find it more useful for documentation to specify specifically what is or what is not being backed up by that method, though.

Mike Resseler
Product Manager
Posts: 5701
Liked: 601 times
Joined: Feb 08, 2013 3:08 pm
Full Name: Mike Resseler
Location: Belgium
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by Mike Resseler » Apr 18, 2019 5:13 am

@wes@f1

One example: ASMX files. These are used to create webservices in SharePoint. You can consider them legacy but in many cases they still exist and we need to support them for our customers.

wes@f1
Novice
Posts: 4
Liked: never
Joined: Apr 12, 2019 6:28 pm
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by wes@f1 » Apr 18, 2019 8:09 pm

@Mike Resseler - Thanks for the response. Can you clarify which question of mine you were providing an answer to? I realized I asked what Veeam could back up without the modern API and I also asked by extension what would not be included in that backup.

Mike Resseler
Product Manager
Posts: 5701
Liked: 601 times
Joined: Feb 08, 2013 3:08 pm
Full Name: Mike Resseler
Location: Belgium
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by Mike Resseler » Apr 19, 2019 5:21 am

Actually both :-) (At least if I understood it correctly).

We strived to make sure that you can protect everything (which is API reachable) from O365 with both legacy authentication and MFA. And as said, .ASMX files are webservices but you could call them extensions also. So if another vendor does not use the legacyauthprotocol, then those are excluded for sure. (You basically cannot query them in a modern way). But again, this is just one example; I requested the teams to create a list. And based on that list, we are going to discuss internally what to do with this.

We might (for example) decide to simply give a warning (something like: If you do not enable... then you will have no backups of A, B and C...). But it is early in my thinking (so please give us your ideas)

wes@f1
Novice
Posts: 4
Liked: never
Joined: Apr 12, 2019 6:28 pm
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by wes@f1 » Apr 19, 2019 2:05 pm

@Mike Resseler - Thanks for the clarification. I don't do SharePoint development myself, so I had to dig a bit to understand ASMX files, but it looks like they are associated with a deprecated API and that MS is pushing users toward using SOAP or REST instead. I'm curious if the items you aren't able to pick up with legacy authentication are related to deprecated areas. If that is true, it may not be prudent to attempt to back that information up by default. If you are able to share the list once it is created, I think it would help my understanding.

I like your suggestion on the option for a warning. I would envision it attempting modern auth first, generating the error that stops you, then acknowledging it with the notification about what can't be backed up before you can proceed.

Mike Resseler
Product Manager
Posts: 5701
Liked: 601 times
Joined: Feb 08, 2013 3:08 pm
Full Name: Mike Resseler
Location: Belgium
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by Mike Resseler » Apr 23, 2019 5:46 am

Hey Wes,

This was discussed last week. We are indeed looking into the full list of what is not reachable through the modern way. Based on that list, we will use our data to see what is still used a lot (and we can't miss it in the backup) and what not. A solution won't be here quickly, but we are going to see what we can do for the next version.

The only thing that will always bother me in this story, is that some data won't be protected. And as an old school backup guy, I want to protect EVERYTHING :-)

Hydrogen
Novice
Posts: 7
Liked: 1 time
Joined: May 16, 2019 7:39 pm
Full Name: Darius
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by Hydrogen » Jul 14, 2019 7:24 pm

What if we were to restrict legacy authentication access to just the VBO service account?

Microsoft's approach to disabling legacy authentication is to set a Conditional Access policy as mentioned throughout their Secure Score and Identity Protection Score screens. The process is described in detail in the TechNet blog link below. They do not mention disabling legacy authentication in SPO or EXO using PowerShell (even though you can).

An approach I just thought of would be to EXCLUDE the VBO service account from an organization-wide Conditional Access policy that *blocks* everyone else from using legacy authentication, *plus* a separate Conditional Access policy which *blocks* legacy authentication, but this time INCLUDES just the VBO service account *and* has a Location condition. The location is set to Include 'any' location *except* an EXCLUDED location of the public IP of the VBO server.

What this would effectively accomplish is:

1. Permit the VBO service account to use legacy authentication, but only from the designated IP address(es) in the second policy.
2. Block all other accounts from using legacy authentication, regardless of location.

https://blogs.technet.microsoft.com/clo ... protocols/

I would like to hear your thoughts on this approach.

-Darius
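
Added example (not part of the post above or of the linked blog): a small Python model of the two Conditional Access policies that post describes, evaluated against constructed sign-ins to check the combined effect. The account name, IP addresses and dictionary layout are assumptions for illustration; only the `clientAppTypes` values mirror Microsoft Graph.

```python
import ipaddress

# Graph clientAppTypes values that represent legacy authentication clients.
LEGACY = {"exchangeActiveSync", "other"}
VBO_ACCOUNT = "vbo-svc@example.com"   # hypothetical service account
VBO_EGRESS = ["203.0.113.10/32"]      # hypothetical public IP of the VBO server

# Simplified policy records (assumed layout); both policies have a "block" grant control.
POLICIES = [
    {"name": "Block legacy auth for everyone except VBO account",
     "includeUsers": ["All"], "excludeUsers": [VBO_ACCOUNT],
     "clientAppTypes": LEGACY, "excludeLocations": []},
    {"name": "Block legacy auth for VBO account outside VBO IP",
     "includeUsers": [VBO_ACCOUNT], "excludeUsers": [],
     "clientAppTypes": LEGACY, "excludeLocations": VBO_EGRESS},
]

def in_any(ip, cidrs):
    """True if ip falls inside any of the given CIDR ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)

def policy_applies(policy, user, client_app, ip):
    """Exclusions win over inclusions; location is 'any' minus excluded ranges."""
    if user in policy["excludeUsers"]:
        return False
    if "All" not in policy["includeUsers"] and user not in policy["includeUsers"]:
        return False
    if client_app not in policy["clientAppTypes"]:
        return False
    return not in_any(ip, policy["excludeLocations"])

def evaluate(user, client_app, ip):
    """Return ('block', policy name) if a policy applies, else ('allow', None).
    'allow' only means these two policies do not block the sign-in."""
    for policy in POLICIES:
        if policy_applies(policy, user, client_app, ip):
            return ("block", policy["name"])
    return ("allow", None)

if __name__ == "__main__":
    # Constructed sign-ins: (user, client app type, source IP)
    samples = [
        (VBO_ACCOUNT, "other", "203.0.113.10"),
        (VBO_ACCOUNT, "other", "198.51.100.7"),
        ("alice@example.com", "other", "203.0.113.10"),
        ("alice@example.com", "browser", "198.51.100.7"),
    ]
    for sample in samples:
        print(sample, "->", evaluate(*sample))
```

The third sample is the case worth checking in a real tenant: a non-service account using legacy authentication from the VBO server's own IP must still be blocked, because the first policy carries no location exclusion.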

Polina
Veeam Software
Posts: 838
Liked: 118 times
Joined: Oct 21, 2011 11:22 am
Full Name: Polina Vasileva
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by Polina » Jul 15, 2019 4:11 pm

Hi Darius,

We didn't test this scenario, but if you have a chance to try it in your environment, we'd be very interested to know the results.

Thanks!

Hydrogen
Novice
Posts: 7
Liked: 1 time
Joined: May 16, 2019 7:39 pm
Full Name: Darius
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by Hydrogen » Jul 17, 2019 11:00 pm

Hello Polina (and others),

I have successfully implemented what I suggested in my previous post.

To assist Veeam and others, I have created a blog post about this with full, detailed instructions here:
https://www.liktorius.com/2019/07/17/pr ... m-vbo-365/

Warm Regards,
-Darius

Polina
Veeam Software
Posts: 838
Liked: 118 times
Joined: Oct 21, 2011 11:22 am
Full Name: Polina Vasileva
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by Polina » Jul 18, 2019 10:57 am

Darius, can you please check if your link is correct? For me, it gives a 403 error.

Hydrogen
Novice
Posts: 7
Liked: 1 time
Joined: May 16, 2019 7:39 pm
Full Name: Darius
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by Hydrogen » Jul 18, 2019 10:35 pm

Polina,

Yes, clicking directly on the link in my forum post sends me to the correct blog post. You should not be receiving a 403. Have you tried it from more than one computer/phone?

-Darius

Polina
Veeam Software
Posts: 838
Liked: 118 times
Joined: Oct 21, 2011 11:22 am
Full Name: Polina Vasileva
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by Polina » Jul 19, 2019 5:45 am

I only tried it from one device. Now another attempt - from a different device and different network/country - ends up the same way.

Thanks

Mike Resseler
Product Manager
Posts: 5701
Liked: 601 times
Joined: Feb 08, 2013 3:08 pm
Full Name: Mike Resseler
Location: Belgium
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by Mike Resseler » Jul 22, 2019 5:46 am

Unfortunately I can confirm that I get a 403 also... I tried to go to https://www.liktorius.com/ directly and search the post but the same...

Hydrogen
Novice
Posts: 7
Liked: 1 time
Joined: May 16, 2019 7:39 pm
Full Name: Darius
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by Hydrogen » Jul 22, 2019 3:27 pm

Polina and Mike Resseler - Please try again.

Mike Resseler
Product Manager
Posts: 5701
Liked: 601 times
Joined: Feb 08, 2013 3:08 pm
Full Name: Mike Resseler
Location: Belgium
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by Mike Resseler » Jul 24, 2019 4:59 am

Done. It works now! Thanks for this Darius, good stuff

olavl
Influencer
Posts: 11
Liked: 1 time
Joined: Jan 23, 2018 8:21 am
Full Name: OL
Contact:

[MERGED] Veeam, O365 and modern auth vs basic legacy.

Post by olavl » Sep 04, 2019 7:49 am

Reading the blog post regarding O365 MFA + Veeam, there are a couple of points I found problematic.

Example:
https://www.veeam.com/blog/setup-multi- ... e-365.html
"And last but not the least, to be able to protect text, images, files, video, dynamic content and more added to your SharePoint Online modern site pages, Veeam Backup for Microsoft Office 365 requires LegacyAuthProtocolsEnabled to be set to $True. This basic authentication protocol takes effect for all your SharePoint Online organization, but it is required to work with certain specific services, such as ASMX."
....
"• AllowBasicAuthPowershell protocol must be enabled for your Veeam service account"


We very much would like to go all modern auth and disable legacy basic authentication. If I am reading this correctly, that is not possible if we use Veeam to back up O365.
Are there any plans to remove the use of legacy basic authentication?

olavl
Influencer
Posts: 11
Liked: 1 time
Joined: Jan 23, 2018 8:21 am
Full Name: OL
Contact:

Re: Veeam, O365 and modern auth vs basic legacy.

Post by olavl » Sep 04, 2019 10:26 am

Why basic is bad?
https://docs.microsoft.com/en-us/dotnet ... core-6.2.0
"Conversely, Basic authentication sends a Base 64 encoded password, essentially in clear text, across the network."

Polina
Veeam Software
Posts: 838
Liked: 118 times
Joined: Oct 21, 2011 11:22 am
Full Name: Polina Vasileva
Contact:

Re: Veeam, O365 and modern auth vs basic legacy.

Post by Polina » Sep 04, 2019 11:08 am

Hi Olav,

First, I'm moving your posts to another thread where similar questions are discussed.

Next, as you can see from the above posts here, legacy auth protocols are now required for VBO, but we understand your concerns and will drop this requirement as soon as it's technically possible.

Also, when using basic authentication and connecting to any of the O365 endpoints, VBO encrypts all data in-transit using SSL.
