Comprehensive data protection for all workloads
Post Reply
DeadEyedJacks
Veeam ProPartner
Posts: 141
Liked: 26 times
Joined: Oct 12, 2015 2:55 pm
Full Name: Dead-Data
Location: UK
Contact:

AD Protected User can't use Veeam Console remotely

Post by DeadEyedJacks » 1 person likes this post

Hi,
Is it expected behaviour that an Active directory user who is in the "Protected Users" group is unable to connect to Veeam Backup and Replication server when launching console from a remote server?
"Failed to connect to Veeam Backup & Replication Server: The logon attempt failed"
NB As soon as user account is removed from "Protected Users" you are able to connect.
TIA
foggy
Veeam Software
Posts: 21069
Liked: 2115 times
Joined: Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson
Contact:

Re: AD Protected User can't use Veeam Console remotely

Post by foggy »

Most likely it is NTLM authentication, which is not allowed for "Protected Users" group members while required when connecting remotely. We will add this note to the corresponding documentation section, thanks for the heads up!
hke
Novice
Posts: 6
Liked: never
Joined: Oct 08, 2019 11:48 am
Contact:

Re: AD Protected User can't use Veeam Console remotely

Post by hke »

Will this issue (lack of Kerberos support for console connections) be fixed or just documented?

As you know, NTLM authentication is much weaker than Kerberos and protecting critical backup assets from passed hashes and other exploits is a top priority for many customers.
foggy
Veeam Software
Posts: 21069
Liked: 2115 times
Joined: Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson
Contact:

Re: AD Protected User can't use Veeam Console remotely

Post by foggy »

Yes, we have a requirement to support Kerberos-only authentication for backup infrastructure connections logged for the future versions.
AOK-BV
Novice
Posts: 8
Liked: never
Joined: Dec 18, 2014 9:30 am
Full Name: AOK-BV
Contact:

Re: AD Protected User can't use Veeam Console remotely

Post by AOK-BV »

+1
We have the same issue.
komzolkin
Lurker
Posts: 1
Liked: never
Joined: Feb 09, 2017 3:05 pm
Full Name: Konstantin Komzolkin
Contact:

Re: AD Protected User can't use Veeam Console remotely

Post by komzolkin »

foggy wrote: Oct 11, 2019 2:38 pm Yes, we have a requirement to support Kerberos-only authentication for backup infrastructure connections logged for the future versions.
+1 for the FR
hke
Novice
Posts: 6
Liked: never
Joined: Oct 08, 2019 11:48 am
Contact:

Re: AD Protected User can't use Veeam Console remotely

Post by hke »

Any update on this? Veeam (and all other backup systems) are prime targets for ransomware operators. Protected Users group (i.e., Kerberos-only logins) is a frequently-recommended protection for admin accounts.

The way things stand now, you can't have a very secure admin ID if you also use Veeam (from anywhere other than the VBR server - which raises even more security issues).
Vitaliy S.
VP, Product Management
Posts: 27055
Liked: 2710 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov
Contact:

Re: AD Protected User can't use Veeam Console remotely

Post by Vitaliy S. »

Hi hke,

The update is the following > currently, we are in the investigation stage (what is required from the RnD team standpoint to support it). As to when Kerberos support will be added to the product, then I cannot share any ETA yet.

Thanks!
rvjr
Novice
Posts: 3
Liked: never
Joined: Sep 08, 2021 3:48 pm
Full Name: Rainer
Contact:

Re: AD Protected User can't use Veeam Console remotely

Post by rvjr »

Ping... any update on this? As far as I can see it's still not working in the latests v11.
Vitaliy S.
VP, Product Management
Posts: 27055
Liked: 2710 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov
Contact:

Re: AD Protected User can't use Veeam Console remotely

Post by Vitaliy S. »

Hi Rainer,

Yes, you're correct. This functionality is not part of the v11 release. Plans are to introduce this functionality (Kerberos support) in our next major versions.

Thanks!
joebranca
Enthusiast
Posts: 49
Liked: never
Joined: Oct 28, 2015 9:36 pm
Full Name: Joe Brancaleone
Contact:

Re: AD Protected User can't use Veeam Console remotely

Post by joebranca »

Did I hear right that Kerberos only authentication is confirmed included in v12?
Vitaliy S.
VP, Product Management
Posts: 27055
Liked: 2710 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov
Contact:

Re: AD Protected User can't use Veeam Console remotely

Post by Vitaliy S. »

Yes, that's correct > NTLM and Kerberos
Post Reply

Who is online

Users browsing this forum: Bing [Bot], Semrush [Bot] and 242 guests