Clayman
Novice
Posts: 4
Liked: never
Joined: Aug 29, 2017 8:06 am
Full Name: Clayman
Contact:

Application Aware Backup of Windows with Smart Card Logon

Post by Clayman » Aug 29, 2017 8:53 am

Hi all,

We have forced smart card logon on all servers; Veeam application-aware processing now fails to truncate SQL logs because it has no smart card to log on to the server.
As a workaround we disable smart card logon during the backup window on these servers (with Windows tasks), which is not a good solution.
The second (more secure) solution I was thinking of would be to truncate the logs on the server with some extra SQL/Windows tasks.

How do you guys handle such a situation?

The Error Message:
Failed to truncate Microsoft SQL Server transaction logs. Details: Error code: 0x80004005
Failed to invoke func [TruncateSqlLogs]: Unspecified error. Failed to process 'TruncateSQLLog' command.
Failed to logon user [<veeam account>]
Win32 error:Smartcard logon is required and was not used.
Code: -2146892994
Error code: 0x80004005
Failed to invoke func [TruncateSqlLogs]: Unspecified error. Failed to process 'TruncateSQLLog' command.

Failed to logon user [<veeam account>]

Win32 error:Smartcard logon is required
cheers

clay

Gostev
SVP, Product Management
Posts: 24812
Liked: 3572 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Application Aware Backup of Windows with Smart Card Logo

Post by Gostev » Aug 29, 2017 12:54 pm

Hello, please keep in mind that smart cards are designed to secure interactive logons performed by end users - you should not apply this to service accounts, such as the one Veeam uses. Thanks!

Re: Application Aware Backup of Windows with Smart Card Logo

Post by Clayman » Aug 29, 2017 1:43 pm

Hi,

That's correct, but the smart card logon is forced by group policy on the servers and the setting is a computer setting, not a user setting (Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Require smart card), so can't exclude a user.
How do you accomplish this?

Thanks

clay

foggy
Veeam Software
Posts: 18287
Liked: 1568 times
Joined: Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson
Contact:

Re: Application Aware Backup of Windows with Smart Card Logo

Post by foggy » Aug 29, 2017 3:12 pm

You can ask your administrators to add exceptions to this group policy, if possible, to allow service accounts to log on using user name and password.

nmdange
Expert
Posts: 469
Liked: 113 times
Joined: Aug 20, 2015 9:30 pm
Contact:

Re: Application Aware Backup of Windows with Smart Card Logo

Post by nmdange » Aug 29, 2017 4:54 pm

Sounds like the issue is Veeam is attempting to do an interactive logon and not a network or batch logon.

https://msdn.microsoft.com/en-us/librar ... s.85).aspx

Re: Application Aware Backup of Windows with Smart Card Logo

Post by Clayman » Aug 30, 2017 6:08 am

foggy wrote: You can ask your administrators to add exceptions to this group policy, if possible, to allow service accounts to log on using user name and password.

That's not possible because it's a computer setting; you can just set it on a computer basis, not on a user basis.

Re: Application Aware Backup of Windows with Smart Card Logo

Post by Clayman » Aug 30, 2017 6:10 am

nmdange wrote: Sounds like the issue is Veeam is attempting to do an interactive logon and not a network or batch logon.

https://msdn.microsoft.com/en-us/librar ... s.85).aspx

Hmm, the link is not working or is broken; can you check the link?

Edit:

Yes, Veeam tries to log on interactively to truncate the SQL log.
Here is a snip from the Windows security log:

An account failed to log on.

Subject:
Security ID: S-1-5-18
Account Name: <Hostname>$
Account Domain: <domain>
Logon ID: 0x3E7

Logon Type: 2

Account For Which Logon Failed:
Security ID: S-1-0-0
Account Name: <veeam account>
Account Domain: <domain>

Failure Information:
Failure Reason: Smartcard logon is required and was not used.
Status: 0xC000006E
Sub Status: 0xC00002FA

Process Information:
Caller Process ID: 0x1718
Caller Process Name: C:\Windows\VeeamVssSupport\VeeamGuestHelper.exe

Network Information:
Workstation Name: <Hostname>
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 

Re: Application Aware Backup of Windows with Smart Card Logo

Post by nmdange » Aug 30, 2017 6:31 pm

Sorry, correct link: https://msdn.microsoft.com/en-us/librar ... s.85).aspx

Yes, you are correct: Veeam is doing an interactive login, given that the login type is "2". Veeam needs to change the value passed to the Win32 logon API to be a different value.
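
The triage done in the posts above (reading Logon Type, Sub Status and Caller Process Name out of the failed-logon event), as an added example that is not part of the original thread or Veeam's code: it parses the rendered event text and lists every logon refused with Sub Status 0xC00002FA, with the requesting process and logon type. The sample events, the account and host names in them, and the function names are constructed for illustration.

```python
# Logon Type numbers as written in the event's "Logon Type" field.
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service"}
SMARTCARD_LOGON_REQUIRED = 0xC00002FA  # Sub Status from the thread's event
HEADER = "An account failed to log on."

# Constructed sample in the layout of the pasted event; names are placeholders.
SAMPLE = HEADER + r"""
Subject:
Account Name: HOST01$

Logon Type: 2

Account For Which Logon Failed:
Account Name: svc-backup

Failure Information:
Sub Status: 0xC00002FA

Process Information:
Caller Process Name: C:\Windows\VeeamVssSupport\VeeamGuestHelper.exe

An account failed to log on.
Logon Type: 3

Failure Information:
Sub Status: 0xC000006A
"""

def parse_event(chunk):
    """Return {(section, field): value}; "Account Name" occurs in two sections."""
    fields, section = {}, ""
    for line in chunk.splitlines():
        key, sep, value = (p.strip() for p in line.partition(":"))
        if sep and value:
            fields[(section, key)] = value
        else:
            section = key if sep else ""  # heading opens a section, blank closes it
    return fields

def smartcard_blocked(text):
    """List logons refused with Sub Status 0xC00002FA: who, from what, how."""
    hits = []
    for f in map(parse_event, text.split(HEADER)):
        if int(f.get(("Failure Information", "Sub Status"), "0"), 16) == SMARTCARD_LOGON_REQUIRED:
            kind = int(f.get(("", "Logon Type"), "0"))
            hits.append({"account": f.get(("Account For Which Logon Failed", "Account Name")),
                         "process": f.get(("Process Information", "Caller Process Name")),
                         "logon_type": LOGON_TYPES.get(kind, str(kind))})
    return hits
```

Grouping the returned entries by `process` shows which software on a server requests interactive logons for non-human accounts and will break when the computer-level policy is enforced.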

FECV
Novice
Posts: 5
Liked: never
Joined: Mar 24, 2016 2:23 pm
Full Name: Frederick Cooper V
Contact:

Re: Application Aware Backup of Windows with Smart Card Logo

Post by FECV » Sep 04, 2017 3:12 pm

So just an FYI: smart card required settings can be set at the user or computer level or both. I have seen federal agencies justify and use both options. I like implementing at the computer level as I feel it is more secure, but then you run into issues like this. I think this should be a feature request to change the application-aware processing settings for Windows systems to work with logon as batch job. If this is not possible, I would like to hear the technical reason why it will not work. I have not tested this, but you may be able to use the Windows agent as a workaround to back up the system and still get Veeam to do the truncation. Anyway, plus one here for getting this changed!
