Application Aware Backup of Windows with Smart Card Logon

by Clayman » Tue Aug 29, 2017 8:53 am

Hi all,

we have forced smart card logon on all servers; Veeam application-aware processing now fails to truncate SQL logs because it has no smart card to log on to the server.
As a workaround we disable smart card logon during the backup window on these servers (with Windows tasks), which is not a good solution.
The second (more secure) solution I was thinking of would be to truncate the logs on the server with some extra SQL/Windows tasks.

How do you guys handle such a situation?

The Error Message:
Failed to truncate Microsoft SQL Server transaction logs. Details: Error code: 0x80004005
Failed to invoke func [TruncateSqlLogs]: Unspecified error. Failed to process 'TruncateSQLLog' command.
Failed to logon user [<veeam account>]
Win32 error:Smartcard logon is required and was not used.
Code: -2146892994


cheers

clay
Clayman
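One way to build the "extra SQL/Windows task" the post above mentions, as an added example that is not part of the thread and not Veeam's own code: a script that takes a real transaction-log backup of every FULL/BULK_LOGGED database (which frees the inactive log, the same effect the failing Veeam step is after) and, with -Register, schedules itself to run as a service account. A scheduled task with a stored password performs a batch logon (type 4), which the computer-level "Interactive logon: Require smart card" policy (it blocks type 2) does not cover; the account still needs the "Log on as a batch job" user right on that server, and this does not help if the account object itself has "Smart card is required for interactive logon" set, because that option randomises the password. The instance name, backup path, task user and SqlServer module are assumptions.

```powershell
# Added example (not from the thread or from Veeam). Assumptions: the SqlServer
# module is installed, $Instance is reachable with Windows auth, $BackupRoot
# exists and is writable by both the SQL service and $TaskUser (placeholder).
param(
    [string]$Instance   = 'localhost',
    [string]$BackupRoot = 'D:\SqlLogBackups',
    [string]$TaskUser   = 'CORP\svc-sqllog',   # placeholder service account
    [switch]$Register                           # register the scheduled task and exit
)

if ($Register) {
    $pw    = Read-Host -Prompt "Password for $TaskUser" -AsSecureString
    $plain = [pscredential]::new($TaskUser, $pw).GetNetworkCredential().Password
    # The task runs this same file with the same parameters every 15 minutes.
    $args    = "-NoProfile -ExecutionPolicy Bypass -File `"$PSCommandPath`" " +
               "-Instance $Instance -BackupRoot `"$BackupRoot`""
    $action  = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument $args
    $trigger = New-ScheduledTaskTrigger -Once -At (Get-Date).Date `
                   -RepetitionInterval (New-TimeSpan -Minutes 15)
    # -User/-Password = "run whether user is logged on or not" = batch logon (type 4).
    Register-ScheduledTask -TaskName 'SQL log backup' -Action $action -Trigger $trigger `
        -User $TaskUser -Password $plain -RunLevel Limited | Out-Null
    return
}

Import-Module SqlServer

# SIMPLE-recovery databases truncate their own log; tempdb and model are skipped.
$dbs = Invoke-Sqlcmd -ServerInstance $Instance -Query @"
SELECT name FROM sys.databases
WHERE recovery_model_desc IN ('FULL','BULK_LOGGED')
  AND state_desc = 'ONLINE' AND name NOT IN ('tempdb','model')
"@

foreach ($db in $dbs) {
    $name  = $db.name
    $stamp = Get-Date -Format 'yyyyMMdd_HHmmss'
    $file  = Join-Path $BackupRoot ('{0}_{1}.trn' -f $name, $stamp)
    # A real BACKUP LOG ... TO DISK, not TRUNCATE_ONLY: the log chain stays restorable.
    $sql = "BACKUP LOG [$($name.Replace(']', ']]'))] TO DISK = N'$($file.Replace("'", "''"))' WITH CHECKSUM;"
    try {
        Invoke-Sqlcmd -ServerInstance $Instance -Query $sql -ErrorAction Stop
        Write-Output "Backed up log of [$name] to $file"
    } catch {
        # Typical cause: no full backup has been taken yet, so there is no chain to extend.
        Write-Warning "Log backup of [$name] failed: $($_.Exception.Message)"
    }
}
```

Run it once interactively as an administrator with -Register, then let the task take over. Do not combine this with Veeam's own periodic transaction-log backup for the same instance: two tools each taking log backups split the log chain, and a restore then needs files from both.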

Re: Application Aware Backup of Windows with Smart Card Logon

by Gostev » Tue Aug 29, 2017 12:54 pm

Hello, please keep in mind that smart cards are designed to secure interactive logons performed by end users - you should not apply this to service accounts, such as the one Veeam uses. Thanks!
Gostev
Veeam Software

Re: Application Aware Backup of Windows with Smart Card Logon

by Clayman » Tue Aug 29, 2017 1:43 pm

Hi,

that's correct, but the smart card logon is forced by group policy on the servers, and the setting is a computer setting, not a user setting (Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Require smart card), so I can't exclude a user.
How do you accomplish this?

Thanks

clay
Clayman

Re: Application Aware Backup of Windows with Smart Card Logon

by foggy » Tue Aug 29, 2017 3:12 pm

You can ask your administrators to add exceptions to this group policy, if possible, to allow service accounts to log on using user name and password.
foggy
Veeam Software
Full Name: Alexander Fogelson

Re: Application Aware Backup of Windows with Smart Card Logon

by nmdange » Tue Aug 29, 2017 4:54 pm

Sounds like the issue is Veeam is attempting to do an interactive logon and not a network or batch logon.

https://msdn.microsoft.com/en-us/librar ... 29(v=vs.85).aspx
nmdange

Re: Application Aware Backup of Windows with Smart Card Logon

by Clayman » Wed Aug 30, 2017 6:08 am

foggy wrote:You can ask your administrators to add exceptions to this group policy, if possible, to allow service accounts to log on using user name and password.

That's not possible because it's a computer setting; you can only set it on a computer basis, not on a user basis.
Clayman

Re: Application Aware Backup of Windows with Smart Card Logon

by Clayman » Wed Aug 30, 2017 6:10 am

nmdange wrote:Sounds like the issue is Veeam is attempting to do an interactive logon and not a network or batch logon.

https://msdn.microsoft.com/en-us/librar ... 29(v=vs.85).aspx


Hmm, the link is not working or is broken, can you check the link?

Edit:

Yes, Veeam tries to log on interactively to truncate the SQL log.
Here is a snippet from the Windows security log:

An account failed to log on.

Subject:
Security ID: S-1-5-18
Account Name: <Hostname>$
Account Domain: <domain>
Logon ID: 0x3E7

Logon Type: 2

Account For Which Logon Failed:
Security ID: S-1-0-0
Account Name: <veeam account>
Account Domain: <domain>

Failure Information:
Failure Reason: Smartcard logon is required and was not used.
Status: 0xC000006E
Sub Status: 0xC00002FA

Process Information:
Caller Process ID: 0x1718
Caller Process Name: C:\Windows\VeeamVssSupport\VeeamGuestHelper.exe

Network Information:
Workstation Name: <Hostname>
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Clayman
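To confirm the same cause on any other server, here is an added example (not from the thread, not Veeam's code) that pulls event 4625 from the Security log and keeps only the combination the post above shows: Logon Type 2 with SubStatus 0xC00002FA (STATUS_SMARTCARD_LOGON_REQUIRED), reporting which process asked for the logon. It assumes the script runs elevated on the backed-up server and a one-day look-back window.

```powershell
# Added example (not from the thread or from Veeam). Run elevated on the server
# whose application-aware processing fails; the look-back window is an assumption.
$since  = (Get-Date).AddDays(-1)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4625            # "An account failed to log on"
    StartTime = $since
} -ErrorAction SilentlyContinue  # no events at all is not an error here

foreach ($ev in $events) {
    # The message text is localised; the EventData names in the XML are not.
    [xml]$xml = $ev.ToXml()
    $d = @{}
    foreach ($node in $xml.Event.EventData.Data) { $d[$node.Name] = $node.'#text' }

    # Status 0xC000006E = STATUS_ACCOUNT_RESTRICTION, SubStatus 0xC00002FA =
    # STATUS_SMARTCARD_LOGON_REQUIRED; LogonType 2 = interactive. This is exactly
    # the tuple from the event pasted in the post. -eq is case-insensitive, so the
    # lower-case hex the XML carries still matches.
    if ($d.LogonType -eq '2' -and $d.SubStatus -eq '0xC00002FA') {
        [pscustomobject]@{
            Time         = $ev.TimeCreated
            TargetUser   = '{0}\{1}' -f $d.TargetDomainName, $d.TargetUserName
            CallerPid    = $d.ProcessId          # hex string, e.g. 0x1718
            CallerImage  = $d.ProcessName        # expect ...\VeeamGuestHelper.exe
            LogonProcess = $d.LogonProcessName   # Advapi = LogonUser() call
            AuthPackage  = $d.AuthenticationPackageName
        }
    }
}
```

If CallerImage is VeeamGuestHelper.exe and LogonProcess is Advapi, the failure is the guest helper's own LogonUser call, not a network or RPC path, which is what makes group-policy exceptions on the user side irrelevant here.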

Re: Application Aware Backup of Windows with Smart Card Logon

by nmdange » Wed Aug 30, 2017 6:31 pm

Sorry correct link https://msdn.microsoft.com/en-us/library/windows/desktop/aa380129(v=vs.85).aspx

Yes, you are correct: Veeam is doing an interactive login, given that the login type is "2". Veeam needs to change the value passed to the Win32 logon API to a different value.
nmdange

Re: Application Aware Backup of Windows with Smart Card Logon

by FECV » Mon Sep 04, 2017 3:12 pm

So just an FYI: smart card required settings can be set at the user or computer level or both. I have seen federal agencies justify and use both options. I like implementing at the computer level as I feel it is more secure, but then you run into issues like this. I think this should be a feature request to change the application-aware processing settings for Windows systems to work with "log on as a batch job". If this is not possible, I would like to hear the technical reason why it will not work. I have not tested this, but you may be able to use the Windows agent as a workaround to back up the system and still get Veeam to do the truncation. Anyway, plus one here for getting this changed!
FECV