Backup failing with NTLMv2 security policy

Availability for the Always-On Enterprise

Re: Backup failing with NTLMv2 security policy

Veeam Logoby Andreas Neufert » Fri Oct 21, 2016 7:22 pm 1 person likes this post

Based on internal and external feedback NTLMv2 only processing should work with actual versions. Kerberos only processing (disabled NTLM) has some limitations when not everything is in the same domain.

I just guess here at that point that Veeam will leave the authentication as is (extreme good and stable experience over the last 5 years) and will use Kerberos only processing as fallback. But this is only me guessing.
If this feature requests will make it into any update or v10 we will see and we have to wait on official feedback from our product management. As v10 features are not finalized yet it will take some time to say.

If you just read this post and are in the same situation please add your feedback here.
Andreas Neufert
Veeam Software
 
Posts: 2676
Liked: 453 times
Joined: Wed May 04, 2011 8:36 am
Location: Germany
Full Name: @AndyandtheVMs Veeam PM

Re: Backup failing with NTLMv2 security policy

Veeam Logoby sandsturm » Sat Oct 22, 2016 12:52 pm

Based on internal and external feedback NTLMv2 only processing should work with actual versions. Kerberos only processing (disabled NTLM) has some limitations when not everything is in the same domain.

Do you mean 9.5 with actual version? Because Version 9 does not work with disabled NTLM, even everything is in the same domain.
sandsturm
Enthusiast
 
Posts: 48
Liked: 1 time
Joined: Mon Mar 23, 2015 8:30 am

Re: Backup failing with NTLMv2 security policy

Veeam Logoby Andreas Neufert » Sun Oct 23, 2016 7:20 am 1 person likes this post

NTLM v1 disabled should work with v9 and 9.5

Kerberos only is something that Veeam discusses for one of the next versions. v10 features are not finalized yet. It is too soon to say.
Andreas Neufert
Veeam Software
 
Posts: 2676
Liked: 453 times
Joined: Wed May 04, 2011 8:36 am
Location: Germany
Full Name: @AndyandtheVMs Veeam PM

Re: Backup failing with NTLMv2 security policy

Veeam Logoby tsightler » Sun Oct 23, 2016 5:17 pm 1 person likes this post

sandsturm wrote:Do you mean 9.5 with actual version? Because Version 9 does not work with disabled NTLM, even everything is in the same domain.

I think the confusion comes because this thread started off referring to issues with disabling NTLMv1 and LM (the thread title is about NTLMv2). For example, even you original post on Oct 13th says:

sandsturm wrote:But as you said, Veeam Backup does not work with disabled NTLM (v1).

I'm not aware of any issues with NTLMv2 in current versions, for example, even my lab environment runs with "Send NTLMv2 response only/refuse LM and NTLM" set in the global domain policy.

There are certainly known issues when policies disable all NTLM versions.
tsightler
Veeam Software
 
Posts: 5090
Liked: 2008 times
Joined: Fri Jun 05, 2009 12:57 pm
Full Name: Tom Sightler

Re: Backup failing with NTLMv2 security policy

Veeam Logoby signal » Fri Jan 19, 2018 8:49 am

With the domain using NTLMv2 and refusing LM and NTLM I'm having trouble with the console connecting from windows 7 client to VBR 9.5 on Windows Server 2012 R2. Eventlog shows messages about failed logins. Enabling NTLM, and still refusing LM) resolves the issue, but the security manager wants NTLMv2 only. Is there a way to solve this?
signal
Enthusiast
 
Posts: 53
Liked: 3 times
Joined: Thu Oct 06, 2016 1:19 pm

Re: Backup failing with NTLMv2 security policy

Veeam Logoby signal » Wed Mar 07, 2018 2:26 pm

Any feedback here?
signal
Enthusiast
 
Posts: 53
Liked: 3 times
Joined: Thu Oct 06, 2016 1:19 pm

Re: Backup failing with NTLMv2 security policy

Veeam Logoby tsightler » Wed Mar 07, 2018 2:57 pm 1 person likes this post

Assuming you've rebooted everything after the change, and the change is implemented on both the Veeam servers, as well as domain controllers and clients, I see no reason why it should not work. Here's a setup of the local policy enforced on my Veeam server, as well as all servers in my environment:

Image

Pretty much every environment I work in has NTLMv2 enforced and I can't remember having any issues in the last few years. I guess there could always be some corner case, but I'd suggest opening a ticket.
tsightler
Veeam Software
 
Posts: 5090
Liked: 2008 times
Joined: Fri Jun 05, 2009 12:57 pm
Full Name: Tom Sightler

Re: Backup failing with NTLMv2 security policy

Veeam Logoby signal » Thu Mar 08, 2018 12:52 pm

tsightler wrote:Assuming you've rebooted everything after the change, and the change is implemented on both the Veeam servers, as well as domain controllers and clients, I see no reason why it should not work.

tsightler wrote:Pretty much every environment I work in has NTLMv2 enforced and I can't remember having any issues in the last few years. I guess there could always be some corner case, but I'd suggest opening a ticket.


This was in fact a problem with the client (Windows 7) having the setting lower (level 2, I think), and it needs to be level 3 or higher. No one had changed it, so this looks like it may be the default on Windows 7. This has been changed to force v2, and then it works.

Thanks for the feedback, even though we found the solution before I saw the reply. :roll:
signal
Enthusiast
 
Posts: 53
Liked: 3 times
Joined: Thu Oct 06, 2016 1:19 pm

Previous

Return to Veeam Backup & Replication



Who is online

Users browsing this forum: Google [Bot], JimmyO, Samba222 and 77 guests