Backup failing with NTLMv2 security policy

by m.novelli » Sat Dec 06, 2014 12:20 pm

Hi friends, I've set in my AD Domain the security policy "Security Settings > Local Policies > Security Options > Network Security: LAN Manager authentication level" to "Send NTLMv2 response only/refuse LM and NTLM" and then Veeam Backups started to fail with logon errors to all Windows VMs.

I've reverted back the policy to the standard "Send NTLM response only" and backups started to work again.

Is this a limitation in Veeam Backup or in Windows handshake? With this policy set to maximum security level I can successfully browse administrative shares, but Veeam fails with error "Processing XXXVM Error: Failed to connect to guest agent. Errors: 'Cannot connect to the host's administrative share. Host: [10.0.0.3]. Account: [administrator]. Win32 error:The user name or password is incorrect. Code: 1326"

My Veeam Backup is running on Windows 2012 R2, my VMs are both Windows 2008 R2 and Windows 2012 R2.

Thanks for any advice!

Marco
m.novelli
Veeam ProPartner
 
Posts: 299
Liked: 35 times
Joined: Tue Dec 29, 2009 12:48 pm
Location: Asti - Italy
Full Name: Marco Novelli

Re: Backup failing with NTLMv2 security policy

by Gostev » Sat Dec 06, 2014 9:21 pm

Hi, Marco. Please, open a support case for investigation, as this cannot be troubleshot over forum posts. Thanks!
Gostev
Veeam Software
 
Posts: 21390
Liked: 2349 times
Joined: Sun Jan 01, 2006 1:01 am
Location: Baar, Switzerland

Re: Backup failing with NTLMv2 security policy

by cstemaly » Wed Jan 07, 2015 2:45 pm

I sent a PM to the original poster as well in case he doesn't see this, but I would like to know what the outcome was, if any, as I have the same issue. It will save Veeam a support call :)
cstemaly
Enthusiast
 
Posts: 50
Liked: 6 times
Joined: Fri Aug 17, 2012 12:31 pm

Re: Backup failing with NTLMv2 security policy

by foggy » Wed Jan 07, 2015 2:50 pm

There's no OP's case ID here, so a better way to know the outcome is to either contact him or support directly.
foggy
Veeam Software
 
Posts: 14742
Liked: 1079 times
Joined: Mon Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson

Re: Backup failing with NTLMv2 security policy

by cstemaly » Wed Jan 07, 2015 3:25 pm 1 person likes this post

OP did not call support. I did, and will report my finding. Case ID is 00721563
cstemaly
Enthusiast
 
Posts: 50
Liked: 6 times
Joined: Fri Aug 17, 2012 12:31 pm

Re: Backup failing with NTLMv2 security policy

by cstemaly » Wed Jan 07, 2015 8:13 pm 2 people like this post

Turning off NTLM is not supported. See my case communication below.

My support case details:
I turned NTLM off on an unused Windows 2012 SQL server by doing this:
Open gpedit.msc (local group policy) and navigate to:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

Change the policy "Network Security: Restrict NTLM: Incoming NTLM Traffic" to "Deny all accounts"

My server functioned properly afterwards, but Veeam backups failed (they're application-aware backups) due to not being able to connect to the administrative shares.

The Veeam B&R Server (v8 patch 1 running on Server 2008R2) IS able to browse via UNC path to the admin shares, though.

Is this a known issue? Are there any workarounds?

==============================================================================================================================

Response from support:
The method you use to browse to that path isn't the same method we have to use through an application. We use an RPC to access that share.

If you check your Event Viewer on the Windows 2012 SQL server and browse to the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM you'll likely see an event like the following;

==Begin Event==
NTLM server blocked: Incoming NTLM traffic to servers that is blocked Calling process PID: 596 Calling process name: C:\Windows\System32\svchost.exe Calling process LUID: 0x3E4 Calling process user identity: RS-PROXYV7$ Calling process domain identity: SSA Mechanism OID: (NULL)

NTLM authentication requests to this server have been blocked.

If you want this server to allow NTLM authentication, set the security policy Network Security: Restrict NTLM: Incoming NTLM Traffic to Allow all.
==End Event==

The option you've described is incompatible with Application Aware Image Processing as we need to access the Administrative Share via RPC commands that use NTLM to authenticate.
cstemaly
Enthusiast
 
Posts: 50
Liked: 6 times
Joined: Fri Aug 17, 2012 12:31 pm
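
To see which of the two policies discussed in this thread is in effect on a guest, and which callers its NTLM Operational log has recorded, a script along these lines can be run on the guest. This is an added example, not part of the original posts or of Veeam's tooling; the registry value names are the standard ones backing these Group Policy settings, and the message field labels are those shown in the event quoted above.

```powershell
# Added example, not from the thread. Run elevated on the guest being backed up.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv = "$lsa\MSV1_0"

function Get-PolicyValue([string]$Path, [string]$Name, [hashtable]$Labels) {
    # A missing value means the policy is "Not defined" and the OS default applies.
    $v = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($null -eq $v) { return 'Not defined (OS default applies)' }
    if ($Labels.ContainsKey([int]$v)) { "$v = $($Labels[[int]$v])" } else { "$v (unrecognized)" }
}

$lmLevels = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}
$restrict = @{ 0 = 'Allow all'; 1 = 'Deny all domain accounts'; 2 = 'Deny all accounts' }
$audit    = @{ 0 = 'Disable'; 1 = 'Enable auditing for domain accounts'; 2 = 'Enable auditing for all accounts' }

# The two settings are independent: the first selects which NTLM versions are
# sent and accepted, the second can refuse incoming NTLM of any version.
[pscustomobject]@{
    'LAN Manager authentication level' = Get-PolicyValue $lsa 'LmCompatibilityLevel' $lmLevels
    'Restrict NTLM: Incoming'          = Get-PolicyValue $msv 'RestrictReceivingNTLMTraffic' $restrict
    'Restrict NTLM: Audit Incoming'    = Get-PolicyValue $msv 'AuditReceivingNTLMTraffic' $audit
} | Format-List

function Get-Field([string]$Message, [string]$Label) {
    # Pull the text after "<Label>:" up to the end of that line.
    if ($Message -match ([regex]::Escape($Label) + ':\s*(\S.*)')) { $Matches[1].Trim() }
}

# Summarize recent NTLM Operational events by event ID and calling identity.
Get-WinEvent -LogName 'Microsoft-Windows-NTLM/Operational' -MaxEvents 500 -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Id       = $_.Id
            Process  = Get-Field $_.Message 'Calling process name'
            Identity = Get-Field $_.Message 'Calling process user identity'
            Domain   = Get-Field $_.Message 'Calling process domain identity'
        }
    } |
    Group-Object Id, Domain, Identity, Process |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

With the audit setting enabled and the incoming restriction still at "Allow all", the same log records what would be refused, so the summary can be reviewed before the deny policy is applied.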

Re: Backup failing with NTLMv2 security policy

by KevinK » Mon Jan 12, 2015 9:06 am 1 person likes this post

We have "Send NTLMv2 response only/refuse LM and NTLM" set without backup issues. Application processing and indexing enabled. 2003/2008
KevinK
Enthusiast
 
Posts: 28
Liked: 10 times
Joined: Wed Apr 24, 2013 9:18 am
Full Name: Kevin Kissack

Re: Backup failing with NTLMv2 security policy

by jlockie » Wed Dec 23, 2015 10:14 pm

cstemaly wrote: Turning off NTLM is not supported. See my case communication below.

The option you've described is incompatible with Application Aware Image Processing as we need to access the Administrative Share via RPC commands that use NTLM to authenticate.


Seriously? That is it? No alternative option here? No agent path, no nothing? Just...."do away with your domain security, all your domain belong to us"?

Very discouraged to read this.

I hope they understand why we are rejecting LM and NTLM auth requests? Think about it for two seconds. As a backup solution you are asking for administrative access to the systems you are backing up. OK, that's fine and understandable. Given that, you should provide a solution that sticks to best practices when protecting such privileged accounts, right? It's a joke if you are logging in as an administrator (domain or local) and allowing LM auth. Ever hear of wdigest? :roll:
jlockie
Novice
 
Posts: 7
Liked: never
Joined: Wed Dec 23, 2015 9:41 pm
Full Name: John Lockie

Re: Backup failing with NTLMv2 security policy

by jlockie » Thu Dec 24, 2015 4:57 pm

Here is the guidance from Microsoft regarding LM and NTLM use: https://support.microsoft.com/en-us/kb/2793313
jlockie
Novice
 
Posts: 7
Liked: never
Joined: Wed Dec 23, 2015 9:41 pm
Full Name: John Lockie

Re: Backup failing with NTLMv2 security policy

by mma » Thu Oct 13, 2016 9:56 am

Hello Veeam

Is this still not possible in 2016? :shock:

Regards
Marcel
mma
Service Provider
 
Posts: 58
Liked: 10 times
Joined: Thu Dec 22, 2011 9:12 am
Location: Lucerne, Switzerland
Full Name: Marcel

Re: Backup failing with NTLMv2 security policy

by sandsturm » Thu Oct 13, 2016 6:07 pm

It's good to see that I'm not the only one with this problem. We don't allow any NTLM version, because NTLM is a protocol deployed the first time with Windows NT... and what year do we have actually? The hash algorithm used within NTLM is not considered safe in 2016. (MD4 for NTLM v1 and MD5 for NTLM V2) For this reason we allow Kerberos authentication only in our environment and no more NTLM. But as you said, Veeam Backup does not work with disabled NTLM (v1). So please, enable the possibility for a timely authentication mechanism in Veeam, because we don't have any Windows NT installations any more ;-)
Veeam as a backup software provider must have a serious interest in using timely mechanisms to increase the security level...
sandsturm
Enthusiast
 
Posts: 35
Liked: 1 time
Joined: Mon Mar 23, 2015 8:30 am

Re: Backup failing with NTLMv2 security policy

by mma » Fri Oct 14, 2016 8:40 am

It's even worse if you have to use VIX instead of admin$ and have UAC enabled.
In this case you have to use the builtin administrator (.\administrator or domain\administrator)
mma
Service Provider
 
Posts: 58
Liked: 10 times
Joined: Thu Dec 22, 2011 9:12 am
Location: Lucerne, Switzerland
Full Name: Marcel

Re: Backup failing with NTLMv2 security policy

by primeaum » Fri Oct 21, 2016 11:42 am 1 person likes this post

Veeam needs to find a way to support application aware processing with NTLM disabled. We have NTLM disabled on our whole domain and cannot use AAP to backup our SQL servers. Hopefully the engineering team can see that this is an issue and figure out a way to make AAP work in the future without NTLM being required.
primeaum
Lurker
 
Posts: 1
Liked: 1 time
Joined: Fri Oct 21, 2016 11:38 am

Re: Backup failing with NTLMv2 security policy

by Andreas Neufert » Fri Oct 21, 2016 6:05 pm

mma wrote: It's even worse if you have to use VIX instead of admin$ and have UAC enabled.
In this case you have to use the builtin administrator (.\administrator or domain\administrator)


Agree on the whole request, but let me add here that the VIX limitation is by design of VMware Tools and the way it is integrated into Windows and usage of accounts for their services. So this limitation will stay till VMware changes VMware Tools.

As well let me please add that we discuss this whole point as well internally. Changes in the Guest Interaction process potentially affect 2.000.000+ backed up VMs which use Guest Interaction and changes there will be handled with best care from the core team at R&D and QC.
Andreas Neufert
Veeam Software
 
Posts: 2201
Liked: 360 times
Joined: Wed May 04, 2011 8:36 am
Location: Germany
Full Name: @AndyandtheVMs Veeam PM

Re: Backup failing with NTLMv2 security policy

by sandsturm » Fri Oct 21, 2016 6:44 pm

As well let me please add that we discuss this whole point as well internally. Changes in the Guest Interaction process potentially affect 2.000.000+ backed up VMs which use Guest Interaction and changes there will be handled with best care from the core team at R&D and QC.

Good care from R&D and QC in this topic is very important. It looks like you're on an implementation for it? Can you say a little bit more about it? Progress or approx. release date?
This would be really great and for me absolutely elementary to deploy VEEAM as a backup solution for the whole company (approximately 120 ESXi hosts) and nonetheless with a Kerberos implementation you'll keep your software on an appropriate and timely level of security...
sandsturm
Enthusiast
 
Posts: 35
Liked: 1 time
Joined: Mon Mar 23, 2015 8:30 am
