Excessive NTLM requests

JSi · Post by **JSi** » Oct 05, 2015 3:34 pm this post

Hello everyone,

my firewall dep. colleagues remind me about excessive use of authentication requests coming from my veeam server. It`s about 17 000 requests per day.
I have small environment - 1 Veeam server with collocated roles (Veeam B&R +Enterprise Manager, One), 4 node hyper-v cluster and 1 esxi server, about 20 jobs.
That count seems to me too high ...is it normal? Or I made a configuration mistake somewhere?

Is there a way how to use ?kerberos? and reuse tickets?

Thanx for any advice

Post by **Gostev** » Oct 05, 2015 9:00 pm this post

JSi wrote:Is there a way how to use ?kerberos? and reuse tickets?

I hope not, since ability to "reuse tickets" would mean that Kerberos has been hacked

JSi · Post by **JSi** » Oct 06, 2015 8:01 am this post

Thanx for reply Anton.

I wrote it wrong ... I thought it in that way, why it could not use kerberos ticket to reauthenticate when its needed ?

Post by **emachabert** » Oct 06, 2015 8:56 am this post

NTLM ? really ?
I would have thought that Veeam services would use the underlying kerberos authentication scheme (service tickets instead of NTLM).

Post by **Gostev** » Oct 06, 2015 8:23 pm this post

@Eric we do use Kerberos (although technically speaking, this happens on much lower level than our application - in core Windows authentication algorightms, and is transparent to us). However, obviously this is applicable to domain environments only... for any component that is located outside of Active Directory, NTLM is the only option.

@Jan service tickets are being re-used of course, but again - all of that happens on a much lower level than our product.

JSi · Post by **JSi** » Oct 07, 2015 9:36 am this post

Sorry for dumb questions but ... is it possible to create kerberos SPN for Veeam services to solve it? And if yes - is it supported?

For clarification:
Account used for Veeam services is domain based, Veeam server is also in domain. I don`t use application consistent backup (IMHO there is no need to authenticate on objects outside of active directory).

Oct 07, 2015 2:15 pm

In my understanding,
SPN are useful for targeted services. They are used when requesting the service ticket to get access to the service. Veeam services are "clients/users", they are the ones requesting service tickets to get access to remote services using remote services' SPN.

JSi · Post by **JSi** » Oct 07, 2015 2:32 pm this post

Thanx for explanation, it seems that I misunderstood SPN.

Post by **emachabert** » Nov 04, 2015 4:37 pm this post

Gostev wrote: I hope not, since ability to "reuse tickets" would mean that Kerberos has been hacked

well...I think it is becoming a concern.
I don't know if you know the french tool mimikatz, but it is just awesome. When doing penetration testing you can just blow any ActiveDirectory domain. The best one is the GoldenTicket, granting full access to an unexisting user

http://blog.gentilkiwi.com/presentations

R&D Forums

Excessive NTLM requests

Re: Excessive NTLM requests

Re: Excessive NTLM requests

Re: Excessive NTLM requests

Re: Excessive NTLM requests

Re: Excessive NTLM requests

Re: Excessive NTLM requests

Re: Excessive NTLM requests

Re: Excessive NTLM requests

Who is online