Comprehensive data protection for all workloads
Post Reply
shayani
Lurker
Posts: 2
Liked: never
Joined: Apr 09, 2018 8:35 am
Full Name: Shayani
Contact:

Feature request: Kerberos only authentication

Post by shayani » Apr 09, 2018 9:24 am

I have discussed with Veeam support and apparently there is no way to use only Kerberos authentication with Veeam. Therefore, if you're planning to have a NTLM free environment, Veeam would be out of the equation. The following services do not seem to work in Kerberos:
  • 1) File indexing
    2) File restoration
I'm starting this thread to request for the feature to be in the next release of Veeam B&R. It is high time for Veeam to catch up with the latest Enterprise security standards.

Vitaliy S.
Product Manager
Posts: 23301
Liked: 1633 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov
Contact:

Re: Feature request: Kerberos only authentication

Post by Vitaliy S. » Apr 09, 2018 3:28 pm 1 person likes this post

Hello Shayani,

This functionality is in our high priority feature list. Based on your scenario you would need to have this type of authentication available for guest processing services (application aware processing), right?

Thank you for the FR.

shayani
Lurker
Posts: 2
Liked: never
Joined: Apr 09, 2018 8:35 am
Full Name: Shayani
Contact:

Re: Feature request: Kerberos only authentication

Post by shayani » Apr 11, 2018 2:06 pm

Yes. Thanks for your reply. And please post any updates.

dsegel
Influencer
Posts: 18
Liked: never
Joined: Aug 09, 2017 3:51 pm
Full Name: Daniel Segel
Contact:

Re: Feature request: Kerberos only authentication

Post by dsegel » Apr 17, 2019 2:42 pm

Any updates on if/when NTLM will be going away as a requirement in Veeam? My security admin is pushing to disable it everywhere.

We're running Hyper-V if it matters.

Gostev
SVP, Product Management
Posts: 25295
Liked: 3761 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Feature request: Kerberos only authentication

Post by Gostev » Apr 17, 2019 2:48 pm

Support for Kerberos-only authentication for guest connections was added in Update 4, see What's New for more details.

dsegel
Influencer
Posts: 18
Liked: never
Joined: Aug 09, 2017 3:51 pm
Full Name: Daniel Segel
Contact:

Re: Feature request: Kerberos only authentication

Post by dsegel » Apr 17, 2019 2:52 pm

Unless I'm reading it wrong, it says that's for vSphere only. As I said, we're running Hyper-V.

Gostev
SVP, Product Management
Posts: 25295
Liked: 3761 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Feature request: Kerberos only authentication

Post by Gostev » Apr 17, 2019 3:16 pm

Ah, sorry. Moved to the correct forum and asked for clarification why it says vSphere only, since guest processing is not hypervisor-specific logic AFAIK.

Gostev
SVP, Product Management
Posts: 25295
Liked: 3761 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Feature request: Kerberos only authentication

Post by Gostev » Apr 17, 2019 4:02 pm

Checked with the devs and apparently unlike VMware, Hyper-V does not return FQDN of the guest - while Kerberos authentication is impossible without FQDN.

dsegel
Influencer
Posts: 18
Liked: never
Joined: Aug 09, 2017 3:51 pm
Full Name: Daniel Segel
Contact:

Re: Feature request: Kerberos only authentication

Post by dsegel » Apr 19, 2019 4:27 pm

Yup, I just discovered this myself when all the backups on our test system failed last night.

Veeam can't even connect to the host server, nevermind the guest VMs.

Any ideas for workarounds or other possibilities for ditching NTLM for Hyper-V in the future?

Thanks.

hke
Lurker
Posts: 2
Liked: never
Joined: Oct 08, 2019 11:48 am
Contact:

Re: Feature request: Kerberos only authentication

Post by hke » Oct 08, 2019 11:57 am

There's a similar issue with the console. Administrators in the Windows Protected Users group (which makes users Kerberos-only) can't connect.

veeam-backup-replication-f2/ad-protecte ... 56276.html

benthomas
Service Provider
Posts: 17
Liked: never
Joined: Apr 22, 2013 2:29 am
Full Name: Ben Thomas
Location: New Zealand
Contact:

Re: Feature request: Kerberos only authentication

Post by benthomas » Oct 29, 2019 2:21 am

Gostev wrote:
Apr 17, 2019 4:02 pm
Checked with the devs and apparently unlike VMware, Hyper-V does not return FQDN of the guest - while Kerberos authentication is impossible without FQDN.
I'm sorry @Gostev but Hyper-V guests do return their FQDNs....
The KVP exchange exposes the guest FQDN property to the host. I've just tested and confirmed this on both WS2016 and WS2019 hosts.

Gostev
SVP, Product Management
Posts: 25295
Liked: 3761 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Feature request: Kerberos only authentication

Post by Gostev » Oct 29, 2019 10:33 pm

I looked up that email thread with the devs again, and they did mention KVP there... but, in a bad light. They said it's very unreliable, as in many labs the content of FQDN field was empty. So unfortunately, this not something we can rely on for the production code.

Post Reply

Who is online

Users browsing this forum: Google [Bot] and 24 guests