-
- Lurker
- Posts: 2
- Liked: never
- Joined: Jan 28, 2020 9:07 pm
- Full Name: Jim
- Contact:
Re: Feature request - Managed Service Accounts. MSA and GMSA
I am shocked that Veeam - being an enterprise BCDR solution, does not support GMSA's. I can't believe this. This is absolutely critical that this be implemented ASAP. Any environment that cares at all about security will require password expiration on all domain accounts. We will be forced to find a new BCDR solution for hundreds of VM's if this is not implemented very soon, this is a critical security flaw as far as we are concerned.
-
- Product Manager
- Posts: 14840
- Liked: 3086 times
- Joined: Sep 01, 2014 11:46 am
- Full Name: Hannes Kasparick
- Location: Austria
- Contact:
Re: Feature request - Managed Service Accounts. MSA and GMSA
Hello,
and welcome to the forums. Yes, it's something we want to do (the request comes up more and more often, also internally). But I cannot give you a timeline yet.
Best regards,
Hannes
-
- Lurker
- Posts: 2
- Liked: 2 times
- Joined: Feb 25, 2020 12:19 am
- Full Name: Yousef ismail
- Contact:
Re: Feature request - Managed Service Accounts. MSA and GMSA
Lol, the amusing part is that this thread has been open since 2015 and Veeam support keeps saying they are either looking into it or working on it. Take your time guys, what's another 5 years...
-
- Product Manager
- Posts: 14840
- Liked: 3086 times
- Joined: Sep 01, 2014 11:46 am
- Full Name: Hannes Kasparick
- Location: Austria
- Contact:
Re: Feature request - Managed Service Accounts. MSA and GMSA
Hello Yismail,
Keep in mind we have to decide between many hundreds (literally) of pending feature requests for each version. And from more than 365.000 Veeam customers, there are only a few who will be using this feature... so choosing other features over this one for many years makes sense for the majority of our customers.
Best regards,
Hannes
-
- Lurker
- Posts: 2
- Liked: 2 times
- Joined: Feb 25, 2020 12:19 am
- Full Name: Yousef ismail
- Contact:
Re: Feature request - Managed Service Accounts. MSA and GMSA
Hello Hannah,
The thing is, this is not a feature, this is a huge security concern to your clients who are concerned about security in an age where service accounts are targeted to compromise organizations. Anyway, it doesn't really matter, you do you guys.
-
- Lurker
- Posts: 2
- Liked: 1 time
- Joined: Mar 26, 2020 8:47 pm
- Full Name: Patrick Fist
- Contact:
Re: Feature request - Managed Service Accounts. MSA and GMSA
I have the request to implement gMSA to get my company covered for a cyber risk insurance.
Leading VM backup solution provider Veeam does not support it. So sad. Time to evaluate alternatives.
Push!
-
- Influencer
- Posts: 19
- Liked: 1 time
- Joined: Apr 10, 2020 6:02 pm
- Full Name: Evan
- Contact:
Re: Feature request - Managed Service Accounts. MSA and GMSA
We need to be able to use gMSAs with Veeam, too. At the very least we should be able to use a gMSA for running the Veeam services.... I'm trying to perform a fresh install on a new VM that we are replacing our primary backup server with, and it tells me that the username/password is incorrect. I assume this is just because the password field is empty (which it should be for a gMSA). Other than removing that check during the setup, I bet there isn't much that would have to be changed to get gMSAs working as service accounts. This really should be added ASAP. The ability to use gMSAs for guest indexing seems quite important, too.
-
- Chief Product Officer
- Posts: 31814
- Liked: 7302 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: Feature request - Managed Service Accounts. MSA and GMSA
Hi, Evan. We will check why our setup does not accept these accounts. However, did you consider instead simply changing the Veeam services to use gMSA after the product has been installed using regular accounts?
-
- Influencer
- Posts: 19
- Liked: 1 time
- Joined: Apr 10, 2020 6:02 pm
- Full Name: Evan
- Contact:
Re: Feature request - Managed Service Accounts. MSA and GMSA
I have considered that, but I was afraid there was more required than simply changing the accounts that the services run underneath. Manually changing the service accounts for a simple service is one thing. Changing the service accounts for services that run an application as complicated as Veeam is entirely different. Are there references to the service accounts in other places? Is Veeam’s current position that changing the service accounts on the Veeam services to run under a gMSA will not cause any issues with the software, as long as the gMSA has the necessary SQL permissions? Does the gMSA also need to be a local admin?
One big issue that I foresee is that the Veeam service account appears to require interactive login permissions. Or at least, when I tried to use an AD account as the Veeam service account that was denied interactive login permissions, I received an error during setup that said “the service account cannot be impersonated”. gMSAs are not allowed to perform interactive logins. Whether Veeam requires interactive logins only during the setup process (to impersonate the user account during setup), I do not know. Do the service(s) also impersonate the user account when the service(s) is/are running under the account?
As you can see, there are a lot of reasons for me to be hesitant to change the Veeam services to run under a gMSA. Are you telling me that these things that I am concerned about should not be an issue, and that simply changing the services to run underneath a gMSA should work?
-
- Chief Product Officer
- Posts: 31814
- Liked: 7302 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: Feature request - Managed Service Accounts. MSA and GMSA
To be honest, I don't know as I never tested this. Specifying those accounts manually in the service settings simply looked like a simple solution to the fact that setup does not "understand" gMSA account. It may just work, or there could be other barriers, as you mention.
Normally, our services should use batch logon, as opposed to interactive logon.
The gMSA does need to be a local admin for sure though.
-
- Certified Trainer
- Posts: 1025
- Liked: 448 times
- Joined: Jul 23, 2012 8:16 am
- Full Name: Preben Berg
- Contact:
Re: Feature request - Managed Service Accounts. MSA and GMSA
Interaction with repositories and guests are probably the most important candidates for this feature. However, it isn't possible to add accounts with empty passwords to the credentials manager – neither via GUI nor PowerShell. Allowing it via PowerShell would be acceptable since configuring gMSAs requires PowerShell anyway.
So, it might be possible to change so that Veeam Backup Service and its interaction with SQL Server use a gMSA, but personally I do not think that is the largest attack vector to worry about.
Code:
Add-VBRCredentials -User "int\gmsatest" -Password "" -Description "gMSA with empty password"
Add-VBRCredentials : Specify non-empty password
At line:1 char:1
+ Add-VBRCredentials -User "int\gmsatest" -Password "" -Description "gM ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Add-VBRCredentials], Exception
+ FullyQualifiedErrorId : System.Exception,Veeam.Backup.PowerShell.Cmdlets.AddVBRCredentials
-
- Chief Product Officer
- Posts: 31814
- Liked: 7302 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: Feature request - Managed Service Accounts. MSA and GMSA
Gostev wrote: ↑Apr 13, 2020 12:42 pm
To be honest, I don't know as I never tested this. Specifying those accounts manually in the service settings simply looked like a simple solution to the fact that setup does not "understand" gMSA account. It may just work, or there could be other barriers, as you mention.
Just to follow up on this, we tested the workaround for Veeam Backup Service specifically, and everything appears to work fine with setting its service account to gMSA manually. So, just specify some temporary account in the setup program, then come back and change it in the Services snap-in. Thanks!
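A read-only check for the workaround discussed above, added here as an example that is not part of the thread and is not Veeam's code. It assumes the gMSA is `INT\gmsatest` (the test account named earlier in the thread), that the service's display name is exactly "Veeam Backup Service", and that the ActiveDirectory RSAT module is installed; the function name is hypothetical.

```powershell
#Requires -Modules ActiveDirectory
# Added example: verifies the preconditions named in the thread before and after
# changing the logon account in the Services snap-in. It changes nothing.
function Test-GmsaServiceReadiness {
    param(
        [string]$Domain      = 'INT',                   # assumed NetBIOS domain
        [string]$GmsaName    = 'gmsatest',              # assumed gMSA name, without the '$'
        [string]$DisplayName = 'Veeam Backup Service'   # assumed service display name
    )
    # A gMSA is entered as a logon account with a trailing '$' and no password.
    $account = '{0}\{1}$' -f $Domain, $GmsaName

    # 1. Can this host retrieve the gMSA's managed password from AD?
    try   { $canRetrieve = [bool](Test-ADServiceAccount -Identity $GmsaName -ErrorAction Stop) }
    catch { $canRetrieve = $false }

    # 2. Is the gMSA a direct member of BUILTIN\Administrators (S-1-5-32-544)?
    #    Membership through a nested domain group is not detected by this check.
    try {
        $isLocalAdmin = [bool](Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop |
                               Where-Object { $_.Name -ieq $account })
    } catch { $isLocalAdmin = $false }

    # 3. Which account is the service currently configured to run as?
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "DisplayName='$DisplayName'"

    [pscustomobject]@{
        Account          = $account
        HostCanUseGmsa   = $canRetrieve
        IsLocalAdmin     = $isLocalAdmin
        ServiceFound     = [bool]$svc
        ServiceStartName = $svc.StartName
        ServiceState     = $svc.State
        RunsAsGmsa       = [bool]($svc -and $svc.StartName -ieq $account)
    }
}

Test-GmsaServiceReadiness | Format-List
```

Run it once before the change to confirm `HostCanUseGmsa` and `IsLocalAdmin`, and again after restarting the service to confirm `RunsAsGmsa` and a `Running` state.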
-
- Novice
- Posts: 3
- Liked: 1 time
- Joined: May 14, 2020 7:21 pm
- Contact:
Re: Feature request - Managed Service Accounts. MSA and GMSA
I would also like to see support for gMSA in Veeam backup jobs.
-
- Novice
- Posts: 9
- Liked: never
- Joined: Jul 15, 2016 5:24 pm
- Full Name: Kevin
- Contact:
Re: Feature request - Managed Service Accounts. MSA and GMSA
+1, it's a great feature
-
- Novice
- Posts: 3
- Liked: never
- Joined: Apr 03, 2019 3:54 pm
- Full Name: Tom
- Contact:
Re: Feature request - Managed Service Accounts. MSA and GMSA
+1 for gMSA support
-
- Chief Product Officer
- Posts: 31814
- Liked: 7302 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: Feature request - Managed Service Accounts. MSA and GMSA
We're researching and prototyping this now.
-
- Lurker
- Posts: 1
- Liked: never
- Joined: Aug 07, 2020 12:27 pm
- Full Name: Lloyd Smart
- Contact:
Re: Feature request - Managed Service Accounts. MSA and GMSA
Adding my vote - I could make my setup so much more secure with this!
-
- Novice
- Posts: 9
- Liked: never
- Joined: Feb 15, 2019 8:59 am
- Full Name: Ludovic SCOTTI
- Contact:
-
- Chief Product Officer
- Posts: 31814
- Liked: 7302 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: Feature request - Managed Service Accounts. MSA and GMSA
No. It was fully implemented by devs some months ago, but due to lack of QC resources we could not include it in v11. Too many other new features already...
-
- Veteran
- Posts: 377
- Liked: 86 times
- Joined: Mar 17, 2015 9:50 pm
- Full Name: Aemilianus Kehler
- Contact:
Re: Feature request - Managed Service Accounts. MSA and GMSA
Ooooo sooo close. Exciting. Thanks for the update.
-
- Lurker
- Posts: 1
- Liked: never
- Joined: Feb 05, 2021 9:56 am
- Full Name: Oli Haine
- Contact:
Re: Feature request - Managed Service Accounts. MSA and GMSA
Tomorrow we will celebrate the 6th anniversary of this security Feature Request....................
This proves without a single doubt that Security is not part of VEEAM's priorities at all.
OLi
-
- Chief Product Officer
- Posts: 31814
- Liked: 7302 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: Feature request - Managed Service Accounts. MSA and GMSA
So tell me this then. That last time you did not buy some toy your kids asked you for... does this also prove they are "without a single doubt not a part of your priorities at all"? Even after all those hundreds of other presents you bought them, and thousands of hours you spent nurturing them since they were born?
You'd probably be very upset if someone told you this, but somehow you think it's fine to make the exact same invalid generalization about someone else's baby?
-
- Novice
- Posts: 4
- Liked: 2 times
- Joined: Jan 11, 2017 10:25 am
- Full Name: Andreas Cremer
- Location: Germany
- Contact:
Re: Feature request - Managed Service Accounts. MSA and GMSA
+1 for gMSA support. Thanks in advance!
-
- Novice
- Posts: 8
- Liked: never
- Joined: Jan 29, 2016 5:29 pm
- Contact:
Re: Feature request - Managed Service Accounts. MSA and GMSA
We need gMSA as well.
-
- Influencer
- Posts: 11
- Liked: never
- Joined: May 11, 2018 10:05 am
- Full Name: Thomas
- Contact:
Re: Feature request - Managed Service Accounts. MSA and GMSA
+1 for gMSA support
-
- Veteran
- Posts: 377
- Liked: 86 times
- Joined: Mar 17, 2015 9:50 pm
- Full Name: Aemilianus Kehler
- Contact:
Re: Feature request - Managed Service Accounts. MSA and GMSA
Gostev, I don't disagree with you on that one. Such as Hardened Repos, and many other advancements. That's not to take away from the fact this has been a VERY long time request, that MANY have asked for. It should be given a bit higher priority as it doesn't seem to be coming to fruition.
It's kind of like that boss that says thanks and your hard work will be compensated soon. Sayin' something is nice, but providing it is much better.
-
- Chief Product Officer
- Posts: 31814
- Liked: 7302 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: Feature request - Managed Service Accounts. MSA and GMSA
It certainly would, if there were no other requests which were outstanding for much longer, and asked about by many more people.
Also, keep in mind that adding a feature requires developers from certain specific teams working with the affected components, not just from "a" team. While the team required for this functionality has been particularly busy in the last few releases with long-standing feature requests of much higher priority. Anyway, to be fair to them, they did manage to deliver the code just in time to include it into V11... but the issue then was our eternal lack of QC resources (especially this late in the release cycle).
-
- Veteran
- Posts: 377
- Liked: 86 times
- Joined: Mar 17, 2015 9:50 pm
- Full Name: Aemilianus Kehler
- Contact:
Re: Feature request - Managed Service Accounts. MSA and GMSA
100% understand and agree, thanks for the insight.
-
- Novice
- Posts: 4
- Liked: never
- Joined: Feb 19, 2020 9:23 am
- Full Name: Thomas Kuster
- Contact:
Re: Feature request - Managed Service Accounts. MSA and GMSA
+1 for gMSA support
In a large company we have to change the password of a service account in very short periods. gMSA would help us a lot to decrease the management time for Veeam B&R.
-
- Novice
- Posts: 7
- Liked: never
- Joined: Feb 02, 2018 8:32 am
- Full Name: Niek Wegh
- Contact:
Re: Feature request - Managed Service Accounts. MSA and GMSA
+1 for gMSA support
We are using gMSA already within our Windows environments and the Veeam SA accounts will be the next ones to go gMSA.
Please hurry up with this support feature!