TWuser
Enthusiast
Posts: 43
Liked: 9 times
Joined: Sep 07, 2021 5:37 pm
Full Name: TW

Protected Users group for v12.3 and v13

Post by TWuser »

Our security department is pushing hard to get admin accounts into the "Protected Users" group. Veeam v12 brought Kerberos, but still has some NTLM buried in it unfortunately. Axing NTLM I thought should be on the roadmap for any application trying to be secure.

Current v12.3 documentation still states
Accounts that are members of the Protected Users Active Directory group cannot be used to access the backup server remotely over the Veeam Backup & Replication console.
Is this on the roadmap to be fixed in v13 at least? I dug in forums, etc. and haven't seen it mentioned much recently.

I did a test with my ~10ish VBR servers, and right now the console does seem to work for 9 of them, though my largest VBR server fails to log in via the console on a remote server.

I did at least see GMSA support for Veeam Explorer restores might be coming, but I would think NTLM is a higher security risk.
Gostev
Chief Product Officer
Posts: 32221
Liked: 7586 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland

Re: Protected Users group for v12.3 and v13

Post by Gostev »

I'm not aware of this specific limitation, however as far as I remember, at least VBR on Linux V13 will not support NTLM technically (i.e. no corresponding module included). And since we have shared code base between Windows and Linux, it means either version will provide full functionality without "buried NTLM". I don't know if it helps!
TWuser
Enthusiast
Posts: 43
Liked: 9 times
Joined: Sep 07, 2021 5:37 pm
Full Name: TW

Re: Protected Users group for v12.3 and v13

Post by TWuser » 1 person likes this post

Thanks, that's helpful to know it's heading that way.

I'm thinking the 12.3 documentation I quoted in my initial post is outdated.
https://helpcenter.veeam.com/docs/backu ... ml?ver=120

The only VBR server I had issues with has a split SQL database, and is using a Domain user to run the Veeam services.
Buried in the Kerberos section of documentation, I found SPNs are required, and that:
For services running under the LocalSystem account, SPNs are mapped to the Active Directory computer objects. For services running under a dedicated Active Directory service account, SPNs are mapped to the Active Directory user objects.
https://helpcenter.veeam.com/docs/backu ... ml?ver=120

So after I added SPNs for the User in AD, I now can use the Console remotely while my account is in the Protected Users group.
Set-ADUser -Identity "myServiceAccountUser" -ServicePrincipalNames @{Add="VeeamBackupSvc/servername.domain.com"}
Set-ADUser -Identity "myServiceAccountUser" -ServicePrincipalNames @{Add="VeeamBackupSvc/servername"}
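Why the two Set-ADUser lines above fix the problem: membership in Protected Users blocks NTLM for that account, so the remote console has to obtain a Kerberos service ticket, and the KDC can only issue one if the SPN is registered on the principal that actually runs the service (the domain service account here, not the computer object). The script below is an added example, not code from the thread or from Veeam; it assumes the RSAT ActiveDirectory module, keeps the post's "VeeamBackupSvc" service class, and uses the same placeholder account and host names. It checks that both SPN forms exist on the service account, refuses to add one that is already registered elsewhere in the forest (a duplicate SPN makes Kerberos fail and the client fall back to NTLM, which Protected Users then rejects), and afterwards summarises successful logons on the VBR server by authentication package so you can confirm that NTLM has actually disappeared.

```powershell
# Added example, not from the forum thread or Veeam documentation.
# Assumptions: RSAT ActiveDirectory module installed; SPN service class
# "VeeamBackupSvc" as used in the post; account and host names are placeholders.

Import-Module ActiveDirectory

function Get-VbrRequiredSpn {
    param([Parameter(Mandatory)][string]$ServerFqdn)
    # Clients may request either the FQDN or the short host name form.
    $short = $ServerFqdn.Split('.')[0]
    return @("VeeamBackupSvc/$ServerFqdn", "VeeamBackupSvc/$short")
}

function Test-VbrSpn {
    param(
        [Parameter(Mandatory)][string]$ServiceAccount,
        [Parameter(Mandatory)][string]$ServerFqdn
    )
    $account = Get-ADUser -Identity $ServiceAccount -Properties ServicePrincipalName
    foreach ($spn in Get-VbrRequiredSpn -ServerFqdn $ServerFqdn) {
        # Any other object holding the same SPN breaks Kerberos ticket issuance,
        # and the client silently falls back to NTLM.
        $owners = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties ServicePrincipalName
        [pscustomobject]@{
            Spn        = $spn
            OnAccount  = ($account.ServicePrincipalName -contains $spn)
            Duplicates = @(($owners |
                Where-Object DistinguishedName -ne $account.DistinguishedName).DistinguishedName)
        }
    }
}

function Add-VbrSpn {
    param(
        [Parameter(Mandatory)][string]$ServiceAccount,
        [Parameter(Mandatory)][string]$ServerFqdn
    )
    foreach ($entry in Test-VbrSpn -ServiceAccount $ServiceAccount -ServerFqdn $ServerFqdn) {
        if ($entry.Duplicates.Count -gt 0) {
            throw "SPN $($entry.Spn) is already registered on: $($entry.Duplicates -join ', ')"
        }
        if (-not $entry.OnAccount) {
            # Same operation the post used, applied only to SPNs that are missing.
            Set-ADUser -Identity $ServiceAccount -ServicePrincipalNames @{Add = $entry.Spn}
            Write-Host "Added $($entry.Spn) to $ServiceAccount"
        }
    }
}

function Get-LogonAuthPackageSummary {
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Hours = 24)
    # Security event 4624 records the authentication package for each successful logon.
    # After the SPNs are in place, remote console logons should show Kerberos, not NTLM.
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue
    $events | ForEach-Object {
        $xml = [xml]$_.ToXml()
        $data = @{}
        foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
        [pscustomobject]@{
            Account   = $data.TargetUserName
            LogonType = $data.LogonType
            Package   = $data.AuthenticationPackageName
        }
    } | Group-Object Account, Package | Select-Object Count, Name
}

# Usage (placeholders, replace with your own names):
# Test-VbrSpn -ServiceAccount 'myServiceAccountUser' -ServerFqdn 'servername.domain.com'
# Add-VbrSpn  -ServiceAccount 'myServiceAccountUser' -ServerFqdn 'servername.domain.com'
# Get-LogonAuthPackageSummary -ComputerName 'servername.domain.com' | Where-Object Name -like '*NTLM*'
```

Run Test-VbrSpn first on every VBR server: a row with OnAccount false and an empty Duplicates list is the situation the post describes and is safe to fix with Add-VbrSpn; a row with Duplicates populated needs the stale SPN removed from the other object before anything else. The logon summary is the evidence your security team will want: once the console works for a Protected Users member, the service account and the admin accounts should only appear with Package Kerberos in the last day of events.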