sandsturm
Enthusiast
Posts: 93
Liked: 9 times
Joined: Mar 23, 2015 8:30 am
Contact:

Single Sign On for the Enterprise Manager

Post by sandsturm » Feb 08, 2019 3:21 pm

Hi
Is there a way to allow Single Sign On for the Enterprise Manager? Our users do not know their AD password, because we log in with smartcard and PIN to our workstations and all our web applications use some sort of Single Sign On, usually SAML 2.0 or Kerberos. We do not want all operators accessing the Veeam backup console, thus they will have the Enterprise Manager web interface, but currently they are not able to log on, because they don't know their AD password. How can I enable Single Sign On for the Enterprise portal? I tried to make the necessary changes on the IIS, where the Enterprise Manager runs, to allow Kerberos authentication, but was unsuccessful; the login page appears anyway.

thx,
sandsturm

nitramd
Expert
Posts: 149
Liked: 26 times
Joined: Feb 16, 2017 8:05 pm
Contact:

Re: Single Sign On for the Enterprise Manager

Post by nitramd » Feb 08, 2019 3:42 pm

Have you looked at this KB doc? https://www.veeam.com/kb2089

nmdange
Expert
Posts: 399
Liked: 91 times
Joined: Aug 20, 2015 9:30 pm
Contact:

Re: Single Sign On for the Enterprise Manager

Post by nmdange » Feb 08, 2019 4:52 pm

It should just be a matter of the site being in the Intranet Zone in Internet Explorer, and IE should pass your current Windows credentials to IIS.

sandsturm
Enthusiast
Posts: 93
Liked: 9 times
Joined: Mar 23, 2015 8:30 am
Contact:

Re: Single Sign On for the Enterprise Manager

Post by sandsturm » Feb 11, 2019 9:16 am

I don't understand the steps in https://www.veeam.com/kb2089. I don't want a form-based authentication, I want to pass through Windows credentials to the website with Kerberos (NTLM is not allowed in our company). If I set WindowsAuth=false, as described in this KB, an SSO login will not be possible any more, or am I wrong?

The site is in the intranet zone within IE settings, but we usually use the Chrome browser. Is there a similar setting there?

Gostev
SVP, Product Management
Posts: 23654
Liked: 3127 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Single Sign On for the Enterprise Manager

Post by Gostev » Feb 11, 2019 10:02 pm

Hello, SAML 2.0 support for the Enterprise Manager is planned for the next product release. Please stay in touch with your Veeam technical sales rep if you want to participate in beta, to ensure that our implementation will fit your needs. Thanks!

sandsturm
Enthusiast
Posts: 93
Liked: 9 times
Joined: Mar 23, 2015 8:30 am
Contact:

Re: Single Sign On for the Enterprise Manager

Post by sandsturm » Feb 12, 2019 6:11 am

Hi
Thanks for the answer. Besides the upcoming SAML 2.0 support, is there a way to do it via standard Windows SSO (Kerberos)? The Enterprise Manager runs on MS IIS, and the Kerberos implementation in this case would be the easiest, if the application supports it?

thx,
sandsturm

HannesK
Veeam Software
Posts: 2354
Liked: 283 times
Joined: Sep 01, 2014 11:46 am
Location: Austria
Contact:

Re: Single Sign On for the Enterprise Manager

Post by HannesK » Feb 12, 2019 3:00 pm

Hello,
I tried it out at a customer environment that should be similar to yours (only smartcards + pin. no passwords for users).

Officially we only support NTLM today but I hoped it would work to just change the authentication mechanisms in IIS. Which settings did you configure? I only saw several hints that one should take care about the SPN.

Best regards,
Hannes

sandsturm
Enthusiast
Posts: 93
Liked: 9 times
Joined: Mar 23, 2015 8:30 am
Contact:

Re: Single Sign On for the Enterprise Manager

Post by sandsturm » Feb 13, 2019 6:18 am

The IIS settings are as follows in our case:
- disable all authentication types, except Windows authentication for the website (or the webserver)
- set authentication providers to "Negotiate:Kerberos" and remove the other ones
- uncheck the box for "Enable kernel mode authentication" in Authentication/Advanced settings
- enable Windows authentication, if not already done for the website (or the webserver)
- modify SSL settings of the website and check the box "Require SSL"
- remove port 9080 from port bindings of the website
- change port 80 for DefaultWebsite to local access only
- run the IIS application pool with an Active Directory service account
- create an SPN for the above service account for the URL you want to use to access the Enterprise Manager: setspn -s HTTP/EM_URL_FQDN domain\serviceaccount
- set useAppPoolCredentials = True in the configuration editor of the Veeam website in path: system.webServer/security/authentication/windowsAuthentication

With these settings, a Kerberos authentication is possible if the application supports it :-)
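
Added example, not part of sandsturm's post or of Veeam's documentation: a read-only PowerShell audit that compares an IIS site with the authentication, binding and app-pool items from the list above. It assumes the WebAdministration module is installed and that the site is named VeeamBackup (the name mentioned later in this thread); the expected values are the ones from the list, not vendor guidance.

```powershell
# Added example: read-only audit of an IIS site against the settings listed above.
# Assumptions: WebAdministration module is available; the site is called 'VeeamBackup'.
Import-Module WebAdministration

$Site = 'VeeamBackup'
$Path = "IIS:\Sites\$Site"
$Auth = 'system.webServer/security/authentication'

function Get-Attr([string]$Section, [string]$Name) {
    # The cmdlet returns either a raw value or an object exposing .Value; handle both.
    $p = Get-WebConfigurationProperty -PSPath $Path -Filter "$Auth/$Section" -Name $Name
    if ($null -ne $p -and $p.PSObject.Properties['Value']) { $p.Value } else { $p }
}

function Test-Setting($Setting, $Expected, $Actual) {
    # One report row; values are compared as strings so booleans and text both work.
    [pscustomobject]@{
        Setting  = $Setting
        Expected = $Expected
        Actual   = $Actual
        Match    = ("$Expected" -eq "$Actual")
    }
}

# Providers offered for Windows authentication, in order (for example Negotiate, NTLM).
$providers = @((Get-WebConfigurationProperty -PSPath $Path `
    -Filter "$Auth/windowsAuthentication/providers" -Name '.').Collection |
    ForEach-Object { $_.value })

# Application pool serving the site, and the ports the site is bound to.
$pool  = Get-Item ("IIS:\AppPools\" + (Get-Item $Path).applicationPool)
$ports = @(Get-WebBinding -Name $Site |
    ForEach-Object { $_.bindingInformation -replace '^.*:(\d+):[^:]*$', '$1' })

$report = @(
    Test-Setting 'anonymousAuthentication enabled' $false (Get-Attr 'anonymousAuthentication' 'enabled')
    Test-Setting 'basicAuthentication enabled'     $false (Get-Attr 'basicAuthentication' 'enabled')
    Test-Setting 'windowsAuthentication enabled'   $true  (Get-Attr 'windowsAuthentication' 'enabled')
    Test-Setting 'useKernelMode'                   $false (Get-Attr 'windowsAuthentication' 'useKernelMode')
    Test-Setting 'useAppPoolCredentials'           $true  (Get-Attr 'windowsAuthentication' 'useAppPoolCredentials')
    Test-Setting 'providers' 'Negotiate:Kerberos' ($providers -join ',')
    Test-Setting 'app pool identityType' 'SpecificUser' $pool.processModel.identityType
    Test-Setting 'port 9080 bound' $false ($ports -contains '9080')
)
$report | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the IIS host; it changes nothing, and any row with Match = False is a deviation from the list to review.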

HannesK
Veeam Software
Posts: 2354
Liked: 283 times
Joined: Sep 01, 2014 11:46 am
Location: Austria
Contact:

Re: Single Sign On for the Enterprise Manager

Post by HannesK » Feb 13, 2019 7:19 am

Hello,
I got a YubiKey from the customer for testing and it worked in my lab "in most cases", but not 100%.

- Anonymous Authentication: Enabled (no idea why, but it was required)
- ASP.net impersonation: disabled
- Forms Authentication: disabled
- Windows Authentication: enabled (worked with following options: "Negotiate:Kerberos" only, "Negotiate + NTLM", "Negotiate" only)
- no additional SPN settings, IIS runs with default settings

The problem I faced was that it does not work 100%. Sometimes after reboot it just fails. Then I restarted the "VeeamBackup" website and it worked again. I tested Windows 10 with IE (latest patch level) where I always cleared the browser cache. The FQDN was a "trusted site".

Not sure whether that helps.

Best regards,
Hannes

sandsturm
Enthusiast
Posts: 93
Liked: 9 times
Joined: Mar 23, 2015 8:30 am
Contact:

Re: Single Sign On for the Enterprise Manager

Post by sandsturm » Feb 13, 2019 7:42 am

Hi Hannes

thanks for the reply.
as long as you have anonymous authentication enabled, you have no authentication in fact, so this will work of course but users are then not authenticated....

thx
sandsturm

HannesK
Veeam Software
Posts: 2354
Liked: 283 times
Joined: Sep 01, 2014 11:46 am
Location: Austria
Contact:

Re: Single Sign On for the Enterprise Manager

Post by HannesK » Feb 13, 2019 7:45 am

I thought the same, but I must have been authenticated somehow as I could only see the VMs I have permissions to. With "no authentication" (from a PC that is not in the domain) I just get the login screen username / password.

But maybe I'm totally wrong :-)

sandsturm
Enthusiast
Posts: 93
Liked: 9 times
Joined: Mar 23, 2015 8:30 am
Contact:

Re: Single Sign On for the Enterprise Manager

Post by sandsturm » Feb 13, 2019 8:03 am

Yes, you see only your VM's because of the authorization from Veeam itself... but the authentication is not solved, or am I wrong?
Maybe someone can bring some light into this darkness :-)

HannesK
Veeam Software
Posts: 2354
Liked: 283 times
Joined: Sep 01, 2014 11:46 am
Location: Austria
Contact:

Re: Single Sign On for the Enterprise Manager

Post by HannesK » Feb 13, 2019 8:33 am

sandsturm wrote: "Yes, you see only your VM's because of the authorization from Veeam itself."

If it was stable I would say "the result is important no matter who does the job" :-)

sandsturm wrote: "but the authentication is not solved, or am I wrong?"

As mentioned earlier, SAML support is planned for the next version - in the meantime I see no way for Kerberos SSO.

sandsturm
Enthusiast
Posts: 93
Liked: 9 times
Joined: Mar 23, 2015 8:30 am
Contact:

Re: Single Sign On for the Enterprise Manager

Post by sandsturm » Feb 18, 2019 9:36 am

okay, thank you for your answer
