SnakeSK
Service Provider
Posts: 96
Liked: 27 times
Joined: Feb 09, 2019 5:06 pm

Unable to add gMSA to managed server

Post by SnakeSK »

Hello,

Upon trying gMSAs with Kerberos, most of it works OK (Guest Processing); however, we are unable to add Hyper-V hosts and managed servers processing under gMSA because the selection dialog only wants a standard account.
HannesK
Product Manager
Posts: 14951
Liked: 3148 times
Joined: Sep 01, 2014 11:46 am
Full Name: Hannes Kasparick
Location: Austria

Re: Unable to add gMSA to managed server

Post by HannesK »

Hello,
yes, because gMSA accounts are only supported for application aware image processing. Not for infrastructure / managed servers.

Best regards,
Hannes
mkaec
Veteran
Posts: 470
Liked: 137 times
Joined: Jul 16, 2015 1:31 pm
Full Name: Marc K

Re: Unable to add gMSA to managed server

Post by mkaec »

Is this a limitation of gMSAs themselves, or just more work needs to be done in B&R? It seems like gMSAs should work for administrative inventory tasks.

I almost told the team here that the recent vulnerability is a perfect example of why to move to gMSAs. That would have been embarrassing when I would then have had to go back to them and say "whoops, can't actually do it".

Re: Unable to add gMSA to managed server

Post by SnakeSK »

Any plans to include this in the future releases?

Re: Unable to add gMSA to managed server

Post by HannesK »

No plans for now. When it comes to managed servers, a mechanism that works for Windows and Linux in the same way would probably be more useful than having gMSA support.
StoopidMonkey
Enthusiast
Posts: 41
Liked: 4 times
Joined: Nov 14, 2019 7:12 pm
Full Name: Chris Lukowski

Re: Unable to add gMSA to managed server

Post by StoopidMonkey »

Correct me if I'm reading this wrong, but wasn't the point of gMSA support to keep any kind of cached Domain Admin credential out of the Veeam database so that an attacker wouldn't be able to extract it? If gMSAs only work for AAP and you still need a Domain Admin account to back up Hyper-V servers, is anything really solved?

Re: Unable to add gMSA to managed server

Post by HannesK »

Hello,
the goal was to support application aware processing.

For managed hosts, it would not really solve much because of the "files" section where a VBR administrator can do everything anyway (assuming four-eyes authorization is turned off).

Best regards,
Hannes

Re: Unable to add gMSA to managed server

Post by mkaec »

I thought the goal was to avoid having the whole domain taken over by Domain Admin credentials retrieved out of the Veeam database by a malicious actor. (That's my goal anyway.)

Re: Unable to add gMSA to managed server

Post by HannesK »

To achieve that goal, you could use a local admin for "managed servers" instead of a domain admin.

Re: Unable to add gMSA to managed server

Post by mkaec »

I guess I mistyped. The goal is to not need to store admin credentials in the Veeam database. Having admin credentials of the hosts compromised would still not be ideal.

Re: Unable to add gMSA to managed server

Post by HannesK »

Agree. That's where your goal and the implementation goal of the feature differ. The request to not store credentials of managed servers is valid of course and we count your request +1 👍