-
- Service Provider
- Posts: 96
- Liked: 27 times
- Joined: Feb 09, 2019 5:06 pm
Unable to add gMSA to managed server
Hello,
Upon trying gMSAs with Kerberos, most of it works OK (Guest Processing); however, we are unable to add Hyper-V Hosts and managed servers processing under gMSA because the selection dialog only wants a standard account.
-
- Product Manager
- Posts: 14951
- Liked: 3148 times
- Joined: Sep 01, 2014 11:46 am
- Full Name: Hannes Kasparick
- Location: Austria
Re: Unable to add gMSA to managed server
Hello,
Yes, because gMSA accounts are only supported for application-aware image processing, not for infrastructure / managed servers.
Best regards,
Hannes
-
- Veteran
- Posts: 470
- Liked: 137 times
- Joined: Jul 16, 2015 1:31 pm
- Full Name: Marc K
Re: Unable to add gMSA to managed server
Is this a limitation of gMSAs themselves, or just more work needs to be done in B&R? It seems like gMSAs should work for administrative inventory tasks.
I almost told the team here that the recent vulnerability is a perfect example of why to move to gMSAs. That would have been embarrassing when I would then have had to go back to them and say "whoops, can't actually do it".
-
- Service Provider
- Posts: 96
- Liked: 27 times
- Joined: Feb 09, 2019 5:06 pm
Re: Unable to add gMSA to managed server
Any plans to include this in the future releases?
-
- Product Manager
- Posts: 14951
- Liked: 3148 times
- Joined: Sep 01, 2014 11:46 am
- Full Name: Hannes Kasparick
- Location: Austria
Re: Unable to add gMSA to managed server
No plans for now. When it comes to managed servers, a mechanism that works for Windows and Linux in the same way would probably be more useful than having gMSA support.
-
- Enthusiast
- Posts: 41
- Liked: 4 times
- Joined: Nov 14, 2019 7:12 pm
- Full Name: Chris Lukowski
Re: Unable to add gMSA to managed server
Correct me if I'm reading this wrong, but wasn't the point of gMSA support to keep any kind of cached Domain Admin credential out of the Veeam database so that an attacker wouldn't be able to extract it? If gMSAs only work for AAP and you still need a Domain Admin account to back up Hyper-V servers, is anything really solved?
-
- Product Manager
- Posts: 14951
- Liked: 3148 times
- Joined: Sep 01, 2014 11:46 am
- Full Name: Hannes Kasparick
- Location: Austria
Re: Unable to add gMSA to managed server
Hello,
The goal was to support application-aware processing.
For managed hosts, it would not really solve much because of the "files" section where a VBR administrator can do everything anyway (assuming four-eyes authorization is turned off).
Best regards,
Hannes
-
- Veteran
- Posts: 470
- Liked: 137 times
- Joined: Jul 16, 2015 1:31 pm
- Full Name: Marc K
Re: Unable to add gMSA to managed server
I thought the goal was to avoid having the whole domain taken over by Domain Admin credentials retrieved out of the Veeam database by a malicious actor. (That's my goal anyway.)
-
- Product Manager
- Posts: 14951
- Liked: 3148 times
- Joined: Sep 01, 2014 11:46 am
- Full Name: Hannes Kasparick
- Location: Austria
Re: Unable to add gMSA to managed server
To achieve that goal, you could use a local admin for "managed servers" instead of a domain admin.
-
- Veteran
- Posts: 470
- Liked: 137 times
- Joined: Jul 16, 2015 1:31 pm
- Full Name: Marc K
Re: Unable to add gMSA to managed server
I guess I mistyped. The goal is to not need to store admin credentials in the Veeam database. Having admin credentials of the hosts compromised would still not be ideal.
-
- Product Manager
- Posts: 14951
- Liked: 3148 times
- Joined: Sep 01, 2014 11:46 am
- Full Name: Hannes Kasparick
- Location: Austria
Re: Unable to add gMSA to managed server
Agree. That's where your goal and the implementation goal of the feature differ. The request to not store credentials of managed servers is valid, of course, and we count your request +1.