Veeam B&R Remote Console w/ Smart Card (not working)

[Mgamerz]

I am part of the US federal government and today a new policy in our bureau was activated that forces all administrative accounts that logon interactively to use smart card authentication (so any logon with that account). It used to be all interactive windows logons had to be done through smart card. I honestly cannot tell you the specifics as I am not sure of them, but there were ways for us to not always have to use our smart card for using our network admin accounts, which was closed today. Previously I could put in my username and password for my network admin account and it would work - only main logon and elevation seemed to require it.

Since this loophole has now been closed, the remote console for veeam has stopped working. It cannot connect to the server with my network admin account. Here's what happens:

1. I run Veeam B&R console on my local workstation. It asks for elevation with UAC, and I give it my PIN and network admin account username hint with my card. It accepts this as an administrative account and elevates the veeam logon shell.
2. Veeam connection window pops up. I check the Use windows session authentication box and click connect. It spins for a few seconds before giving me Failed to connect to Veeam Backup & Replication server: The logon attempt failed. This is what I have seen since I've always started using Veeam. So what I would do is uncheck this box...
3. Put in my network admin account and password into the fields and press connect. This previously worked, but since there is now smart card enforcement to use this account at all, I cannot use it anymore. It throws a new error message: Failed to connect to Veeam Backup & Replication server: Smartcard logon is required and was not used

So effectively I cannot use my network admin account (that I use to do most of my administrative work) to use veeam anymore. I knew it would break it, but until it happened I didn't put in any info on it here. It would be nice if there was some way this could be fixed in a future update. I can probably use the local admin account on the server (as these are not requiring a smart card) but our agency is really cracking down on things like this and I think a proper fix would be useful. I know many other people (including the people who recommended me veeam) can no longer use the remote console in our bureau, and since we are one of the last ones to do it, I assume it also includes our agency.

I would include images but imgur's uploader javascript is currently busted. I was sent a link to an existing topic for smartcards (https://forums.veeam.com/veeam-backup-r ... 45273.html) however this is running the backup job with a smartcard where I just want to use the remote console. Veeam works fine if I run it directly on the server through RDP (logging on as my admin).

I called into veeam earlier, case # is 03066397.

[Gostev]

Hello, I talked to the R&D leaders - understanding that remote troubleshooting over the webex is probably not an option due to your organization being a part of the US federal government, they want to get some information on what Smart Card system you have deployed in order to acquire one for our own test lab. They will work with our federal support folks to get the required information from you. Thanks!

[Mgamerz]

Cool, thanks Gostev. I got email on the ticket saying it was escalated. I will send in the docs.

Since I am a civilian agency we are fine to have remote control sessions as long as an IT staff member is present. In fact I used webex with veeam on the initial call to show what the issue was.

Thanks,
Mgamerz

[ewheat]

I too am having this problem as we are forced to use our smart card with administrator privileges.

[Mgamerz]

Just to update those watching the thread, this is currently being investigated by veeam on my ticket. I'll post updates as I learn more.

[Mgamerz]

Not sure why but this magically started working for me this morning. I was on a call with another user in my bureau, who was having the same issues due to the new smart card enforcement... and when they tried to show me how to do a workaround, it just worked instead. I rebooted my system and it's working again even with our smart cards. Checking the settings in ADAC it still shows smart card logon is enforced. Our AD team doesn't know of any changes in the past day or two, so I assume our agency we are part of is fooling around with something and not telling us.

I don't know if this is a permanent fix or just a temporary one though.

[Gostev]

Interesting... guess I should change T to W in "not" of the topic name?

[Mgamerz]

Wish I knew what happened. Everyone I have talked to said the higher ups haven't made any changes... I know for a fact my card hasn't worked for veeam logon since I started because I originally tried to use it. Then I just started using username/password and it was fine.

I'll reply to this if it breaks again. Thanks Gostev!

[Gostev]

For what it's worth, we have deployed and tested virtual smart cards and found no issues with the console.