V13.0.1 Windows can't login to consoles

[DaStivi]

Hello,
I just upgraded a VBR 12 environment to version 13.0.1 and now I’m unable to log in to any console (including the new web console).
I’m seeing multiple errors:

Failed to sign in: unknown error.
When using “Sign in as current user”, it fails with:
Unexpected status code from SPNEGO request: 500

Additionally, in the Svc.Identity.log, I’m seeing several “Access denied” entries.

Code: Select all

[20.11.2025 11:58:05.262]    <37>   Error (1)    Veeam.Backup.Identity.Server.InteractiveLoginService [TraceId: '800000c4-0001-f600-b63f-84710c7967bb'] Unexpected error occured
[20.11.2025 11:58:05.262]    <37>   Error (1)    System.ComponentModel.Win32Exception (5): Zugriff verweigert
[20.11.2025 11:58:05.262]    <37>   Error (1)       at Veeam.SystemApi.Users.AuthZ.UserContextHandle.Initialize(SecurityIdentifierHandle sidHandle, ResourceManagerHandle resourceManagerHandle)
[20.11.2025 11:58:05.262]    <37>   Error (1)       at Veeam.SystemApi.Users.AuthZ.AuthZFacade.GetUserSecurityGroupSids(SecurityIdentifier userSid)
[20.11.2025 11:58:05.262]    <37>   Error (1)       at Veeam.Backup.IdentityService.Shared.CDomainUserAccount.GetGroupSecurityIdentifiersByPlatform()
[20.11.2025 11:58:05.262]    <37>   Error (1)       at Veeam.Backup.IdentityService.Shared.CDomainUserAccount.GetCurrentSecurityGroups()
[20.11.2025 11:58:05.262]    <37>   Error (1)       at Veeam.Backup.IdentityService.Shared.SSystemAccountExtensions.GetUserGroupIds(ISystemAccount account)
[20.11.2025 11:58:05.262]    <37>   Error (1)       at Veeam.Backup.IdentityService.Shared.SSystemAccountExtensions.ToOsIdentity(ISystemAccount account)
[20.11.2025 11:58:05.262]    <37>   Error (1)       at Veeam.Backup.IdentityService.Shared.CWindowsCredentialsAuthenticator.Authenticate(String username, String password)
[20.11.2025 11:58:05.262]    <37>   Error (1)       at Veeam.Backup.IdentityService.Shared.CWindowsCredentialsAuthenticator.AuthenticateAsync(String username, String password)
[20.11.2025 11:58:05.262]    <37>   Error (1)       at Veeam.Backup.Identity.Server.InteractiveLoginService.LoginWithCredentialsAsync(InteractiveLoginContext loginContext, InteractiveLoginParameters loginParameters, String username, String password)
[20.11.2025 11:58:05.263]    <37>   Error (1)    Veeam.Backup.IdentityService.Pages.Login [TraceId: '800000c4-0001-f600-b63f-84710c7967bb'] Failed to perform login operation: Failed to sign in: unknown error.

in the svc.veeambackup.log i see some error with localsystem error:

Code: Select all

[20.11.2025 12:01:21.429]   <105> Warning (2)    Could not resolve user 'NT-AUTORITÄT\SYSTEM' system identifier
[20.11.2025 12:01:21.429]   <105> Warning (2)    Failed to resolve identifier for user name NT-AUTORITÄT\SYSTEM (System.ArgumentException)
[20.11.2025 12:01:21.429]   <105> Warning (2)       at Veeam.Backup.Common.SSystemIdentifierFactory.Resolve(CUserName userName, IdentifierResolveTargetType targetType)
[20.11.2025 12:01:21.429]   <105> Warning (2)       at Veeam.Backup.Common.SSystemIdentifierFactory.ResolveOrNull(CUserName userName, IdentifierResolveTargetType targetType)

I changed the Veeam services from running under LocalSystem to a dedicated service account, but this did not resolve the issue.

In the Windows Security Event Log, I also see authentication errors that seem related to Kerberos.

For context, the Microsoft Server Security Baseline is applied on this system.

I attempted a full uninstall of VBR and a clean reinstall (with the intention to restore the configuration database), but even after a fresh installation, I still couldn’t log in with my personal account.

Interestingly, when I tried using the Domain Admin (SID500) account, I was able to sign in successfully.
I compared my personal admin account with the domain admin account and found no differences in AD settings or attributes—no special groups, restrictions, or membership in the Protected Users group.

However, using the domain admin (SID500) on the existing installation also fails because only a small set of accounts with MFA enabled are authorized for VBR management.

Case #07893487

[Dima P.]

Hello Stephan,

Thank you for the details and support case ID. Investigating, stay tuned!

[DaStivi]

When I set the SID500 domain admin account as the Service Logon User, I was able to log in to the consoles again with my personal account.

However, after adding the SID500 admin (and set it as Service account to bypass MFA) and then reverting the Logon Account back to LocalSystem followed by restarting the services, I can no longer log in with my personal account.

but now i can login with the sid500 Domain Admin....

interestingly the Jobs were running successfully !

[mikame]

I did in "homelab" an upgrade from latest 12 to 13, windows, community edition, local admin as regular user, had MFA on, didn't create any user in vbr before. I also had MS Server Security baseline in this one. After upgrading can't login to console, tried "sign in as current user" it will open a window dialog to asking credentials (URL is https://localhost). I tried the same on Edge browser, same end result, so now I can't login at all. I accepted and installed the offered cert to local computer "trusted root certs" but no affect. Since this is a home system I can wait a week or two if something comes up as a fix.

[mikame]

svc.identity.log

Code: Select all

[21.11.2025 13:31:07.042]    <34> Warning (2)    Veeam.Backup.IdentityService.CVbrResourceAuthorizer [TraceId: '80000012-0003-f600-b63f-84710c7967bb'] No valid roles found for the identity 'NT AUTHORITY\SYSTEM'. Identity is unauthorized
[21.11.2025 13:31:07.042]    <34> Warning (2)    Veeam.Backup.Identity.Server.AuthorizationProvider [TraceId: '80000012-0003-f600-b63f-84710c7967bb'] Identity hasn't been authorized by resource authorizer
[21.11.2025 13:31:07.042]    <34>   Error (1)    Veeam.Backup.Identity.Server.TokenEndpoint [TraceId: '80000012-0003-f600-b63f-84710c7967bb'] Client is not authorized for the resource
[21.11.2025 13:31:07.042]    <34>    Info (3)    Microsoft.AspNetCore.Http.Result.JsonResult [TraceId: '80000012-0003-f600-b63f-84710c7967bb'] Setting HTTP status code 401.
[21.11.2025 13:31:07.042]    <34>    Info (3)    Microsoft.AspNetCore.Http.Result.JsonResult [TraceId: '80000012-0003-f600-b63f-84710c7967bb'] Writing value of type 'ErrorTokenResponse' as Json.
[21.11.2025 13:31:07.043]    <34>    Info (3)    Microsoft.AspNetCore.Hosting.Diagnostics Request finished HTTP/1.1 POST http://localhost:9299/oauth/token - 401 - application/json;+charset=utf-8 21.5199ms
[21.11.2025 13:31:07.052]    <51>    Info (3)    Microsoft.AspNetCore.Hosting.Diagnostics Request starting HTTP/1.1 POST http://localhost:9299/oauth/gss - - 0

Anyways, no need to investigate, I will follow if others will have the same. If not, i will just do fresh install.

[DaStivi]

If you’re unable to log in to the VBR console, try the following steps:

Sign in using "The Domain Administrator" (SID500)
Logging in with the built-in Domain Admin account should work.

If you changed the default login settings and “local administrators” arent allowed anymore for login, you first need to change the service account (the one running VBR services, get-service Veeam* | set-service -credentials (get-credential)) to the Domain Admin account. (run this in powershell 7, else you won't have the credentials parameter in the set-services)

you also need to edit the pg_ident.conf file, to allow the new service account, "administrator@domain.local" for DB access

After that, you should be able to log in with your personal admin account as well.

After successful login, You can either keep this configuration, or add the SID500 account (possibly "disable" MFA, mark it as serviceaccount in the vbr account mgmt), then switch the service account back to LocalSystem. After that, you can log in to the console using the Domain Admin account.

Additional Notes & Observations

What language is your VBR server set to?
I ran some additional tests:

Microsoft Defender: Disabling real-time protection and ASR rules did not resolve the issue.
Security Baseline:

On a freshly installed, non-domain-joined VBR server with a locally applied security baseline, the issue did not occur.
However, as soon as the VBR server is joined to the domain, the problem returns—even on a completely fresh installation.

[mikame]

all in english language, this VM was in domain, but I took it out some years ago, can't login with domain accounts anymore. This server have something off/wrong after I implemented the MS security baseline and took it off domain, this I do remember. This might be the real problem here.
I changed all Veeam services to local admin account just to try out, but the end result stays the same. pg_ident.conf had the right user there already. I will install new VM and and try to restore the database (well if possible since the backup was using SQL which came with Veeam installation).