Pre-freeze and Post-thaw script credentials trouble

Discussions specific to VMware vSphere hypervisor

by Spex » Wed Jun 21, 2017 11:30 am

We use B&R 9.5 and do app-aware processing and indexing for all of our VMs. Credentials are set by tags and work so far.
Now we have to do some processing within some of our VMs since there is no VSS support for the application. So I wrote a PowerShell script that does service control during backup (set manual/stop/set automatic/start, or even restart on some servers). The script works if used locally but gives "access denied" if I start it within a backup job that has enough credentials for application processing. I found that the script was not running in the context of the application-aware user, but in the context of the server itself (the reported username was servername$, not SYSTEM).
Why does Veeam not use the credentials of the app-aware user defined? If there are no privileges within the pre/post session, it's rather useless.

I like to avoid maintenance intensive solutions like
- preparing each VM to be ready for our script (defining a scheduled task or changing rights on the service)
- doing savecred (it only works under the account/machine it was created on, so it has to be done on every VM for the account server$)

or security problematic solutions
- putting credentials within the backup script in cleartext

Also I do not see any documentation about this problem!

Is there any help?
Spex
Enthusiast
 
Posts: 28
Liked: 1 time
Joined: Wed May 09, 2012 12:52 pm
Full Name: Stefan Holzwarth

Re: Pre-freeze and Post-thaw script credentials trouble

by DGrinev » Wed Jun 21, 2017 5:13 pm

Hi Stefan,

Spex wrote: I found that the script was not running in the context of the application-aware user, but in the context of the server itself (the reported username was servername$, not SYSTEM).

I will discuss this with the QA team tomorrow morning, why it was designed this way or maybe this is not expected behavior.

Can you try this approach: pre-freeze/post-thaw scripts triggered by VMware Tools?
You can enable it under Storage -> Advanced settings -> vSphere. Thanks!
DGrinev
Veeam Software
 
Posts: 673
Liked: 73 times
Joined: Thu Dec 01, 2016 3:49 pm
Full Name: Dmitry Grinev

Re: Pre-freeze and Post-thaw script credentials trouble

by Spex » Thu Jun 22, 2017 7:58 am

Thanks for the links regarding the VMware Tools integration of pre/post jobs.
This approach has 2 other problems:
- VMware Tools quiescence can't be configured by tags (the workaround is to use a source tag like backup_20:00_with_quiescence and backup_20:00_without_quiescence). This doubles the number of jobs.
- We already tried to use VMware Tools quiescence all the time together with app-aware processing (we prefer app-aware), but this sometimes led to NTFS errors (50, 53) with lazy-write problems. We do not see these errors using app-aware processing only.

Re: Pre-freeze and Post-thaw script credentials trouble

by DGrinev » Fri Jun 23, 2017 12:31 pm

Hi Stefan,

I have discussed the issue with the QA team and they have paused for investigation.
Could you please contact our support team and share the case ID number here, so we will be able to track the issue. Thanks!

Re: Pre-freeze and Post-thaw script credentials trouble

by Spex » Fri Jun 23, 2017 1:05 pm

Case ID is #02198720.
Further testing showed no difference between using cmd or PowerShell, but disabling UAC did solve the problem.
But disabling UAC is not an option in our production environment...

Re: Pre-freeze and Post-thaw script credentials trouble

by Vitaliy S. » Mon Jun 26, 2017 2:40 pm

Spex wrote: Further testing showed no difference between using cmd or PowerShell, but disabling UAC did solve the problem.

UAC shouldn't have any effect on the behavior you described below. It doesn't matter if it is turned on or off, since the question was which credentials are used when executing scripts, right?

Spex wrote: I found that the script was not running in the context of the application-aware user, but in the context of the server itself (the reported username was servername$, not SYSTEM).
Vitaliy S.
Veeam Software
 
Posts: 20098
Liked: 1158 times
Joined: Mon Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov

Re: Pre-freeze and Post-thaw script credentials trouble

by Spex » Tue Jun 27, 2017 11:23 am

UAC has an effect - even on SYSTEM. We put some diagnostic code in our PowerShell script and get different results depending on whether UAC is on or off:

PowerShell:
# Identity the script actually runs under, and whether its token carries the Administrators role
$wid = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$prp = New-Object System.Security.Principal.WindowsPrincipal($wid)
$adm = [System.Security.Principal.WindowsBuiltInRole]::Administrator
# Parenthesise the concatenation; otherwise Write-Host prints "+" as a literal argument
Write-Host ("Admin?: " + $prp.IsInRole($adm))

Result:
UAC on: $false
UAC off + reboot: $true
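As an added diagnostic (not the thread's script, and not Veeam's code), the following extends the IsInRole check above so the log explains *why* the answer is $false: with UAC enabled, a member of Administrators other than the built-in Administrator account gets a filtered token in which the BUILTIN\Administrators SID (S-1-5-32-544) is still present but flagged "Group used for deny only", and the process runs at Medium rather than High integrity. Both show up in `whoami /groups`. The log path is an assumption; because the thread reports that even %temp% may not be writable from the pre-freeze context, a failed write falls back to console output instead of aborting.

```powershell
# Added diagnostic: record which identity and which kind of token a pre-freeze script runs with.
# Usage (assumed): powershell.exe -NoProfile -ExecutionPolicy Bypass -File prefreeze-diag.ps1
param([string]$LogPath = "$env:SystemRoot\Temp\prefreeze-diag.log")   # assumed log location

$wid = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$prp = New-Object System.Security.Principal.WindowsPrincipal($wid)
$adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator
$adminSid  = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators

# whoami prints every SID in the token with its attributes as CSV ("Group Name","Type","SID","Attributes").
# A UAC-filtered token still lists BUILTIN\Administrators, but with "Group used for deny only".
$groups     = whoami /groups /fo csv | ConvertFrom-Csv
$adminGroup = $groups | Where-Object { $_.SID -eq $adminSid }
$integrity  = ($groups | Where-Object { $_.Type -eq 'Label' }).'Group Name'

if ($adminGroup) { $adminAttrs = $adminGroup.Attributes } else { $adminAttrs = '<not in token>' }
$uacFiltered = [bool]($adminGroup -and $adminGroup.Attributes -match 'deny only')

$report = [ordered]@{
    Timestamp       = (Get-Date).ToString('o')
    UserName        = $wid.Name            # e.g. DOMAIN\user, or the computer account as seen in the thread
    IsSystem        = $wid.IsSystem
    IsInRoleAdmin   = $prp.IsInRole($adminRole)
    AdminGroupAttrs = $adminAttrs
    IntegrityLevel  = $integrity           # "...High Mandatory Level" = full token, "...Medium..." = filtered
    UacFiltered     = $uacFiltered
}
$lines = $report.GetEnumerator() | ForEach-Object { '{0,-16}= {1}' -f $_.Key, $_.Value }

# The freeze context may be unable to write to the chosen path; keep going and report on stdout.
try {
    $lines | Out-File -FilePath $LogPath -Append -Encoding utf8 -ErrorAction Stop
}
catch {
    Write-Warning ("Could not write {0}: {1}" -f $LogPath, $_.Exception.Message)
}
$lines | Write-Output
```

Reading the log: IsInRoleAdmin = False together with AdminGroupAttrs containing "deny only" and a Medium integrity label is the UAC-filtered case the thread describes; IsInRoleAdmin = True with a High integrity label is what the UAC-off run (or the built-in Administrator account, which is exempt from filtering by default) produces. If AdminGroupAttrs is "<not in token>", the account simply is not an administrator and UAC is not the cause.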

Re: Pre-freeze and Post-thaw script credentials trouble

by Vitaliy S. » Tue Jun 27, 2017 12:07 pm

UAC definitely has an impact, I was just referring to the fact that account selection does not depend on UAC.

Re: Pre-freeze and Post-thaw script credentials trouble

by Spex » Tue Jul 25, 2017 7:29 am

From Veeam support:
Having checked the logs and similar cases, unfortunately I have to confirm that this is behavior by design.
You must use the Administrator account or disable UAC to run scripts in VIX mode.
Deploying the guest components and running the scripts are performed by different parts of the code, so it wouldn't be possible to use the same approach with the scripts.

Conclusion:
- Currently you cannot use the same credentials for app-aware and pre-freeze/post-thaw processing, with the exception of "Administrator".
- That means you can't even stop and start a Windows service or write to %temp% from a pre-freeze/post-thaw script (without some dirty tricks).

Request:
- We put a lot of effort into having credentials in each guest for app-aware processing. So please use the same logic for pre-freeze/post-thaw scripts. That will enable us to handle applications that are not app-aware (e.g. Lotus Domino, self-written software, ...) without reducing security (UAC off is no option) or doing a lot of individual scripting (PowerShell credential objects or altering the security of services).
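As an added example (not the thread's script and not Veeam's code), here is the service-control pre-freeze/post-thaw pair the thread is about, written to fail fast: it checks for a full administrator token before touching anything, so a filtered token produces a clear "no elevated token" message and a non-zero exit code instead of a bare "access denied" halfway through, and the thaw phase restores exactly the startup types it recorded at freeze time. Assumptions: the service names are placeholders, the state file location is invented, the script is invoked once per phase with `-Phase freeze` or `-Phase thaw` (the thread does not say how arguments reach the script), and a non-zero exit code is what makes the caller report the failure.

```powershell
# Added example: freeze/thaw a set of services from one script, only when the token allows it.
# Usage (assumed): svc-freeze.ps1 -Phase freeze   /   svc-freeze.ps1 -Phase thaw
param(
    [Parameter(Mandatory=$true)][ValidateSet('freeze','thaw')][string]$Phase,
    [string[]]$Services  = @('ExampleAppSvc'),                   # placeholder service names
    [string]$StatePath   = "$env:ProgramData\svc-freeze.state"   # assumed state file location
)

function Test-FullAdminToken {
    # False under a UAC-filtered token, which is exactly the case the thread runs into.
    $wid = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $prp = New-Object System.Security.Principal.WindowsPrincipal($wid)
    return $prp.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

if (-not (Test-FullAdminToken)) {
    $who = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    Write-Error "Running as '$who' without an elevated token; service control would be denied."
    exit 2     # distinct code so the job log shows a privilege problem, not a script bug
}

try {
    switch ($Phase) {
        'freeze' {
            # Remember each service's startup type, switch it to Manual so nothing restarts it
            # during the backup, then stop it. Any failure throws and is reported below.
            $state = foreach ($name in $Services) {
                $svc = Get-CimInstance Win32_Service -Filter "Name='$name'"
                if (-not $svc) { throw "Service '$name' not found" }
                Set-Service  -Name $name -StartupType Manual -ErrorAction Stop
                Stop-Service -Name $name -Force -ErrorAction Stop
                [pscustomobject]@{ Name = $name; StartMode = $svc.StartMode }
            }
            $state | Export-Clixml -Path $StatePath
        }
        'thaw' {
            if (-not (Test-Path $StatePath)) { throw "No freeze state found at $StatePath" }
            foreach ($entry in (Import-Clixml -Path $StatePath)) {
                # Win32_Service reports Auto/Manual/Disabled; Set-Service expects Automatic/Manual/Disabled.
                $startup = if ($entry.StartMode -eq 'Auto') { 'Automatic' } else { $entry.StartMode }
                Set-Service -Name $entry.Name -StartupType $startup -ErrorAction Stop
                if ($startup -eq 'Automatic') { Start-Service -Name $entry.Name -ErrorAction Stop }
            }
            Remove-Item -Path $StatePath -Force
        }
    }
    exit 0
}
catch {
    Write-Error $_
    exit 1
}
```

The exit-code split (2 for "wrong token", 1 for a service operation that failed) is what makes the symptom in this thread diagnosable from the job log alone: a run that ends with code 2 before touching any service tells the operator the script never had the privileges it needed, which is the finding the support case confirmed, rather than pointing at the services themselves.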
