-
- Enthusiast
- Posts: 70
- Liked: 8 times
- Joined: May 09, 2012 12:52 pm
- Full Name: Stefan Holzwarth
- Contact:
Pre-freeze and Post-thaw script credentials trouble
We use B&R 9.5 and do application-aware processing and indexing for all of our VMs. Credentials are set by tags and work so far.
Now we have to do some processing within some of our VMs since there is no VSS support for the application. So I wrote a PowerShell script that does service control during backup (set manual/stop/set automatic/start, or even restart on some servers). The script works if used locally but gives "access denied" if I start it within a backup job that has enough credentials for application processing. I found that the script was not running in the context of the application-aware user, but in the context of the server itself (reported username was servername$, not SYSTEM).
Why does Veeam not use the credentials of the application-aware user defined? If there are no privileges within the pre/post session, it's rather useless.
I would like to avoid maintenance-intensive solutions like
- preparing each VM to be ready for our script (define a scheduled task or change rights for the service)
- doing savecred (it only works under the account/machine it was created on, so it has to be done on every VM for the account server$)
or security-problematic solutions like
- putting credentials within the backup script in cleartext
Also, I do not see any documentation about this problem!
Is there any help?
-
- Veteran
- Posts: 1943
- Liked: 247 times
- Joined: Dec 01, 2016 3:49 pm
- Full Name: Dmitry Grinev
- Location: St.Petersburg
- Contact:
Re: Pre-freeze and Post-thaw script credentials trouble
Hi Stefan,
Spex wrote: I found that the script was not running in the context of the application aware user, but in the context of the server itself (reported username was servername$ not system).
Can you try this approach: pre-freeze\post-thaw scripts triggered by VMware Tools?
You can enable it by going to Storage -> Advanced settings -> vSphere. Thanks!
I will discuss this with the QA team tomorrow morning: why it was designed this way, or maybe this is not expected behavior.
-
- Enthusiast
- Posts: 70
- Liked: 8 times
- Joined: May 09, 2012 12:52 pm
- Full Name: Stefan Holzwarth
- Contact:
Re: Pre-freeze and Post-thaw script credentials trouble
Thanks for the links regarding the VMware Tools integration of pre/post jobs.
This approach has 2 other problems:
- VMware Tools quiescence can't be configured by tags (the workaround is to use source tags like backup_20:00_with_quiescence and backup_20:00_without_quiescence). This doubles the number of jobs.
- We already tried to use VMware Tools quiescence all the time together with app-aware processing (we prefer app-aware), but this sometimes led to NTFS errors (50, 53) with lazy-write problems. We do not see these errors using app-aware processing only.
-
- Veteran
- Posts: 1943
- Liked: 247 times
- Joined: Dec 01, 2016 3:49 pm
- Full Name: Dmitry Grinev
- Location: St.Petersburg
- Contact:
Re: Pre-freeze and Post-thaw script credentials trouble
Hi Stefan,
I have discussed the issue with the QA team and they took a pause for investigation.
Can you please contact our support team and share the case ID number here, so we will be able to track the issue. Thanks!
-
- Enthusiast
- Posts: 70
- Liked: 8 times
- Joined: May 09, 2012 12:52 pm
- Full Name: Stefan Holzwarth
- Contact:
Re: Pre-freeze and Post-thaw script credentials trouble
Case ID is #02198720.
Further testing showed no difference between using cmd or PowerShell, but disabling UAC did solve the problem.
But disabling UAC is not an option in our production environment...
-
- VP, Product Management
- Posts: 27378
- Liked: 2800 times
- Joined: Mar 30, 2009 9:13 am
- Full Name: Vitaliy Safarov
- Contact:
Re: Pre-freeze and Post-thaw script credentials trouble
Spex wrote: Further testing showed no difference if using cmd or powershell, but disable UAC did solve the problem.
Spex wrote: I found that the script was not running in the context of the application aware user, but in the context of the server itself (reported username was servername$ not system).
UAC shouldn't have any effect on the behavior you described above. It doesn't matter if it is turned on or off, since the question was which credentials are used when executing scripts, right?
-
- Enthusiast
- Posts: 70
- Liked: 8 times
- Joined: May 09, 2012 12:52 pm
- Full Name: Stefan Holzwarth
- Contact:
Re: Pre-freeze and Post-thaw script credentials trouble
UAC has an effect, even on SYSTEM. We put some diagnostic code in our PowerShell script and get different results depending on whether UAC is on or off:
PowerShell:
$wid = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$prp = New-Object System.Security.Principal.WindowsPrincipal($wid)
$adm = [System.Security.Principal.WindowsBuiltInRole]::Administrator
# Parenthesized so the string concatenation is evaluated before Write-Host receives it
Write-Host ("Admin?: " + $prp.IsInRole($adm))
Result:
UAC on : $false
UAC off + Reboot : $true
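The one-line IsInRole check above cannot tell a genuinely non-admin account apart from an admin account whose token UAC has filtered. The following diagnostic is an added example, not from the thread or from Veeam: dropped in as the pre-freeze script, it logs the identity the script actually runs as and whether BUILTIN\Administrators is present in the token, fully enabled or marked "deny only" (the UAC-filtered case). The log path is an assumption; pick one the script identity can write to.

```powershell
# Added diagnostic (not from the thread or from Veeam). Run as the pre-freeze/post-thaw
# script to record which identity and which kind of token the script really receives.
# Assumption: the log path is writable by that identity; adjust for your environment.
param(
    [string]$LogPath = 'C:\ProgramData\VeeamScriptDiag\prefreeze-identity.log'  # hypothetical path
)

function Get-ScriptTokenReport {
    $wid = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $prp = New-Object System.Security.Principal.WindowsPrincipal($wid)
    $adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator

    # whoami lists every group in the token with its attributes. Under a UAC-filtered
    # token BUILTIN\Administrators (S-1-5-32-544) is still listed, but marked
    # "Group used for deny only", which is exactly why IsInRole(Administrator) is False.
    $adminGroup = whoami /groups /fo csv | ConvertFrom-Csv |
        Where-Object { $_.SID -eq 'S-1-5-32-544' }

    $verdict = if ($wid.IsSystem) { 'LocalSystem' }
               elseif ($prp.IsInRole($adminRole)) { 'Administrator (full token)' }
               elseif ($adminGroup -and $adminGroup.Attributes -match 'deny only') { 'Administrator (UAC-filtered token)' }
               elseif ($adminGroup) { 'Administrator (unexpected group attributes)' }
               else { 'Not an administrator' }

    [pscustomobject]@{
        Timestamp       = (Get-Date).ToString('s')
        Identity        = $wid.Name                 # the thread saw servername$ here
        AuthType        = $wid.AuthenticationType
        IsSystem        = $wid.IsSystem
        IsInAdminRole   = $prp.IsInRole($adminRole)
        AdminGroupAttrs = if ($adminGroup) { $adminGroup.Attributes } else { '(not in token)' }
        Verdict         = $verdict
    }
}

$report = Get-ScriptTokenReport
$dir = Split-Path -Parent $LogPath
if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir -Force | Out-Null }
# Append one JSON line per run so pre-freeze and post-thaw invocations can be compared later.
($report | ConvertTo-Json -Compress) | Add-Content -Path $LogPath
$report | Format-List
```

If the log shows "Administrator (UAC-filtered token)", the job is handing the script the right account but no elevation, which is the case the support answer later in this thread describes; if it shows "Not an administrator" or a different Identity than expected, the account selection itself is the problem.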
-
- VP, Product Management
- Posts: 27378
- Liked: 2800 times
- Joined: Mar 30, 2009 9:13 am
- Full Name: Vitaliy Safarov
- Contact:
Re: Pre-freeze and Post-thaw script credentials trouble
UAC definitely has an impact, I was just referring to the fact that account selection does not depend on UAC.
-
- Enthusiast
- Posts: 70
- Liked: 8 times
- Joined: May 09, 2012 12:52 pm
- Full Name: Stefan Holzwarth
- Contact:
Re: Pre-freeze and Post-thaw script credentials trouble
From Veeam support:
Having checked the logs and similar cases, unfortunately I have to confirm that it is a behavior by design.
We must use the Administrator account or disable UAC to run scripts in VIX mode.
Deploying the guest components and running the scripts are performed by different parts of the code, so it wouldn't be possible to use the same approach with the scripts.
Conclusion:
- Currently you cannot use the same credentials for app-aware processing and pre-freeze/post-thaw scripts, with the exception of "Administrator".
- That means you can't even stop and start a Windows service or write to %temp% from a pre-freeze/post-thaw script (without some dirty tricks).
Request:
- We put a lot of effort into having credentials in each guest for app-aware processing. So please use the same logic for pre-freeze/post-thaw scripts. That will enable us to handle applications that are not app-aware (e.g. Lotus Domino, self-written software, ...) without reducing security (UAC off is no option) or doing a lot of individual scripting (PowerShell credential objects or altering the security of services).