Kerberos Authentication
Veeam Backup & Replication supports Kerberos authentication for all components of the backup infrastructure including Veeam Explorers, Veeam Agents, Veeam Plug-ins, and Veeam Backup Enterprise Manager. You can build the backup infrastructure in the following environments:
- Kerberos authentication is the primary domain authentication protocol, and NTLM is supported for compatibility. This is the default configuration starting from Microsoft Windows 2000 Server.
- Kerberos is the only domain authentication protocol, and NTLM is disabled (more secure).
Note: Kerberos authentication is supported only in Microsoft Active Directory-based environments.
How Kerberos Works
Unlike NTLM, Kerberos uses Ticket Granting Tickets (TGTs) issued by the Key Distribution Center (KDC). A TGT contains a session key, the key's expiration date, and the user's IP address. TGTs are encrypted and have a limited validity period (10 hours by default). This authentication mechanism protects users from man-in-the-middle (MITM) attacks.
Veeam Backup & Replication supports the standard Kerberos authentication scenario:
- A client sends a request to the KDC, which is located on a domain controller and uses Microsoft Active Directory as the account database. The request contains user details and information about the Veeam service the client wants to access.
- The KDC verifies the client's request and issues a TGT.
- The client uses the TGT to send a request to the KDC Ticket Granting Service (TGS) and get a TGS ticket. The request also contains the Service Principal Name (SPN) of the service.
- The client uses the TGS ticket to send a request to the server.
- The server verifies the client's request and provides access to the service for a limited period specified in the Kerberos configuration.
For more information about Kerberos authentication, see this Microsoft article.
Requirements and Limitations
Kerberos authentication has the following requirements and limitations:
- The client and the server must belong to the same domain, or a trust relationship must exist between domains.
- All backup infrastructure components must be added to the Veeam Backup & Replication console using FQDN.
- Veeam backup infrastructure servers must resolve FQDNs.
- FQDN must be used when connecting to the remote Veeam Backup & Replication console.
- The hostname length for all Windows-based backup infrastructure components and VM guest OSes must not exceed 15 characters.
- The time difference between the client and the domain controller must not exceed 5 minutes; this limit protects the backup infrastructure from replay attacks.
- Kerberos authentication for NFS is supported starting from NFS version 4.1.
- For guest OS processing, consider the following:
- Local accounts do not support Kerberos authentication. To authenticate with Microsoft Windows guest OS using Kerberos, specify an Active Directory account.
- If you use networkless application-aware guest processing through PowerShell Direct, the guest OS must still have access to the domain controller. Otherwise, Kerberos authentication will not work.
For SPNs, consider the following aspects:
- Each Veeam service must have two SPNs registered with the Active Directory in the following formats:
- {ServiceName}/{FQDN}, for example, VeeamBackupSvc/vbrserver01.tech.local
- {ServiceName}/{NetBIOSName}, for example, VeeamBackupSvc/VBRSERVER01
- For the following services, SPNs are registered automatically each time they start:
- Veeam Backup Service (VeeamBackupSvc)
- Veeam Backup Enterprise Manager Service (VeeamEnterpriseManagerSvc)
- Veeam Cloud Connect Service (VeeamCloudConnectSvc)
- Veeam Cloud Gateway Service (VeeamGateSvc)
- Veeam CDP Coordinator Service (VeeamCdpSvc)
- Veeam CDP Proxy Service (VeeamCdpProxySvc)
- Veeam Guest Catalog Service (VeeamCatalogSvc)
- Veeam Distribution Service (VeeamDistributionSvc)
- Veeam Mount Service (VeeamMountSvc)
- Veeam Broker Service (VeeamBrokerSvc)
- Veeam Hyper-V Integration Service (VeeamHvIntegrationSvc)
- Veeam Data Mover Service (VeeamTransportSvc)
- Veeam WAN Accelerator Service (VeeamWANSvc)
- Veeam vPower NFS Service (VeeamNFSSvc)
- Veeam Backup VSS Integration Service (VeeamFilesysVssSvc)
- Veeam Installer Service (VeeamDeploySvc)
- Veeam Tape Service (VeeamTapeSvc)
- Veeam Log Shipping Service (VeeamLogShipperSvc)
- Veeam Agent for Microsoft Windows Service (VeeamAgentWindows)
- Veeam Guest Helper Service (VeeamGuestHelperSvc)
For services running under the LocalSystem account, SPNs are mapped to the Active Directory computer objects. For services running under a dedicated Active Directory service account, SPNs are mapped to the Active Directory user objects.
Note that if for any reason SPN registration fails, the service continues working, but authentication issues may occur in Kerberos-only environments.
- If you want to register SPNs manually, you can use the setspn tool. For more information about manual SPN registration, see this Microsoft article. To disable automatic SPN registration, contact Veeam Customer Support.
Note that Veeam Platform Services (AWS, Azure, Google Cloud) and Veeam Explorer Recovery Service do not need to be registered as they do not have SPNs.
- To communicate with Hyper-V clusters, Veeam Backup & Replication uses the default SPN format for Veeam Hyper-V Integration Service, {HOST}/{FQDN}, because registering the SPN VeeamHvIntegrationSvc/{FQDN} for a cluster account may cause issues.
- If you want to use another account for running a Veeam service, you must manually remove the existing SPN from the Active Directory beforehand. Otherwise, the SPN registration with the new account will fail.
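The SPN rules above can be verified from PowerShell. The following is an added example, not Veeam's own code: it builds the expected {ServiceName}/{FQDN} and {ServiceName}/{NetBIOSName} pairs for the services you name, compares them with what setspn -L reports for the computer object (or for a dedicated service account), and for each missing SPN asks setspn -Q whether another account already holds it, which is the situation that makes registration under a new account fail. The host name vbrserver01.tech.local, the service selection, and the availability of setspn.exe on the host are assumptions.

```powershell
# Added example, not part of Veeam Backup & Replication. Assumes a domain-joined host with
# setspn.exe available and a hypothetical FQDN such as vbrserver01.tech.local.
function Test-VeeamSpnRegistration {
    param(
        [Parameter(Mandatory)][string]$Fqdn,
        # Only the Veeam services actually installed on this host
        [Parameter(Mandatory)][string[]]$ServiceNames,
        # Set this when the services run under a dedicated AD account (SPNs live on that user object)
        [string]$AccountName
    )
    $netbios = $Fqdn.Split('.')[0].ToUpper()
    if ($netbios.Length -gt 15) {
        Write-Warning "Hostname '$netbios' exceeds the 15-character limit"
    }
    try { [void][System.Net.Dns]::GetHostEntry($Fqdn) }
    catch { Write-Warning "FQDN '$Fqdn' does not resolve" }

    # Both SPN formats the documentation requires for every service
    $expected = foreach ($svc in $ServiceNames) { "$svc/$Fqdn"; "$svc/$netbios" }

    # setspn -L prints a header line followed by one indented SPN per line
    $target = if ($AccountName) { $AccountName } else { $netbios }
    $registered = & setspn.exe -L $target 2>&1 |
        ForEach-Object { "$_".Trim() } |
        Where-Object { $_ -match '^[^\s/]+/\S+$' }

    foreach ($spn in $expected) {
        if ($registered -contains $spn) {          # -contains compares case-insensitively
            [pscustomobject]@{ Spn = $spn; Status = 'Registered'; HeldBy = $target }
            continue
        }
        # Not on the expected object: check whether another account already owns this SPN.
        # setspn -Q prints the owning DN, or "No such SPN found."
        $query = & setspn.exe -Q $spn 2>&1 | ForEach-Object { "$_".Trim() }
        $owner = $query | Where-Object { $_ -match '^CN=' } | Select-Object -First 1
        [pscustomobject]@{
            Spn    = $spn
            Status = if ($owner) { 'RegisteredOnOtherAccount' } else { 'Missing' }
            HeldBy = $owner
        }
    }
}

# Constructed usage: verify both SPN formats for two services on a hypothetical backup server
Test-VeeamSpnRegistration -Fqdn 'vbrserver01.tech.local' `
    -ServiceNames 'VeeamBackupSvc', 'VeeamTransportSvc' | Format-Table -AutoSize
```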
Important: If you use persistent agents for guest OS processing and want to upgrade Veeam Backup & Replication to version 12, there may be issues with application-aware processing in a Kerberos-only environment. To mitigate risks, register SPNs for Guest Helper Service using the following format: {VeeamGuestHelperSvc}/{FQDN} and {VeeamGuestHelperSvc}/{NetBIOSName}. For more information, see this Veeam KB article.
Configuring Kerberos Environments
If you use default Microsoft Windows configuration for Kerberos authentication with NTLM fallback, configure the Network security: LAN Manager Authentication Level security policy setting to send NTLMv2 responses only. For more information, see this Microsoft article.
Note: Using NTLM increases the attack surface of your backup infrastructure. To build a more secure environment, disable NTLM and leave Kerberos as the only domain authentication protocol.
To configure a Kerberos-only environment, perform the following steps:
- Enable an NTLM audit. Start collecting and analyzing NTLM audit events to determine which applications and services send NTLM requests. Reconfigure or update them to use Kerberos. If an application or service does not support Kerberos, replace it with an alternative one. For more information about auditing NTLM usage, see this Microsoft article.
- Enable Kerberos extended logging mode. By default, Veeam Backup & Replication saves logs only for failed SPN registrations. It is recommended to collect information about all SPN registrations during initial Veeam Backup & Replication deployment and NTLM audit troubleshooting. To enable extended logging for SPNs used for Kerberos authentication between backup infrastructure components, see this Veeam KB article.
- Restrict NTLM traffic. When all applications and services are configured to use Kerberos and there are no NTLM audit events, apply Network Security: Restrict NTLM Active Directory group policies to restrict NTLM traffic and authentication. You can also configure exclusions for specific hosts if they still require NTLM authentication to work properly. For more information about restricting NTLM usage, see this Microsoft article.
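A local posture check that fits between the audit and restrict steps, as an added example that is not Veeam's or Microsoft's code: run on each backup infrastructure component, it reads the LmCompatibilityLevel value behind the LAN Manager authentication level policy, the MSV1_0 values behind the Restrict NTLM policies, and summarizes recent events from the Microsoft-Windows-NTLM/Operational log so you can see whether NTLM is still in use before restricting it. The registry value names and the event ID meanings are my reading of Microsoft's policy documentation and are assumptions to verify against it.

```powershell
# Added example, not part of Veeam Backup & Replication. Run elevated on the host being
# checked; the NTLM operational log only fills once the NTLM audit policies are enabled.
function Get-NtlmPosture {
    param([int]$Days = 7)
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $msv = Join-Path $lsa 'MSV1_0'
    # LmCompatibilityLevel backs "Network security: LAN Manager authentication level"
    # (assumed mapping: 3 = send NTLMv2 response only, 5 = NTLMv2 only, refuse LM and NTLM)
    $lmLevel = (Get-ItemProperty $lsa -ErrorAction SilentlyContinue).LmCompatibilityLevel
    # MSV1_0 values backing the "Restrict NTLM" policies (assumed: 0 = allow, 1 = audit, 2 = deny)
    $ntlm = Get-ItemProperty $msv -ErrorAction SilentlyContinue
    $settings = [pscustomobject]@{
        LmCompatibilityLevel         = $lmLevel
        RestrictSendingNTLMTraffic   = $ntlm.RestrictSendingNTLMTraffic
        RestrictReceivingNTLMTraffic = $ntlm.RestrictReceivingNTLMTraffic
        AuditReceivingNTLMTraffic    = $ntlm.AuditReceivingNTLMTraffic
    }
    $findings = @()
    if ($null -eq $lmLevel -or $lmLevel -lt 3) {
        $findings += 'LmCompatibilityLevel is unset or below 3: LM/NTLMv1 responses may be sent'
    }
    # Audit events (assumed IDs: 8001 = outgoing NTLM, 8002 = incoming NTLM,
    # 8003/8004 = domain-controller side); any of them means NTLM is still in use here
    $events = @(Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Microsoft-Windows-NTLM/Operational'
        StartTime = (Get-Date).AddDays(-$Days)
    })
    $summary = $events | Group-Object Id | ForEach-Object {
        [pscustomobject]@{ EventId = $_.Name; Count = $_.Count }
    }
    if ($events.Count -gt 0) {
        $findings += "$($events.Count) NTLM audit events in the last $Days days; do not restrict NTLM yet"
    }
    [pscustomobject]@{ Settings = $settings; NtlmEvents = $summary; Findings = $findings }
}

# Constructed usage: review the last week before applying the Restrict NTLM policies
$posture = Get-NtlmPosture -Days 7
$posture.Settings | Format-List
$posture.NtlmEvents | Format-Table -AutoSize
$posture.Findings
```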
Note: To protect Kerberos environments from Kerberoasting attacks, do the following: