Help Center
Choose product document...
Veeam Backup & Replication 9.5 Update 4
User Guide for VMware vSphere

Kerberos Authentication for Guest OS Processing

Starting from version 9.5 Update 4, Veeam Backup & Replication supports Kerberos authentication for guest OS processing of VMware vSphere VMs. However NTLM authentication is still required for communication between Veeam backup infrastructure servers (backup server, backup proxies, backup repositories, guest interaction proxies, log shipping servers, mount servers).

To back up or replicate VMware vSphere VMs where Kerberos is used, you must make sure that NTLM traffic is allowed in Veeam backup infrastructure machines. To do this, you must configure Active Directory group policies as shown below or in a similar way.

Configuring Active Directory Group Policies

If you want to back up or replicate VMs where Kerberos protocol is used, you must make sure that NTLM traffic is allowed in the Veeam backup infrastructure machines. You can add all Veeam infrastructure servers to a separate Active Directory organizational unit and create a GPO that allows NTLM traffic for this unit.

To allow NTLM traffic in Veeam infrastructure servers, do the following:

  1. On the domain controller server or management workstation, open the Active Directory Users and Computers MMC snap-in.
  2. Create a new Active Directory organizational unit and move all Veeam infrastructure servers to the organizational unit.

Kerberos Authentication for Guest OS Processing 

  1. Open Group Policy Management and create a new GPO for the organizational unit with Veeam infrastructure servers.

Kerberos Authentication for Guest OS Processing 

  1. Right-click the created GPO and select Edit.
  2. In the infrastructure tree of the Group Policy Management Editor interface, go to Policies/Windows Settings/Security Settings/Local Policies/Security Options.

Kerberos Authentication for Guest OS Processing 

  1. In the Security Options folder, go to properties of the following two policies and change the policy setting to Allow all:
  • Network Security: Restrict NTLM: Incoming NTLM traffic
  • Network Security: Restrict NTLM: Outgoing traffic to remote servers

Kerberos Authentication for Guest OS Processing 

After you configure group policies for NTLM traffic, Veeam backup infrastructure servers will be able to authenticate to each other using NTLM, while the servers will use Kerberos to authenticate to guest OS of VMs.

Related Topics

Guest Processing Settings

Veeam Large Logo

User Guide for VMware vSphere

User Guide for Microsoft Hyper-V

Enterprise Manager User Guide

Veeam Cloud Connect Guide

Veeam Agent Management Guide

Veeam Explorers User Guide

Backup and Restore of SQL Server Databases

Veeam Plug-ins for Enterprise Applications

PowerShell Reference

Veeam Explorers PowerShell Reference

RESTful API Reference

Required Permissions Reference

Veeam Availability for Nutanix AHV

Veeam Backup for Microsoft Office 365 Documentation

Veeam ONE Documentation

Veeam Agent for Windows Documentation

Veeam Agent for Linux Documentation

Veeam Management Pack Documentation

Quick Start Guide for VMware vSphere

Quick Start Guide for Hyper-V