Veeam Backup & Replication 10
User Guide for VMware vSphere
Related documents

Kerberos Authentication for Guest OS Processing

Starting from version 9.5 Update 4, Veeam Backup & Replication supports Kerberos authentication for guest OS processing of VMware vSphere VMs. However NTLM authentication is still required for communication between Veeam backup infrastructure servers (backup server, backup proxies, backup repositories, guest interaction proxies, log shipping servers, mount servers).

To back up or replicate VMware vSphere VMs where Kerberos is used, you must make sure that NTLM traffic is allowed in Veeam backup infrastructure machines. To do this, you must configure Active Directory group policies as shown below or in a similar way.

Configuring Active Directory Group Policies

If you want to back up or replicate VMs where Kerberos protocol is used, you must make sure that NTLM traffic is allowed in the Veeam backup infrastructure machines. You can add all Veeam infrastructure servers to a separate Active Directory organizational unit and create a GPO that allows NTLM traffic for this unit.

To allow NTLM traffic in Veeam infrastructure servers, do the following:

  1. On the domain controller server or management workstation, open the Active Directory Users and Computers MMC snap-in.
  2. Create a new Active Directory organizational unit and move all Veeam infrastructure servers to the organizational unit.

Kerberos Authentication for Guest OS Processing 

  1. Open Group Policy Management and create a new GPO for the organizational unit with Veeam infrastructure servers.

Kerberos Authentication for Guest OS Processing 

  1. Right-click the created GPO and select Edit.
  2. In the infrastructure tree of the Group Policy Management Editor interface, go to Policies/Windows Settings/Security Settings/Local Policies/Security Options.

Kerberos Authentication for Guest OS Processing 

  1. In the Security Options folder, go to properties of the following two policies and change the policy setting to Allow all:
    • Network Security: Restrict NTLM: Incoming NTLM traffic
    • Network Security: Restrict NTLM: Outgoing traffic to remote servers

Kerberos Authentication for Guest OS Processing 

After you configure group policies for NTLM traffic, Veeam backup infrastructure servers will be able to authenticate to each other using NTLM, while the servers will use Kerberos to authenticate to guest OS of VMs.

Related Topics

Guest Processing Settings

This Document Help Center
User Guide for VMware vSphereUser Guide for Microsoft Hyper-VVeeam Backup Enterprise Manager GuideVeeam Agent Management GuideVeeam Cloud Connect GuideVeeam Explorers User GuideVeeam Plug-ins for Enterprise Applications GuideVeeam PowerShell ReferenceVeeam Explorers PowerShell ReferenceVeeam RESTful API ReferenceRequired Permissions for VMware vSphereQuick Start Guide for VMware vSphereQuick Start Guide for Microsoft Hyper-VVeeam ONE DocumentationVeeam Agent for Windows DocumentationVeeam Agent for Linux DocumentationVeeam Backup for AWS DocumentationVeeam Backup for Microsoft Azure DocumentationVeeam Backup for Nutanix AHV User GuideVeeam Backup for Microsoft Office 365 DocumentationVeeam Management Pack Documentation
I want to report a typo

There is a misspelling right here:

 

I want to let the Veeam Documentation Team know about that.