Starting from version 9.5 Update 4, Veeam Backup & Replication supports Kerberos authentication for guest OS processing of VMware vSphere VMs. However NTLM authentication is still required for communication between Veeam backup infrastructure servers (backup server, backup proxies, backup repositories, guest interaction proxies, log shipping servers, mount servers).
To back up or replicate VMware vSphere VMs where Kerberos is used, you must make sure that NTLM traffic is allowed in Veeam backup infrastructure machines. To do this, you must configure Active Directory group policies as shown below or in a similar way.
Configuring Active Directory Group Policies
If you want to back up or replicate VMs where Kerberos protocol is used, you must make sure that NTLM traffic is allowed in the Veeam backup infrastructure machines. You can add all Veeam infrastructure servers to a separate Active Directory organizational unit and create a GPO that allows NTLM traffic for this unit.
To allow NTLM traffic in Veeam infrastructure servers, do the following:
- On the domain controller server or management workstation, open the Active Directory Users and Computers MMC snap-in.
- Create a new Active Directory organizational unit and move all Veeam infrastructure servers to the organizational unit.
- Open Group Policy Management and create a new GPO for the organizational unit with Veeam infrastructure servers.
- Right-click the created GPO and select Edit.
- In the infrastructure tree of the Group Policy Management Editor interface, go to Policies/Windows Settings/Security Settings/Local Policies/Security Options.
- In the Security Options folder, go to properties of the following two policies and change the policy setting to Allow all:
- Network Security: Restrict NTLM: Incoming NTLM traffic
- Network Security: Restrict NTLM: Outgoing traffic to remote servers
After you configure group policies for NTLM traffic, Veeam backup infrastructure servers will be able to authenticate to each other using NTLM, while the servers will use Kerberos to authenticate to guest OS of VMs.