This is an archive version of the document. To get the most up-to-date information, see the current version.

Kerberos Authentication for Guest OS Processing

Starting from version 9.5 Update 4, Veeam Backup & Replication supports Kerberos authentication for guest OS processing of VMware vSphere VMs. However, NTLM authentication is still required for communication between Veeam backup infrastructure servers (backup server, backup proxies, backup repositories, guest interaction proxies, log shipping servers, mount servers).

To back up or replicate VMware vSphere VMs where Kerberos is used, you must make sure that NTLM traffic is allowed on Veeam backup infrastructure machines. To do this, you must configure Active Directory group policies as shown below or in a similar way.

Configuring Active Directory Group Policies

If you want to back up or replicate VMs where the Kerberos protocol is used, you must make sure that NTLM traffic is allowed on the Veeam backup infrastructure machines. You can add all Veeam infrastructure servers to a separate Active Directory organizational unit and create a GPO that allows NTLM traffic for this unit.

To allow NTLM traffic on Veeam infrastructure servers, do the following:

  1. On the domain controller server or management workstation, open the Active Directory Users and Computers MMC snap-in.
  2. Create a new Active Directory organizational unit and move all Veeam infrastructure servers to the organizational unit.

  3. Open Group Policy Management and create a new GPO for the organizational unit with Veeam infrastructure servers.

  4. Right-click the created GPO and select Edit.
  5. In the infrastructure tree of the Group Policy Management Editor interface, go to Policies/Windows Settings/Security Settings/Local Policies/Security Options.

  6. In the Security Options folder, go to properties of the following two policies and change the policy setting to Allow all:
    • Network Security: Restrict NTLM: Incoming NTLM traffic
    • Network Security: Restrict NTLM: Outgoing traffic to remote servers

After you configure group policies for NTLM traffic, Veeam backup infrastructure servers will be able to authenticate to each other using NTLM, while the servers will use Kerberos to authenticate to the guest OS of VMs.
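
To confirm that the GPO took effect on the intended machines, the following added example (not part of the Veeam documentation) reads the registry values that back the two Restrict NTLM policies on each server. The server names are placeholders, and the script assumes PowerShell remoting is enabled on the targets.

```powershell
# Added example: report effective NTLM restriction settings on Veeam servers.
# Server names are placeholders (assumptions), not values from the documentation.
$Servers = @('veeam-bkp01', 'veeam-proxy01', 'veeam-repo01')

$Check = {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    # Registry values that back the two "Restrict NTLM" security options.
    $map = @{
        RestrictReceivingNTLMTraffic = @{
            Policy = 'Incoming NTLM traffic'
            States = @{ 0 = 'Allow all'; 1 = 'Deny all domain accounts'; 2 = 'Deny all accounts' }
            Blocks = @(1, 2)   # values that reject incoming NTLM
        }
        RestrictSendingNTLMTraffic = @{
            Policy = 'Outgoing traffic to remote servers'
            States = @{ 0 = 'Allow all'; 1 = 'Audit all'; 2 = 'Deny all' }
            Blocks = @(2)      # "Audit all" only logs, it does not block
        }
    }
    foreach ($name in $map.Keys) {
        # A missing value means the policy is not configured on this machine.
        $value = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        $state = if ($null -eq $value) { 'Not configured' } else { $map[$name].States[[int]$value] }
        [pscustomobject]@{
            Computer   = $env:COMPUTERNAME
            Policy     = $map[$name].Policy
            Value      = $value
            State      = $state
            BlocksNtlm = $map[$name].Blocks -contains $value
        }
    }
}

Invoke-Command -ComputerName $Servers -ScriptBlock $Check |
    Sort-Object Computer, Policy |
    Format-Table Computer, Policy, Value, State, BlocksNtlm -AutoSize
```

Running the same check against a server outside the organizational unit shows whether the Allow all setting stayed scoped to the Veeam infrastructure servers.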
