Kerberos Authentication for Storage Systems

This section lists the requirements, limitations and specifics of working with storage systems that use Kerberos authentication.

General Requirements and Limitations

For management connection:

  • Kerberos authentication is supported for the following storage systems: Dell Unity XT/Unity, Dell VNX block storage, HPE 3PAR StoreServ, HPE Primera, HPE Alletra 9000, HPE Nimble, HPE Alletra 6000, HPE Alletra 5000, Pure Storage FlashArray, INFINIDAT InfiniBox F Series, Dell SC Series, Dell PowerStore, Dell PowerMax, Hitachi VSP, HPE XP, NetApp ONTAP, Lenovo DM Series, NetApp Element, Tintri IntelliFlash.
  • Storage systems that use SSH are not supported.

[For VMware integration] For data connections, that is, usage during backup and restore:

  • Storage systems with NFS 4.1 connectivity are supported: NetApp ONTAP, Dell Unity XT/Unity, Tintri.
  • The following Kerberos protocols are supported: krb5, krb5i and krb5p.
  • [For NetApp ONTAP] The Create required export rules automatically option must be disabled.

User Name Formats

When adding storage systems that use Kerberos, specify user names in the following formats:

  • Dell PowerStore: domain\username, username@domain
  • Dell SC Series: username, domain\username, username@domain
  • Dell Unity XT/Unity: username@domain
  • Dell VNX block storage: username
  • Hitachi VSP: username
  • HPE 3PAR StoreServ, HPE Primera, HPE Alletra 9000: username
  • HPE Nimble, HPE Alletra 6000, HPE Alletra 5000: username, domain\username, username@domain
  • HPE XP: username
  • INFINIDAT InfiniBox F Series: username
  • NetApp Element: username
  • NetApp ONTAP, Lenovo DM Series: domain\username
  • Pure Storage FlashArray: username
  • Tintri IntelliFlash: username, domain\username, username@domain

Backup and Rescan (VMware integration)

The protocol that Veeam Backup & Replication tries to use during backup and storage rescan depends on the type of backup proxy.

  • If a Microsoft Windows-based proxy is used, Veeam Backup & Replication first tries to connect without Kerberos. If the connection fails, Veeam Backup & Replication tries to connect using Kerberos protocols in the following order: krb5p, krb5i, krb5.

You can change the order using a registry value: HKEY_LOCAL_MACHINE\SOFTWARE\Veeam\Veeam Backup and Replication\NFSKerberosEncryptionLevel (DWORD).

The values can be the following:

  • 0 — non-Kerberos -> krb5p -> krb5i -> krb5 (default value);
  • 1 — krb5 -> non-Kerberos -> krb5p -> krb5i;
  • 2 — krb5i -> non-Kerberos -> krb5p -> krb5;
  • 3 — krb5p -> non-Kerberos -> krb5i -> krb5.
  • If a Linux-based proxy is used, the protocol depends on how the mount command is implemented in the Linux distribution that the proxy runs.

You can specify the order using a registry value: HKEY_LOCAL_MACHINE\SOFTWARE\Veeam\Veeam Backup and Replication\SanNfsLinuxMountOptions (REG_MULTI_SZ).

This registry value allows you to override Linux proxy mount settings for Backup from Storage Snapshots and storage NFS rescan. Specify the NFS share path, a semicolon and a list of mount parameters separated by commas. In the NFS share path, you can use wildcards: * to represent any number of letters, and ? for a single letter. For example, 172.24.24.*;rw,soft,vers=4.1,timeo=300,retrans=10,sec=krb5.
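
The following is an added example, not part of the original page or of Veeam's code: a Python check that parses entries in the SanNfsLinuxMountOptions format described above and reports, for a given NFS share path, whether each matching entry requests a Kerberos security flavor. Only the first sample entry comes from the page; the others, the share paths and the function names are constructed, and treating * as zero or more of any character is an assumption.

```python
import re

KERBEROS_FLAVORS = {"krb5", "krb5i", "krb5p"}

# First entry is the page's example; the other two are constructed samples.
SAMPLE = [
    "172.24.24.*;rw,soft,vers=4.1,timeo=300,retrans=10,sec=krb5",
    "172.24.25.1?;rw,soft,vers=4.1,sec=sys",
    "10.0.0.5:/vol1;rw,vers=4.1",
]

def parse_entry(line):
    """Split one REG_MULTI_SZ string into (share pattern, options dict)."""
    pattern, sep, opts = line.partition(";")
    if not sep or not pattern.strip() or not opts.strip():
        raise ValueError(f"expected '<share path>;<mount options>': {line!r}")
    options = {}
    for opt in opts.split(","):
        key, _, value = opt.strip().partition("=")
        if key:
            options[key] = value  # flag options such as 'rw' map to ''
    return pattern.strip(), options

def pattern_to_regex(pattern):
    """Translate only the two documented wildcards; all else is literal."""
    # Assumption: '*' is zero or more of any character, '?' exactly one.
    table = {"*": ".*", "?": "."}
    return re.compile("".join(table.get(ch, re.escape(ch)) for ch in pattern))

def audit(entries, share_path):
    """Return (pattern, sec, is_kerberos) for each entry matching share_path."""
    findings = []
    for line in entries:
        pattern, options = parse_entry(line)
        if pattern_to_regex(pattern).fullmatch(share_path):
            sec = options.get("sec") or None
            findings.append((pattern, sec, sec in KERBEROS_FLAVORS))
    return findings

if __name__ == "__main__":
    for path in ("172.24.24.17:/backup_vol", "172.24.25.12", "10.0.0.5:/vol1"):
        for pattern, sec, ok in audit(SAMPLE, path):
            status = "Kerberos" if ok else "NOT Kerberos"
            print(f"{path}: matched {pattern!r}, sec={sec} -> {status}")
```

An entry reported with sec=None sets no security flavor at all, so the flavor is left to the mount command of the proxy's Linux distribution.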

Restore (VMware integration)

During restore from a storage snapshot, Veeam Backup & Replication creates an NFS datastore using a non-Kerberos protocol. If the connection fails, Veeam Backup & Replication tries to use Kerberos protocols in the following order: krb5, krb5i.

You can change the protocol using a registry value: HKEY_LOCAL_MACHINE\SOFTWARE\Veeam\Veeam Backup and Replication\SanRestoreNfsKerberosEncryptionLevel (DWORD).

The values can be the following:

  • 0 — non-Kerberos -> krb5 -> krb5i (default value);
  • 1 — non-Kerberos;
  • 2 — krb5;
  • 3 — krb5i.