• EN

RPC function call failed with NTLM disabled

P

I wanted to share this just incase it helps someone else. I was getting the following errors in Veeam B&R Community Edition 12.0.0.1420 when trying to add/rescan one of my eight Hyper-V hosts. These started occuring when moving towards a full block on NTLM in our environment.

  • Disks and volumes discovery failed Error: A security package specific error occurred. RPC function call failed. Function name: [GetSvcVersion]. Target machine:
  • Network path not found or invalid credentials supplied.

I verified DNS was good, disabled firewalls, enabled NetBIOS over TCP/IP, among other things. None of these helped.

What ended up fixing this, was enabling the “This account supports Kerberos 128/256 bit encryption” on our Active Directory user that services Veeam. I’m not sure why they other hosts were fine, but this fixed the final one and should have been done anyways.

4 comments

dips
Userlevel 7
Badge +7

Thanks for sharing @PizzaFist55 

Sounds like it could be related to work Microsoft is doing to harden Kerberos https://support.microsoft.com/en-us/topic/kb5020805-how-to-manage-kerberos-protocol-changes-related-to-cve-2022-37967-997e9acc-67c5-48e1-8d0d-190269bf4efb

Dipen N. K. | IT Security Specialist | Veeam Legend 2022 - 2023 | www.dipen.co.uk
coolsport00
Userlevel 7
Badge +17

Interesting fix. What led you to that setting being the culprit @PizzaFist55 ?

Shane Williford - Veeam VMCA/VMCE | Veeam Legend | VUG Leader | VCP-DCV | Twitter: @coolsport00
P

This is definitely due to the Microsoft hardening of Kerberos/NTLM. NTLM auditing was enabled and showed Veeam was still using it. If I blocked NTLM, Veeam would have issue, if I allowed it, all was well. I thought that after updating the domain controller and updating to Veeam 12, the Kerberos authentication would work automatically. The Windows updates don’t automatically update existing AD user objects though.

With DES / RC4 being blocked while NTLM was denied, Veeam would try to authenticate via Kerberos, but fail since AES was not allowed. I forgot to mention the Windows server also had this error: 10028 -   
DCOM was unable to communicate with the computer xxx using any of the configured protocols; requested by PID xxx (...Veeam.Backup.Satellite.exe).

coolsport00
Userlevel 7
Badge +17

Appreciate the additional info @PizzaFist55 

Cheers!

Shane Williford - Veeam VMCA/VMCE | Veeam Legend | VUG Leader | VCP-DCV | Twitter: @coolsport00

Comment


Terms & Conditions