Service Provider Console Management Agent Access to VBR with MFA Enabled

  • 25 January 2024


I have a newer client that I recently deployed VBR for that is managed by our Service Provider Console.  At some point in time I stopped getting reports from VBR in the SPC.  The Management Agent was talking to the SPC, but I was getting no information from VBR.  After opening a case with support and uploading logs (kudos to the Veeam team for making it so easy to create cases and upload logs within the SPC), support noted the below error found in the logs.

 

2024-01-22 22:00:19.9095 [ERROR ] 5684 [__21] BackupServerDiscovery: Exception thrown in method CollectBackupServerFromWMISafe from BackupServerDiscovery Exception: System.Management.ManagementException: Access denied

 

Support listed two possible fixes, the first of which is making sure the Service Provider entry is set to allow the Service Provider to manage the VBR installation.  Check!

Service Provider Wizard showing the checkbox “Allow this Veeam Backup & Replication installation to be managed by the service provider” as checked.

 

The second fix is related to MFA, and as you would know, this is the first time I’ve enabled MFA within VBR.  If you have MFA enabled, but the agent is running with an account that hasn’t been configured as a service account in the VBR Users, it will deny access.  There are two fixes as outlined in KB 4431.  The first of these is to create a new admin account, or use an existing account with local admin rights, set the Management Agent service to use this account and add said account to the Users list as a service account to bypass MFA.  The second option is to set the Local System account which the management agent was using by default as a service account, again bypassing MFA.

I chose option one (the recommended solution) and created a new local admin account for the service to use.  When submitting the credentials to the Management Agent, it automatically granted “Log on as a Service” rights to the admin account and fired right up, connected, and began reporting VBR items to my Service Provider Console.  Success!  Kudos to support for a very quick resolution.

 

New Local Admin Service Account created in Windows (non-domain joined VBR server)

 

Veeam Management Agent logging on as Local System by default

 

Veeam Management Agent Service set to log on with new Local Admin service account

 

Veeam Users with agent service user account set as a service to bypass MFA
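
A way to verify the end state described in the post above, as an added example that is not part of the original post or of Veeam's tooling: it reports which account the Management Agent service logs on with, whether that account is a direct member of the local Administrators group, and whether it holds the “Log on as a Service” right. The display-name prefix used to find the service and the temporary file name are assumptions; the service-account flag in the VBR Users list is not checked here.

```powershell
# Added example: audit the account behind the Veeam Management Agent service.
# Assumption: the service display name starts with "Veeam Management Agent".
# Run from an elevated PowerShell prompt on the VBR server.
$svc = Get-CimInstance Win32_Service -Filter "DisplayName LIKE 'Veeam Management Agent%'"
if (-not $svc) { throw 'No service matching "Veeam Management Agent*" found.' }

# Export the user-rights assignments once and read the "Log on as a service" holders.
$inf = Join-Path $env:TEMP 'vma-user-rights.inf'   # hypothetical temp file name
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$match = Select-String -Path $inf -Pattern '^SeServiceLogonRight\s*=\s*(.*)$'
Remove-Item $inf -ErrorAction SilentlyContinue
$holders = @()
if ($match) {
    # Entries are either "*<SID>" or a plain account name.
    $holders = $match.Matches[0].Groups[1].Value -split ',' |
        ForEach-Object { $_.Trim().TrimStart('*') }
}

# Direct members of the built-in Administrators group (S-1-5-32-544).
$adminSids = (Get-LocalGroupMember -SID 'S-1-5-32-544').SID.Value

foreach ($s in $svc) {
    $isLocalSystem = $s.StartName -eq 'LocalSystem'
    # Win32_Service reports local accounts as ".\name"; expand the dot so the
    # name can be translated to a SID.
    $name = if ($isLocalSystem) { 'NT AUTHORITY\SYSTEM' }
            else { $s.StartName -replace '^\.\\', "${env:COMPUTERNAME}\" }
    $sid = [System.Security.Principal.NTAccount]::new($name).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value
    $short = ($name -split '\\')[-1]

    [pscustomobject]@{
        Service           = $s.Name
        State             = $s.State
        LogonAccount      = $s.StartName
        RunsAsLocalSystem = $isLocalSystem
        # LocalSystem already has full local privileges and needs no explicit right.
        LocalAdmin        = $isLocalSystem -or ($adminSids -contains $sid)
        LogOnAsService    = $isLocalSystem -or ($holders -contains $sid) -or
                            ($holders -contains $short)
    }
}
```

Because the account is a local administrator that is exempt from MFA in VBR, rerunning this check after agent upgrades or credential changes confirms the service has not silently fallen back to Local System.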

 


2 comments


Glad you got this resolved Derek. Thank you for sharing the solution! 


Yeah, I have noticed some nuances with MFA especially with VSPC since we are using it more heavily now.  I will keep this in mind when we upgrade to 12.1 as we are doing a couple other things one being Roles/MFA changes.  👍🏼
