Does Kerberos authentication present challenges when trying to create backups? If so, how can those issues be addressed?
In most cases, Kerberos authentication does not cause problems for backup and recovery. The major backup vendors design their products in a way that takes Kerberos authentication into account; therefore the backup application does not burden the administrator with any Kerberos-related configuration issues. However, there are exceptions.
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
Kerberos authentication can occasionally become an issue when Windows systems are being backed up using a backup application that is running on a non-Windows server. For instance, there are Linux-based backup applications that require special configurations (related to Kerberos) if they are going to be backing up Windows servers.
There are two main reasons why Kerberos authentication can sometimes be an issue. First, some non-Windows systems include a Kerberos module that doesn't offer quite as much functionality as native Windows-based Kerberos does. This doesn't usually cause any problems as long as the administrator adheres to the system requirements and configures the software correctly.
The other reason why Kerberos can sometimes be problematic for backup and recovery operations has to do with trust. When a Windows Server needs to copy data to or from another Windows Server, the CredSSP protocol is often used. This protocol is certificate-based and doesn't usually require any special configuration. The problem is that CredSSP is only valid over a single hop.
Kerberos offers a higher degree of flexibility for operations that require multiple hops, but Constrained Delegation may need to be enabled. Constrained Delegation allows a Windows Server to perform certain tasks on behalf of another Windows Server, thereby making multi-hop operations possible. Constrained Delegation can be enabled through the Active Directory Users and Computers console by right clicking on the container representing a target computer, and selecting the Properties command from the shortcut menu. The resulting properties sheet contains a Delegation tab that can be used to configure Kerberos delegation.
Dig Deeper on Backup and recovery software
Related Q&A from Brien Posey
Through disk-based backup, continuous data protection enables backups to take place more often. Discover how to repair the technology's cost and ...continue reading
Microsoft Windows Server 2016 offers more advanced disaster recovery resources than the 2012 R2 edition. Features include deduplication, replication ...continue reading
In this Ask the Expert column, learn the most important storage technologies, including data deduplication and flash, to boost medical imaging ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.