Does Kerberos authentication present challenges when trying to create backups? If so, how can those issues be addressed?
In most cases, Kerberos authentication does not cause problems for backup and recovery. The major backup vendors design their products in a way that takes Kerberos authentication into account; therefore the backup application does not burden the administrator with any Kerberos-related configuration issues. However, there are exceptions.
Kerberos authentication can occasionally become an issue when Windows systems are being backed up using a backup application that is running on a non-Windows server. For instance, there are Linux-based backup applications that require special configurations (related to Kerberos) if they are going to be backing up Windows servers.
There are two main reasons why Kerberos authentication can sometimes be an issue. First, some non-Windows systems include a Kerberos module that doesn't offer quite as much functionality as native Windows-based Kerberos does. This doesn't usually cause any problems as long as the administrator adheres to the system requirements and configures the software correctly.
The other reason why Kerberos can sometimes be problematic for backup and recovery operations has to do with trust. When a Windows Server needs to copy data to or from another Windows Server, the CredSSP protocol is often used. This protocol is certificate-based and doesn't usually require any special configuration. The problem is that CredSSP is only valid over a single hop.
Kerberos offers a higher degree of flexibility for operations that require multiple hops, but Constrained Delegation may need to be enabled. Constrained Delegation allows a Windows Server to perform certain tasks on behalf of another Windows Server, thereby making multi-hop operations possible. Constrained Delegation can be enabled through the Active Directory Users and Computers console by right clicking on the container representing a target computer, and selecting the Properties command from the shortcut menu. The resulting properties sheet contains a Delegation tab that can be used to configure Kerberos delegation.
This was first published in March 2014