ATI 2018 and 2019 will not authenticate with Windows Domain Credentials
Our office is still using ATI 2017. The reason is that ATI 2018 and the just downloaded ATI 2019 will not authenticate with Windows Active Directory domain credentials. After selecting a network device as the target for the backup I get a dialog, "Authentication Settings", which asks for user name and password. The target server is a domain member and only active directory authenticated users can access the drive. Even if I typed in a user ID and password, the backup would break as soon as the user changed his/her password and furthermore cause the user's workstation to get lock out due to ATI's repeated attempts to log in using now expired credentials.
ATI 2017 had no problem with this. When the target server and file path were entered, ATI 2017 would authenticate using the domain credentials and not prompt for an ID/PW.
I don't know know how other users deal with this, but we are forced to continue with ATI 2017 even though we'd like to upgrade our 9 workstations, and add more workstation licenses. However, ATI 2017 seems to be the last version able to authenticate with AD domain credentials.
BTW - is this forum the appropriate place to post "bugs"? I don't think this is simply a usage issue.
Bobbo_3C0X1: Thanks for your comments.
This was a completely fresh installation on a new Windows 10 computer with no previous ATI installation.
At the moment, I have not created a dedicated domain account for backups. We've used the credentials for the user owning/using the workstation for this in the past and, as I mentioned, this works fine on Windows 7 and ATI 2017. Yes, these users have read/write access to the target network drive.
I reverted the ATI version to 2017 on the Windows 10 computer, but that still didn't work. Apparently, there is some difference between Windows 7 and Windows 10 in this regard. Perhaps related to your comment, "newer versions of Acronis and Windows have disabled old protocols with security vulnerability (smb 1.0, tls 1.0, etc). which make remote connection a bit more restrictive." Our Samba version is 4.6.16, which is well beyond your mentioned 1.0 (if that's related to the protocol). As far as I know, TLS is not used for this connection. But still, there is obviously something different.
Your comment about "make sure this account has administrative access on all of the computers" gave me some hope. The users on the Windows 7 computers were local administrators, but not the user on the Windows 10 computer. So, I tried making that user a local administrator, but no go.
Making the user part of the administrator group via AD GPO doesn't work as the target computer's samba will not authenticate with Administrative group credentials, possibly a limitation in Samba (or some samba settings I don't know about). That's something I could research with samba.
In the meantime, I've developed a work-around whereby the target NAS device will mount the Windows 10 drive containing the .tib files and copy them to the local file system.
I'll try a couple of more things alluded to by your comments. Otherwise, any other ideas of things I could try?
Interesting that you mention Samba... SMB 1.0 was the old connection protocol, but it's nixed in Windows 10 and Acronis 2019. Are you able to verify if SMB 2.0 is enabled on the NAS, or can be (or SMB 3.0)?
I can't find the specific thread I wanted to show you, but I believe it was a home Synology box where there were screenshots with an option to enable SMB 2.0 which fixed the authentication issues that allowed backups to start running.
So, if you use a local admin account, how is that authenticating to the NAS on the network in older versions? (Nevermind, duh)
https://www.reddit.com/r/synology/comments/362xpe/dont_forget_to_enable_smb3/
I've checked the Samba protocol on the NAS:
client max protocol = default
client min protocol = CORE
server max protocol = SMB3
server min protocol = LANMAN1
and on the Windows 10 computer:
PS C:\Windows\system32> Get-SmbConnection ohprsstorage
ServerName ShareName UserName Credential Dialect NumOpens
---------- --------- -------- ---------- ------- --------
ohprsstorage public HPRS\user HPRS.LOCAL\user 3.1.1 6
That PowerShell command does not work on Windows 7. I'll see if I can find a way to check that.
Those protocols in Samba are not explicitly set. That tells me that Samba will connect with any client's protocol from LANMAN1 to SMB3. I'll check into how to set that explicitly. I assume the "Dialect" parameter in Windows 10 (3.1.1) is the protocol. I'm not sure how to actually find the protocol used for a given client/Samba-host pair. I'll investigate.
I've also got a question in to the SambaList group on this.
More info ...
smbstatus gives the info on the protocol used. So, for the Windows 10 host in question, the connection protocol is SMB3_11. For the Windows 7 computer which does authenticate with domain credentials using with ATI 2017 (but not ATI 2018/2019), the connection protocol is SMB2_10.
Does ATI 2018/2019 require SMB3? In any case, the Windows 10 computer is using SMB3, so protocol isn't the problem.
Have you download ATI 2020 trial and see if the same issue persists? I am not hopeful but you can never discount the possibility.
Ian
Tech OHPRS, no I don't believe it requires SMB 3.0 (in the post I still can't find, the fix was to use SMB 2.0 on the home NAS).
I'm not really sure of the issue other than that. We use Windows 2012R2 and 2016 servers and have been able to authenticate with them. I'm not sure what could be the issue in this case.
Have you opened up a technical support case? You'll probably have to do the dog-and-pony show with tier 1 at first, but hopefully it can be escalated higher up without too much trouble and have someone else take a look at the problem. If it is a bug or some type of protocol issue, this would be the way to bring it to light and allow Acronis to try and fix it.
IanL-S: SInce it's a bit of a pain to uninstall ATI and make sure it's ALL gone, and then reinstall 2020, I'm going to go with my work-around for the time being and try ATI 2020 on the next Windows 10 computer. Which will be fairly soon.
Bobbo_3C0X1: I will experiment with forcing SMB2.0. That might explain why neither ATI 2017 nor ATI 2019 and 2019 work on the Windows 10 computer (or not).
IanL-S, can you confirm what version your 2012R2 and 2016 servers are running?
Bobbo_3C0X1 wrote:Tech OHPRS, no I don't believe it requires SMB 3.0 (in the post I still can't find, the fix was to use SMB 2.0 on the home NAS).
ATI on one of my computers backups up to a WD MyBookLive using SMB 2.0.2. Actually, I've got a desktop and two laptops backing up to that NAS. No problems with either ATI 2019 or 2020.
Sorry for the long delay, but we've just recently installed Windows 10. And, I've installed ATI 2020 to test on one of the workstations. To recap, I am trying to backup to an network device.
I've done as Bobbo_3C0X1 suggested in reply #1. Specifically, 1) created a dedicated domain user for doing these backups whose password doesn't expire 2) entered the credentials using domain\user, not just user.
When trying to use only the user ID without the domain prefix it would not validate. The NAS connection does not even ask for credentials. It just goes ahead and uses the logged in user's credentials automatically, which is pretty much the point of AD authentication. This is an apparent change from ATI2017 and Windows 7 since I did not have to explicitly enter credentials.
Nevertheless, the backup to the NAS now works, so problem solved. I can now upgrade the office to ATI 2020.
btw - we are no longer user SMB1.0 on any office computers. That was a tangled web! For anyone struggling with that issue, Microsoft is no help. Here is a fantastic post on how to do that: https://www.ixsystems.com/community/resources/how-to-kill-off-smb1-netb…