Veeam backup error “Error: Failed to connect to guest agent. Errors: ‘Cannot connect to the host’s administrative share’” / Access Denied when accessing Admin Shares (\\IPaddress\C$)

If your Windows Server 2008 box is in a WorkGroup and you require access to one of the admin shares, it can be a little more complicated than with Server 2003.
I had to set up a Veeam backup job for backing up a VM running Windows 2008 in a WorkGroup. The initial backup job with default settings went well, and I then enabled “Application Aware Image Processing” and “Guest File System Indexing”. For this I had set up a local admin account on Windows 2008 and provided the credentials in the Veeam backup job. The job failed on the test run with the error below:
'ServerHostName' Error: Failed to connect to guest agent. Errors: 'Cannot connect to the host's administrative share. Host: [10.0.0.11]. Account: []. Win32 error:Logon failure: unknown user name or bad password. Code: 1326 '
10.0.0.11 is the server IP. I tried to access \\10.0.0.11\C$ and got the Windows prompt asking for credentials. With the local admin account I had created, it worked from the same server. When I tried remotely from the backup server, it showed an “Access Denied” error when I provided the user name and password. It was quite surprising because it is a local admin user, and that’s the issue then.
The Access Denied error eliminated possible causes like:
1)      “Server” service not running (should have thrown “The specified network name no longer available” error)
2)      File and Printer Sharing disabled on NIC properties
3)      Secpol.msc -> User Rights Assignment -> “Access this computer from network” and “Deny Access to this computer from network” (the error should be something like “Logon failures: the user has not been granted the requested login type at this computer”)
I also checked a few things like Start -> Run -> fsmgmt.msc, and the administrative shares looked good there.
Then finally the fix
The issue was with UAC. The KB articles http://support.microsoft.com/kb/951016 and http://support.microsoft.com/kb/942817 talk about this issue in Vista.
So it is a security feature. From the KB article: “How UAC remote restrictions work: To better protect those users who are members of the local Administrators group, we implement UAC restrictions on the network. This mechanism helps prevent against "loopback" attacks. This mechanism also helps prevent local malicious software from running remotely with administrative rights.”
So please be sure about the risks.
 So what I had to do was -
1)      Right Click on PowerShell Icon in the system tray
2)      Right click on “Windows PowerShell”
3)      Run as Administrator
4)      Execute below command
New-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -name "LocalAccountTokenFilterPolicy" -value "1" -propertyType dword
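
An added example, not part of the original post: a PowerShell sketch that reports the current state of LocalAccountTokenFilterPolicy before it is changed and can put the default back afterwards. It uses -Force because New-ItemProperty fails when the value already exists. The function names Get-RemoteUacFilterState and Set-RemoteUacFilter are hypothetical.

```powershell
# Added example (not from the original post). Function names are hypothetical.
$UacPolicyKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$UacPolicyName = 'LocalAccountTokenFilterPolicy'

function Get-RemoteUacFilterState {
    # An absent value or 0 means UAC remote restrictions are on (the default):
    # local administrator accounts get a filtered token over the network.
    $prop = Get-ItemProperty -Path $UacPolicyKey -Name $UacPolicyName -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return 'Default (value absent): remote restrictions enabled' }
    if ($prop.$UacPolicyName -eq 1) { return 'Value 1: remote restrictions DISABLED' }
    return "Value $($prop.$UacPolicyName): remote restrictions enabled"
}

function Set-RemoteUacFilter {
    param([Parameter(Mandatory = $true)][bool]$Restricted)
    if ($Restricted) {
        # Return to the default by removing the value; no error if it is already absent.
        Remove-ItemProperty -Path $UacPolicyKey -Name $UacPolicyName -ErrorAction SilentlyContinue
    } else {
        # -Force overwrites an existing value instead of failing.
        New-ItemProperty -Path $UacPolicyKey -Name $UacPolicyName -Value 1 `
            -PropertyType DWord -Force | Out-Null
    }
    # Report the resulting state so the change is visible in the console or a log.
    Get-RemoteUacFilterState
}

# Read-only check; run from an elevated prompt.
Get-RemoteUacFilterState
# Set-RemoteUacFilter -Restricted $false   # same effect as the command in the post
# Set-RemoteUacFilter -Restricted $true    # restore the default
```

Recording the state before and after the change makes it possible to confirm the default was in place originally and to restore it if the backup job later moves to a different credential model.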

Thanks!
R.Hari
