"Invalid Credentials" error adding a Hyper-V host using a dedicated Veeam service account

KB ID:
1914
Product:
Veeam Backup & Replication
Version:
7.0.0.690+
Published:
Last Modified:
2014-08-07

Challenge

When adding a Hyper-V host using a dedicated backup user account, an error appears: "Invalid Credentials." Further log investigation reveals error code 0x80070005 (E_ACCESSDENIED)

Cause

The new user account; even though added to local administrators, does not have enough permissions to access DCOM, WMI, or the admin shares of the Hyper-V host and must be given permission so Veeam can communicate to the host using said services. 

Solution

To resolve:

  • Make sure Veeam account is member of Administrators group·         Launch DCOMCnfg.exe

    • Navigate to Component Services > Computers > Right-click My Computer a> Properties > COM Security tab

    • Access Permissions > Edit Limits > Add Veeam account and Allow Local Access & Remote Access

    • Launch and Activation Permission > Edit Limits > add Veeam account and Allow Local Launch, Remote Launch, Local Activation, Remote Activation. 

    • Navigate to My Computer > DCOM Config > Right-click Windows Management and Instrumentation > Properties > Security Tab

    • Launch and Activation Permissions > Customize > Edit > add Veeam account and Allow Local Launch, Remote Launch, Local Activation, Remote Activation

  • Launch WMIMgmt.msc:

    • Right click WMI Control > Properties > Security tab

    • Select Root node > click Security button

    • Add Veeam account to Group or user name > click Advanced > Permission Entries > select the Veeam account > click Edit

    • Type: Allow

    • Applies to: This namespace only

    • Permissions: Enable Account, Remote Enable

    • Click OK on all open dialogs

    • Navigate back to the node list in the Security tab

    • Select the CIMV2 node…click Security button

    • Add Veeam account to Group or user name > click Advanced > Permission Entries > select the Veeam account > click Edit

      • Type: Allow

      • Applies to: This namespace and subnamespaces

      • Permissions: Enable Account, Remote Enable

      • Set option: Only apply these permissions to objects and/or containers within this container

      • Click OK on all open dialogs

      • Navigate back to the node list in the Security tab

    • Select the virtualization node…click Security button

    • Add Veeam account to Group or user name > click Advanced > Permission Entries > select the Veeam account > click Edit

      • Type: Allow

      • Applies to: This namespace and subnamespaces

      • Permissions: Enable Account, Remote Enable

      • Set option: Only apply these permissions to objects and/or containers within this container

      • Click OK on all open dialogs

      • Navigate back to the node list in the Security tab

      • Click OK and close the WMIMgmt console. 

  • Allow access to the host's Administrative shares (Admin$, C$)

    • Add the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.

  • Create a DWORD value called LocalAccountTokenFilterPolicy and assign it a value of 1

  • Restart the Hyper-V Host

More Information

You should be able to add the Hyper-V host using the local 'administrator' account with no issue. If you are unable to add the host using the default administrator account, this KB might not apply.

Please be aware that we’re making changes which will restrict access to product updates for users without an active contract.

OK

Rate the quality of this KB article: 
3.7 out of 5 based on 39 ratings

Couldn't find what you were looking for?

Below you can submit an idea for a new knowledge base article.

Report a typo on this page:

Please select a spelling error or a typo on this page with your mouse and press CTRL + Enter to report this mistake to us. Thank you!

Spelling error in text:

Submit