https://login.veeam.com/en/oauth?client_id=nXojRrypJ8&redirect_uri=https%3A%2F%2Fwww.veeam.com%2Fservices%2Fauthentication%2Fredirect_url&response_type=code&scope=profile&state=eyJmaW5hbFJlZGlyZWN0TG9jYXRpb24iOiJodHRwczovL3d3dy52ZWVhbS5jb20va2IxOTE0IiwiaGFzaCI6IjViZTc2YTYzLThlMDktNGVhYi1iZmVmLTMwMWI1NjRjNDgxNCJ9
1-800-691-1991 | 9am - 8pm ET
EN

"Invalid Credentials" error adding a Hyper-V host using a dedicated Veeam service account

KB ID: 1914
Product: Veeam Backup & Replication
Version: 7.0.0.690+
Published: 2014-08-07
Last Modified: 2021-01-13

Challenge

When adding a Hyper-V host using a dedicated local (non-domain) backup user account, an error appears:

Invalid Credentials.

Further log investigation reveals error code 0x80070005 (E_ACCESSDENIED)

Cause

The new user account; even though added to local administrators, does not have enough permissions to access DCOM, WMI, or the admin shares of the Hyper-V host and must be given permission so Veeam can communicate to the host using said services.

Solution

Hyper-V Host Reboot Required
The last step of the solution below requires that the Hyper-V host be rebooted.

To resolve:

  1. Make sure Veeam account is member of Administrators group.

  2. Launch DCOMCnfg.exe
    1. Expand Component Services > Computers
    2. Right-click on My Computer
    3. Select [Properties]
      1. Select the [COM Security] tab
      2. In the "Access Permissions" section Click [Edit Limits]
        1. Click [Add...], and enter the account used by Veeam
          1. Click [Ok]
        2. Highlight the Veeam account, and in "Permissions for" section select [Allow] for both "Local Access" and "Remote Access"
        3. Click [Ok]
      3. In the "Launch and Activation Permission" section Click [Edit Limits]
        1. Click [Add...], and enter the account used by Veeam
          1. Click [Ok]
        2. Highlight the Veeam account, and in the "Permissions for" section select [Allow] for "Local Launch", "Remote Launch", "Local Activation", and "Remote Activation"
        3. Click [Ok]
      4. Click [Ok] confirming and closing the "My Compure Properties" window.
    4. Expand My Computer > DCOM Config
    5. Locate and right-click on "Windows Management and Instrumentation"
    6. Select [Properties]
      1. Select the [Security] tab
      2. In the "Launch and Activation Permissions" section Click [Edit...]
        1. Click [Add], and enter the account used by Veeam
          1. Click [Ok]
        2. Highlight the Veeam account, and in the "Permissions for" section select [Allow] for "Local Launch", "Remote Launch", "Local Activation", and "Remote Activation"
        3. Click [Ok]
      3. Click [Ok] confirming and closing the "Windows Management and Instrumentation Properties" window.

  3. Launch WMIMgmt.msc:
    1. Right click on "WMI Control" and select [Properties]
      1. Select the [Security] tab
      2. Select Root node and click the [Security] button
        1. Click [Add...], and enter the account used by Veeam
          1. Click [Ok]
        2. Highlight the Veeam account in list
        3. Click [Advanced]
          1. Select the Veeam account in list on the [Permissions] tab
          2. click Edit
            1. Type: Allow
            2. Applies to: This namespace only
            3. Permissions: Enable Account, Remote Enable
            4. Click [Ok]
          3. Click [Ok]
        4. Click [Ok]
      3. Now back in the [Security] tab of the "WMI Control Properties" window
      4. Select the Root>CIMV2 node and click the [Security] button
        1. Click [Add...], and enter the account used by Veeam
          1. Click [Ok]
        2. Highlight the Veeam account in list
        3. Click [Advanced]
          1. Select the Veeam account in list on the [Permissions] tab
          2. click Edit
            1. Type: Allow
            2. Applies to: This namespace and subnamespaces
            3. Permissions: Enable Account, Remote Enable
            4. Set option: Only apply these permissions to objects and/or containers within this container
            5. Click [OK]
          3. Click [OK]
        4. Click [OK]
      5.  Select the Root>Virtualization node and click the [Security] button
        1. Click [Add...], and enter the account used by Veeam
          1. Click [Ok]
        2. Highlight the Veeam account in list
        3. Click [Advanced]
          1. Select the Veeam account in list on the [Permissions] tab
          2. click Edit
            1. Type: Allow
            2. Applies to: This namespace and subnamespaces
            3. Permissions: Enable Account, Remote Enable
            4. Set option: Only apply these permissions to objects and/or containers within this container
            5. Click [OK]
          3. Click [OK]
        4. Click [OK]
      6. Click [OK] and close the WMIMgmt console.

  4. Allow local accounts remote access to the host's Administrative shares (Admin$, C$).
    • Add the following registry value:
    • Location: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    • Type: DWORD
    • Value: LocalAccountTokenFilterPolicy 
    • Data: 1

  5. Restart the Hyper-V Host

More information

You should be able to add the Hyper-V host using the local 'administrator' account with no issue. If you are unable to add the host using the default administrator account, this KB might not apply.
KB ID: 1914
Product: Veeam Backup & Replication
Version: 7.0.0.690+
Published: 2014-08-07
Last Modified: 2021-01-13

Couldn't find what you were looking for?

Below you can submit an idea for a new knowledge base article.
Report a typo on this page:

Please select a spelling error or a typo on this page with your mouse and press CTRL + Enter to report this mistake to us. Thank you!

Spelling error in text

Knowledge base content request
By submitting, you agree that your personal data will be managed by Veeam in accordance with the Privacy Policy.

ty icon

Thank you!

We have received your request and our team will reach out to you shortly.

OK

error icon

Oops! Something went wrong.

Please go back try again later.