#1 Global Leader in Data Protection & Ransomware Recovery
#1 Global Leader in Data Protection & Ransomware Recovery
BACK TO KB LIST

Access Denied Error After Migrating Configuration from MFA-Enabled Server

KB ID: 4477
Product: Veeam Backup & Replication | 12
Published: 2023-08-03
Last Modified: 2024-04-23
mailbox
Get weekly article updates
By subscribing, you are agreeing to have your personal information managed in accordance with the terms of Veeam's Privacy Notice.

Cheers for trusting us with the spot in your mailbox!

Now you’re less likely to miss what’s been brewing in our knowledge base with this weekly digest

error icon

Oops! Something went wrong.

Please try again later.

Challenge

After performing Configuration Restore using the Migration mode from a Configuration Backup created by a Veeam Backup & Replication server that had MFA enabled, login attempts using local accounts cause the Veeam Backup & Replication Console to display the error:

Failed to connect to Veeam Backup & Replication server:
Access denied.
Error
While this issue will always occur when using the Migrate mode to move between machines, it is more noticeable when migrating from a domain-joined machine to a non-domain-joined machine due to only being able to use local accounts to sign in via the Veeam Backup & Replication Console.

Cause

This issue occurs because the local account being used to log in has no Role assigned within the migrated Configuration Database and therefore has no access. The user accounts, their respective roles, and MFA data are stored within the Configuration Database using the use account's SID. While the local account names between the two machines may be the same, the SID is different and is therefore treated as a user that was never assigned a role.

Note: This same issue will impact domain accounts when migrating the configuration to a machine in a different domain that uses the same domain account names as the initial domain to which the original machine was connected.

Solution

Scenario 1: Migrating to a Machine Joined to the Same Domain

If the configuration migration was to a machine joined to the same domain as the original Veeam Backup Server, sign in to the Veeam Backup & Replication Console using a domain account that was assigned a Veeam Backup Administrator role and remove the local accounts associated with the old machine from the Users and Roles panel, then readded local accounts from the new machine as needed.

 

Scenario 2: Migrating to a Machine That Is Not in a Domain or Joined to a Different Domain

If the configuration migration was to a machine that is not in a domain or is joined to a different domain than the original Veeam Backup Server, review the following options:

Option 1: Perform Configuration Restore Using "Restore" Mode
  1. Restore the configuration again, and this time select the "Restore" option on the Restore Mode tab.
  2. During the Configuration Restore, a Warning will be displayed with the following message: 
    Disabling multi-factor authentication, be sure to enable it back after the recovery.
  3. After completing the Configuration Restore, sign in to the Veeam Backup & Replication Console using the local Administrator account.
  4. Open the Users and Roles Security panel.
  5. Remove Users associated with the old Veeam Backup Server or domain that the machine previously connected to.
  6. Add accounts as needed and assign their roles.
    Remember to assign at least one account the role of Veeam Backup Administrator.
  7. Enable MFA.
    Note: Each added account must perform the initial MFA setup steps on the next login.
Option 2: Modify The Configuration Database To Disable MFA
  1.  Use the query below to modify the configuration database, disabling MFA:
    KB1443: How to apply a SQL script to Veeam Backup & Replication/Veeam Backup Enterprise Manager Database

For Microsoft SQL:

UPDATE [dbo].[Options] set value = 'False' where name = 'GlobalMFA'
For PostgreSQL: 
UPDATE public.Options set value = 'False' where name = 'GlobalMFA';
  1. Sign in to the Veeam Backup & Replication Console using the local Administrator account.
  2. Open the Users and Roles Security panel.
  3. Remove Users associated with the old Veeam Backup Server or domain that the machine previously connected to.
  4. Add accounts as needed and assign their roles.
    Remember to assign at least one account the role of Veeam Backup Administrator.
  5. Enable MFA.
    Note: Each added account must perform the initial MFA setup steps on the next login.
Option 3: Override MFA Requirement By Temporarily Assigning Administrator Account as Service Log On
  1. Open the Services control panel (services.msc)
  2. Open the properties of the Veeam Backup Service service.
  3. On the Log On tab, select the option "This account:" and enter Administrator and provide the password for the local Administrator account.
  4. Restart the Veeam Backup Service service.
  5. Sign in to the Veeam Backup & Replication Console using the local Administrator account.
  6. Open the Users and Roles Security panel.
  7. Remove Users associated with the old Veeam Backup Server or domain that the machine previously connected to.
  8. Add accounts as needed and assign their role.
    Remember to assign at least one account the role of Veeam Backup Administrator.
  9. Enable MFA.
    Note: Each added account must perform the initial MFA setup steps on the next login.
  10. Return Veeam Backup Service service's Log On As setting to "Local System account," and restart the service.
To submit feedback regarding this article, please click this link: Send Article Feedback
To report a typo on this page, highlight the typo with your mouse and press CTRL + Enter.

Spelling error in text

This site is protected by hCaptcha and its Privacy Policy and Terms of Service apply except as noted in our Privacy Policy.
Thank you!

Thank you!

Your feedback has been received and will be reviewed.

Oops! Something went wrong.

Please try again later.

You have selected too large block!

Please try select less.

KB Feedback/Suggestion

This form is only for KB Feedback/Suggestions, if you need help with the software open a support case
By submitting, you are agreeing to have your personal information managed in accordance with the terms of Veeam's Privacy Notice.
This site is protected by hCaptcha and its Privacy Policy and Terms of Service apply except as noted in our Privacy Policy.
Verify your email to continue your product download
We've sent a verification code to:
  • Incorrect verification code. Please try again.
An email with a verification code was just sent to
Didn't receive the code? Click to resend in sec
Didn't receive the code? Click to resend
Start using Veeam:
Download the product
&
Activate the license key
Thank you!

Thank you!

Your feedback has been received and will be reviewed.

error icon

Oops! Something went wrong.

Please try again later.