Products
Veeam Data Cloud

SaaS Data Protection Solution

Backup & Recovery service for:

Microsoft 365 & Entra ID

Microsoft Azure

Salesforce

Vault Cloud Storage

Veeam Data Platform

Self-managed data protection software for hybrid and multi-cloud environments

Data Protection

Cyber Security

AI-Driven Insights

Sovereignty, Governance & Compliance

Services

Cyber Extortion Response

Cyber Secure Program

Workload Specific

Solutions for individual applications

Backup for Microsoft 365

Backup for Microsoft Entra ID

Backup for Salesforce

Backup for Kubernetes

Backup for AWS

Backup for Microsoft Azure

Backup for Google Cloud

NEW RELEASE

Veeam Data Platform v13

Simplify operations and strengthen security with Veeam’s most intelligent and secure release yet

Explore now

Comprehensive data resilience for hybrid, multi-cloud and SaaS data

Data Backup
Automated backup solutions that evolve across platforms and locations

Data Recovery
Plan, test, automate, and scale recovery operations to defy any disruption

Data Portability
Move and store your data wherever you need it with no vendor lock-in

Data Security
The trusted leader in data resilience helping you protect smarter, detect faster, and recover clean.

Data Intelligence
AI-powered tools to automate analysis, enhance decisions, and stay secure

BENCHMARK YOUR RESILIENCE

Align Resilience to Business & Compliance Goals

Discover how leaders identify risk with the Data Resilience Maturity Model

explore now

Hybrid & Multi-Cloud

Veeam Backup & Replication CE

All Free Tools

Cloud

Veeam Backup for AWS Free

Veeam Backup for Microsoft Azure Free

Veeam Backup for Google Cloud Free

Veeam Kasten Free

SaaS

Veeam Backup for Microsoft 365 CE

Veeam Insights for Microsoft 365

Veeam for Salesforce CE

Veeam Data Platform

Self-managed data protection software for hybrid and multi-cloud environments

Packaging & Enterprise Editions

Veeam Data Cloud

SaaS Data Resilience Solutions

Purchasing Options

All Products

Find a Reseller

Buy Online
Solutions
Use Case

Ransomware Recovery

Hybrid Cloud

Microsoft SaaS Data Protection

Industries

Government

Education

Financial Services & Insurance

Healthcare

Business Type

Enterprise

Small Business

Service Provider

Services

Cyber Extortion Response

Cyber Secure Program

Alliance Technologies

See All Veeam Alliance Partners

AWS

Cisco

Google

HPE

Lenovo

Microsoft

VMware

Alliance Partner Integrations & Qualifications

Environment

SaaS  Microsoft 365 | Microsoft Entra ID | Salesforce

Cloud  AWS | Azure | Google | Kubernetes

Virtual  VMware | Hyper-V | Nutanix AHV | Oracle Linux VM | RHV | Proxmox | Scale Computing

Physical  Windows | Linux | MacOS | Unix | NAS

Apps  Microsoft | Oracle | SAP Hana | PostgreSQL | MongoDB
Support
Get Support

Support

Open a Case

Track Your Case

Support Policy

Renewals Center

Renewals

Services

Veeam Customer Success

Training & Education

Veeam University

Kubernetes Learning Portal

Support Resources

Veeam Data Cloud Changelog

Technical Documentation

Knowledge Base

Kasten Technical Documentation

Kasten Knowledge Base

Downloads

All Product Downloads

Community

Community Resource Hub

Community Experts

R&D Forums
Resources
Thought Leadership

Data Resilience Maturity Model

Resource Library

White Papers

Solution Briefs

Analyst Reports

See All Resources

Customer Stories

See All Stories

Blog

Veeam Blog

Glossary

Veeam Glossary

Events & Webinars

VeeamON

Events

Upcoming Webinars

On-Demand Webinars

Product Demo

On-Demand Platform Demo

Upcoming Product Demos

On-Demand Product Demos

Resilience Benchmarking

Data Resilience Maturity Model
Partners
WHY PARTNER WITH VEEAM

Become a Partner

Value-Added Reseller

Service Provider

Global System Integrator

Technology Alliance

Find a Partner

Find a Partner

Partner Resources

ProPartner Portal
CXOs
Veeam’s exclusive community that brings together a suite of experiences & resources for executive leaders.

Gain access to:

Conversations between influential tech leaders

Meaningful connection and candid dialogue

Peer-to-peer collaborative problem-solving

Thought Leadership

be: Ready - Explore expert guidance, trends, and innovations at our leadership hub online

INSIGHTS & RESEARCH FOR CXOs

Executive Exchange Events

Networking, insights, and shared CXO experiences at exclusive events worldwide

Events for CXOs

Veeam Support Knowledge Base
Unable to Interact with Some Hypervisors and Cloud Platforms

Unable to Interact with Some Hypervisors and Cloud Platforms

KB ID:	4687
Product:	Veeam Backup & Replication \| 12.2 \| 12.3 \| 12.3.1 \| 12.3.2 \| 13 Veeam Backup for Nutanix AHV Veeam Backup for AWS Veeam Backup for Microsoft Azure Veeam Backup for Google Cloud Veeam Backup for Oracle Linux Virtualization Manager and Red Hat Virtualization Veeam Kasten for Kubernetes Veeam Plug-In for Proxmox VE
Published:	2024-11-19
Last Modified:	2025-12-02

Cheers for trusting us with the spot in your mailbox!

Now you’re less likely to miss what’s been brewing in our knowledge base with this weekly digest

Oops! Something went wrong.

Please, try again later.

Veeam Backup & Replication 13.0.1 Upgrade Warning

During the upgrade to Veeam Backup & Replication 13.0.1 or higher, the following warning may be displayed:

Incompatible backup server certificate
The certificate does not support child certificates creation and must be replaced for virtualization and cloud plug-ins to function, see KB4687 for instructions.

The resolution for this issue can be found below in the section:
Issue 2: The Veeam Backup Server Certificate is missing the field "Basic Constraints".

Challenge

After deploying or upgrading to Veeam Backup & Replication 12.2 or higher, Veeam Backup & Replication may be unable to communicate with Virtualization and Cloud Platforms that are added to Veeam Backup & Replication via a Plug-In module (i.e., Nutanix AHV, Red Hat Virtualization, and Oracle Linux Virtualization Manager, Veeam Backup for AWS, Veeam Backup for Google Cloud, Veeam Backup for Microsoft Azure).

For Virtualization Platforms, this behavior will manifest as an inability to see these platforms listed when attempting to add them to Veeam Backup & Replication (as shown below).

Solution

Starting with version Veeam Backup & Replication 13.0.1.180, there are three identified possible causes for this problem.

Please review each issue's description, which details the logs to check, the specific error to look for, and provides an expandable section with the solution.

Issue 1: MFA Blocking Platform and Cloud Plug-Ins

Related Log File: C:\ProgramData\Veeam\Backup\Utils\Util.InfrastructureStatistic.log
Error Example:
Error (1) Failed to login to platform service (ID: [{guid}]): Failed to execute VeeamAuth: 'Veeam.Backup.Identity.Client.TokenAuthenticationException: Unable to perform authorization: The client does not have access permissions for the resource.

Solution for MFA Blocking Platform and Cloud Plug-Ins

^{Affects Veeam Backup & Replication 13.0.1.180}

Due to an unintended behavior change in Veeam Backup & Replication 13.0.1.180, when MFA is enabled (or was enabled prior to an in-place upgrade), the LocalSystem account is not assigned a Service Account role, which would allow it to bypass MFA. To correct this issue, the account "NT AUTHORITY\SYSTEM" must be added explicitly to the Users and Roles list as a Backup Administrator and assigned as a Service Account.

This can be identified by reviewing: C:\ProgramData\Veeam\Backup\Utils\Util.InfrastructureStatistic.log

Error (1)    Failed to login to platform service (ID: [{guid}]): Failed to execute VeeamAuth: 'Veeam.Backup.Identity.Client.TokenAuthenticationException: Unable to perform authorization: The client does not have access permissions for the resource.Error (1)    Failed to generate certificate.

This error "The client does not have access permissions for the resource." can also be found in logs related to each plug-in:

C:\ProgramData\Veeam\Backup\Plugins\AWS\Veeam.AWS.PlatformSvc.log
C:\ProgramData\Veeam\Backup\Plugins\GCP\Veeam.GCP.PlatformSvc.log
C:\ProgramData\Veeam\Backup\Plugins\Kasten\Veeam.Kasten.PlatformSvc.log
C:\ProgramData\Veeam\Backup\Plugins\KVM\Veeam.KVM.PlatformSvc.log
C:\ProgramData\Veeam\Backup\Plugins\Microsoft Azure\Logs\Veeam.Azure.PlatformSvc.log
C:\ProgramData\Veeam\Backup\Plugins\PVE\Veeam.PVE.PlatformSvc.log
C:\ProgramData\Veeam\Backup\Plugins\SCP\Veeam.SCP.PlatformSvc.log

To resolve this issue:

Open the Veeam Backup & Replication Console.
Click the Main Menu (≡), and select Users and Roles.
Add a new user named NT AUTHORITY\SYSTEM
Assign the role Veeam Backup Administrator and enable the check box "This is a service account".

An "Add user" dialog box is open. The "Name" field is set to "NT AUTHORITY\SYSTEM" and the "Role" dropdown is set to "Veeam Backup Administrator." A checkbox is selected for "This is a service account (disables multi-factor authentication)." There are "OK" and "Cancel" buttons at the bottom.

Restart the Veeam Backup Server.

Issue 2: The Veeam Backup Server Certificate is missing the field "Basic Constraints".

Related Log File: C:\ProgramData\Veeam\Backup\Svc.PlatformDbProvider.log

Error Example:

Error (1)    Failed to generate certificate.
Error (1)    The issuer certificate does not have a Basic Constraints extension. (Parameter 'issuerCertificate') (System.ArgumentException)

Secondary Logged Message:

Failed to generate child certificate from Veeam backup server certificate.

Solution for The Veeam Backup Server Certificate is missing the field "Basic Constraints".

^{Affects Veeam Backup & Replication 13.0.1.180}

On Veeam Backup Servers, where the Veeam Backup & Replication software was initially installed using a much older version and has been upgraded over the years, the initial Veeam Backup Server Certificate may not contain the field "Basic Constraints, which may cause issues with Platform Plug-Ins.

This can be identified by reviewing the PlatformDbProvider log file: C:\ProgramData\Veeam\Backup\Svc.PlatformDbProvider.log

Error (1)    Failed to generate certificate.
Error (1)    The issuer certificate does not have a Basic Constraints extension. (Parameter 'issuerCertificate') (System.ArgumentException)

You can view the current Backup server certificate in Main Menu > Options > Security:

The Veeam Backup & Replication Console is shown with the maun menu active and the "Options" menu item is highlighted.

The "Options" window is open to the "Security" tab. Under "Backup server certificate," a self-signed certificate labeled "CN=Veeam Backup Server Certificate" is displayed. There is an "Install..." link on the right side, allowing the user to install a different certificate.

Screenshot of Veeam Backup Server certificate with Basic Constraint field missing with a red faint X over the image to indicate wrong.

Basic Constraint Missing

Screenshot of Veeam Backup Server certificate with the Basic Constraint field present with a green faint checkmark over the image to indicate correct.

Basic Constraint Present

Certificate Regeneration Will Require Updating Other Component Connections

Per the Veeam Backup & Replication User Guide, Backup Server Certificate section:

If you update the TLS certificate used on the backup server, you must also do the following:

If multi-factor authentication is enabled, any Veeam Backup & Replication consoles connected to the backup server must be restarted to avoid connection issues.
If you use Veeam Plug-In for Nutanix AHV, restart the Veeam AHV Service. For more information on restarting services, see Performing Maintenance Tasks.
For RHV Backup proxies, pass through the Edit Red Hat Virtualization Proxy wizard. To do this, in the Backup Infrastructure view, right-click a proxy and select Properties. In the wizard, click Finish.
For VMware clusters, pass through the I/O filter Management wizard as described in section Installing I/O Filter.
For CDP proxies, pass through the Edit CDP Proxy wizard. To do this, in the Backup Infrastructure view, right-click a proxy and select Properties. In the wizard, click Finish.

To avoid potential synchronization issues, make sure that Veeam Agents are synchronized with Veeam Backup & Replication before you change the existing certificate. To learn more, see Rescan Job.
[For protection groups for pre-installed Veeam Agents] If you change the existing certificate, you must export a new package with setup files to deploy Veeam Agents on new computers that you want to add to the protection group.To learn more, see Specifying Packages.

Note: If your environment does not use the default self-signed certificate, you must ensure that the CA-signed certificate you provide to Veeam Backup & Replication contains the Basic Constraints extension, and Subject Type = CA must be set within that extension.

For deployments using the self-signed Veeam Backup Service Certificate, a new one must be generated:

From the Main Menu, click Options

In the Options dialog box, select the Security tab.
On the Security tab, click "Install..." in the "Backup server certificate" section.

In the Certificate creation wizard, select the option for Generate a new certificate, and click Next.

The "Manage Certificate" wizard is open to the "Certificate Type" step. Options are listed for SSL certificate selection: "Keep the existing certificate," "Generate a new certificate" (selected), "Select an existing certificate from the certificate store," and "Import certificate from a file." A description for each choice is provided. The "Next >" button is highlighted at the bottom.

On the Generate Certificate step, leave the friendly name as Veeam Backup Server Certificate, and click Next.

The "Manage Certificate" wizard is open to the "Generate Certificate" step. The user is prompted to enter a friendly name for the new self-signed certificate, with the field set to "Veeam Backup Server Certificate." A note below indicates the certificate will not originate from a trusted certification authority (CA). "Next >" and "Cancel" buttons are visible at the bottom.

On the Summary steps, click Finish.

The "Manage Certificate" wizard is open to the "Summary" step. Certificate details are shown, including name ("Veeam Backup Server Certificate"), issued to, issued by , expiration date, thumbprint, and serial number. The "Finish" button at the bottom right is highlighted, allowing the user to complete the certificate generation process.

After the Certificate wizard closes, you'll be returned to the Veeam Backup & Replication Console where a dialog box will appear stating:
```
Backup server certifcate has been changed.
This console will be restarted.
```
Click OK.

A Veeam Backup and Replication dialog box displays a warning icon and the message: "Backup server certificate has been changed. This console will be restarted." There is an "OK" button at the bottom right.

Restart the Veeam Backup Server.

The Veeam Backup Server must be restarted to cause all services to restart and reinitiate communication.
After the reboot, allow the Veeam-related services time to start. They are set to Automatic (Delayed Start) and may take up to 10 minutes after the machine boots to start fully.
Once all the Veeam-related services are started, launch the Veeam Backup & Replication console and accept the new server certificate.

The Veeam Backup & Replication console login screen prompts the user to specify the backup server, with "localhost" selected. A red warning message below states, "Backup server certificate has been changed." There is a green "Connect" button and a "Save shortcut" link.

The Veeam Backup & Replication console displays an "Untrusted server certificate" warning. It indicates that "Server localhost has an untrusted certificate," showing the certificate thumbprint. There is an option to "View Certificate," and buttons labeled "Yes" and "No" ask, "Trust this server?"

The options to interact with Virtualization Platforms that are added to Veeam Backup & Replication via a Plug-In module (i.e., Nutanix AHV, Red Hat Virtualization, and Oracle Linux Virtualization Manager), should have returned to full functionality.

Issue 3: PlatformDbProvider Service Using Wrong Port

Related Log Files and Examples:

C:\ProgramData\Veeam\Backup\Plugins\PVE\Veeam.PVE.PlatformSvc.log

ERROR | [PlatformService]: Failed to start PlatformService: System.Net.Http.HttpRequestException: No connection could be made because the target machine actively refused it. (localhost:6172)
ERROR | [PlatformService]:  ---> System.Net.Sockets.SocketException (10061): No connection could be made because the target machine actively refused it.

C:\ProgramData\Veeam\Backup\Plugins\RHV\Veeam.RHV.PlatformSvc.log C:\ProgramData\Veeam\Backup\Plugins\AHV\Veeam.AHV.PlatformSvc.log

ERROR | [StorageClient]:  ==> Response "Get" "https://localhost:6172/api", "status: Error", duration: "2 sec 32 msec", body: """"
ERROR | [StorageClient]: Exception accrued during connection attempt: No connection could be made because the target machine actively refused it. (localhost:6172)

Solution for PlatformDbProvider Service Using Wrong Port

^{Affects Veeam Backup & Replication 12.2 and higher}

This issue occurs because the Platform Service (Veeam PVE Service/Veeam AHV Service/Veeam KVM Service) fails to establish a connection to Veeam Backup & Replication over the expected port (6172).

When this occurs, the log Platform Service logs will contain the following:

C:\ProgramData\Veeam\Backup\Plugins\PVE\Veeam.PVE.PlatformSvc.log

ERROR | [PlatformService]: Failed to start PlatformService: System.Net.Http.HttpRequestException: No connection could be made because the target machine actively refused it. (localhost:6172)
ERROR | [PlatformService]:  ---> System.Net.Sockets.SocketException (10061): No connection could be made because the target machine actively refused it.

C:\ProgramData\Veeam\Backup\Plugins\RHV\Veeam.RHV.PlatformSvc.log
C:\ProgramData\Veeam\Backup\Plugins\AHV\Veeam.AHV.PlatformSvc.log

ERROR | [StorageClient]:  ==> Response "Get" "https://localhost:6172/api", "status: Error", duration: "2 sec 32 msec", body: """" 
ERROR | [StorageClient]: Exception accrued during connection attempt: No connection could be made because the target machine actively refused it. (localhost:6172)

Reboot Required

This solution requires the Veeam Backup Server to be rebooted, please plan accordingly.

To resolve the connectivity issue, ensure that the registry value controlling the dbProvider port has been set to the correct port.

Set the following registry value to the correct value as shown:

Key Location: HKLM\SOFTWARE\Veeam\Veeam Backup and Replication\API\DbProvider
Value Name: Port
Value Type: DWORD (32-Bit) Value
Value Data(Decimal): 6172

Set value using PowerShell:

New-ItemProperty -Path 'HKLM:\SOFTWARE\Veeam\Veeam Backup and Replication\API\DbProvider' -Name 'Port' -Value "6172" -PropertyType DWORD -Force
                
            

Reboot the Veeam Backup Server.

If this KB article did not resolve your issue or you need further assistance with Veeam software, please create a Veeam Support Case.

To submit feedback regarding this article, please click this link: Send Article Feedback
To report a typo on this page, highlight the typo with your mouse and press CTRL + Enter.

Spelling error in text

Thank you!

Your feedback has been received and will be reviewed.

Oops! Something went wrong.

Please, try again later.

You have selected too large block!

Please try select less.

KB Feedback/Suggestion

This form is only for KB Feedback/Suggestions, if you need help with the software open a support case

Product

Topic

Description

By submitting, you are agreeing to have your personal information managed in accordance with the terms of Veeam's Privacy Notice.

I would like to receive a follow-up email regarding my feedback

Verify your email to continue your product download

We've sent a verification code to:

An email with a verification code was just sent to

Didn't receive the code? Click to resend in sec

Didn't receive the code? Click to resend

Thank you!

Your feedback has been received and will be reviewed.

Oops! Something went wrong.

Please, try again later.