
Invalid Credentials “Fix Failed to Connect a Hyper-V Standalone to Veeam Backup”


Before you can use a Microsoft Hyper-V host as a source or target for backup, you must add it to the backup infrastructure. In this guide I will discuss “Invalid Credentials: Fix Failed to Connect a Hyper-V Standalone to Veeam Backup”. Please see Pleasant User Group Permission and User Access, and how to Set up Veeam Backup for Microsoft Azure. See how to Install Veeam Backup and Replication with the default PostgreSQL and How to Grant Local Admin Permissions to a Group [Part 1].

Note: You can connect standalone Hyper-V hosts, Hyper-V clusters or SCVMM servers. If a Hyper-V host is part of a cluster or SCVMM, it is recommended that you add the cluster or SCVMM to the backup infrastructure, not the standalone Hyper-V host.

If you plan to migrate VMs between hosts in the cluster or SCVMM, you will not have to reconfigure jobs in Veeam Backup & Replication. Veeam Backup & Replication will automatically locate migrated VMs and continue processing them as usual.

Also, see how to Enable and Disable WMI Traffic through Windows CMD, and Fix VMware vCenter converter standalone started but not running.

Why was the error “Failed to connect to host (IP Address), Access denied or Time out” prompted?

When you try to add a Hyper-V server to the inventory in Veeam Backup and Replication, this might fail with the following error.

Error “Failed to connect to host (IP Address), Access denied or Timeout expired. Check if you have local administrative privileges on the computer.” As you can see below, the possible reasons given are not of much help, as this is a valid Hyper-V server and the credentials are correct, as we will see shortly in the Windows Event Log.

Among other prerequisites to keep in mind, there is a Microsoft update that hardened DCOM security. Microsoft enforced this update in March of 2023, which prevents a non-domain-joined Veeam server from passing the target server’s local admin credentials through to join it to the backup infrastructure.


Note: The Distributed Component Object Model (DCOM) Remote Protocol is a protocol for exposing application objects using remote procedure calls (RPCs). DCOM is used for communication between the software components of networked devices.

Other Prerequisites to meet

Below are some prerequisites that must be met before trying to manage a Hyper-V server that is part of a domain from a VBR server that is part of a workgroup. Applying the latest update might not be sufficient. You will find this being discussed in the Veeam Forum and Community.

1: File and Printer Sharing must be enabled and allowed through Windows Firewall. If this is not done, you will get the error below: network path not found or invalid credential.

Note: The images have been updated for a different lab environment, and as such I have decided to update this section.


To fix this, the VBR server needs to be able to access the Hyper-V shares. Navigate to the Hyper-V server.

Turn on Sharing for everyone.

Now, you should be able to access the share from the VBR server.


2: The account used must have local Administrator permissions on the target machine. If you are using the built-in Local Administrator account, rename the account as an extra precaution, so that a potential hacker will find the account name difficult to guess.

When your organisation does not allow you (e.g. global security policy) to use the built-in local administrator account, you can create a new local account and give it administrative access. Make sure the Local Administrator account is highly secure in this case.

The downside of creating a new administrative local account is that you will need to disable Remote User Account Control (UAC). This is because Windows prevents local accounts from running in an elevated mode when connecting from the network. Veeam accesses the ADMIN$ and C$ shares through the Installer Service with the local account you provided while adding the Windows server to the infrastructure in Veeam Backup & Replication. See point 4 below for more information.

3: Ensure you are able to perform Hyper-V name resolution over NetBIOS.

4: Optional [Disable Remote UAC ONLY if you have a new local admin account created]

Under UAC, all accounts in the local Administrators group run with a standard user access token, which is known as UAC access-token filtering. An administrator account can run a script with elevated privileges using “Run as Administrator”. Some securable objects may not allow a standard user to perform tasks and offer no means to alter the default security.

In this case, you may need to disable Remote UAC so that the local user account is not filtered and instead becomes a full administrator. This is the downside of creating a new administrative local account, because Windows prevents local accounts from running in an elevated mode when connecting from the network.

To do this, launch the Windows Registry Editor on the Hyper-V (repository) server and disable Remote UAC by editing the following registry path.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

Create a new DWORD Value


Name it “LocalAccountTokenFilterPolicy” and give it a value of 1. A server restart is not required in this case.
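
The same registry change made from PowerShell, as an added example that is not part of the original article: it sets the value only when the Veeam account is a local administrator other than the built-in one. The account name svc-veeam is a placeholder.

```powershell
# Added example (not from the original article). Run elevated on the Hyper-V host.
# 'svc-veeam' is a placeholder for the local account you give to Veeam.
$VeeamAccount = 'svc-veeam'
$key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$name = 'LocalAccountTokenFilterPolicy'

$user = Get-LocalUser -Name $VeeamAccount -ErrorAction Stop

# The built-in Administrator always has a SID ending in -500, even after a rename.
$isBuiltIn = $user.SID.Value -match '-500$'

# S-1-5-32-544 is the well-known SID of the local Administrators group.
$isAdmin = [bool](Get-LocalGroupMember -SID 'S-1-5-32-544' |
    Where-Object { $_.SID.Value -eq $user.SID.Value })

# $null when the value has never been created.
$current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name

if ($isBuiltIn) {
    "Built-in Administrator in use: leave $name as it is (current value: $current)."
}
elseif (-not $isAdmin) {
    Write-Warning "$VeeamAccount is not in the local Administrators group; fix that first."
}
elseif ($current -eq 1) {
    "$name is already 1; remote UAC filtering is off."
}
else {
    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
    "$name set to 1. No restart is required."
}

# To restore the default behaviour later:
# Remove-ItemProperty -Path $key -Name $name
```

The value applies to every account in the local Administrators group on that host, not only the one Veeam uses.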


Event Log “The server side authentication level does not allow the user to activate DCOM”

Even with the above, you will still not be able to add the Hyper-V host to the VBR inventory if you have not properly patched the VBR and Hyper-V servers to include the Microsoft DCOM hardening, which we will discuss in the solution section below. Without it, the credentials cannot be validated.

If you find the following error in your log “The server's authentication level policy does not allow the HOST\Administrator SID (xxxxxxx) from address xxx.xxx.xxx.xxx to activate the DCOM server. Increase activation authentication level by at least RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in application”,

If you are still experiencing the same issue, I suggest checking the HyperV event log. Although this issue can be tricky to resolve, taking a look at the event log will help you save time.

As you can see from the Security logs, the account could log in but was logged off.

Also, you can see below that the computer attempted to validate the credential without errors.
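
One way to pull those entries from the Hyper-V host with PowerShell, as an added example that is not part of the original article. It assumes the DCOM rejection is logged in the System log as event ID 10036 (the server-side event Microsoft documents in KB5004442) and pairs each rejected address with successful logons (Security event 4624) from the same address.

```powershell
# Added example (not from the original article). Run elevated on the Hyper-V host.
$since = (Get-Date).AddDays(-1)

# Server-side DCOM hardening rejections (event ID 10036 per Microsoft KB5004442).
$dcom = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-DistributedCOM'
    Id           = 10036
    StartTime    = $since
}

# Pull the client address out of the message text quoted in the article
# ("... from address x.x.x.x to activate ...") and count rejections per address.
$byAddress = $dcom |
    ForEach-Object { if ($_.Message -match 'from address (\S+)') { $Matches[1] } } |
    Group-Object

if (-not $byAddress) { 'No DCOM hardening rejections logged in the last 24 hours.' }

foreach ($group in $byAddress) {
    $addr = $group.Name

    # Successful logons (4624) recorded from the same client address.
    $xpath  = "*[System[(EventID=4624)]] and *[EventData[Data[@Name='IpAddress']='$addr']]"
    $logons = @(Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents 50 `
                    -ErrorAction SilentlyContinue |
                Where-Object { $_.TimeCreated -ge $since })

    # A successful logon next to a DCOM rejection means the credentials are valid
    # and the activation authentication level is what blocks the connection.
    [pscustomobject]@{
        ClientAddress    = $addr
        DcomRejections   = $group.Count
        SuccessfulLogons = $logons.Count
        LikelyCause      = if ($logons.Count) { 'DCOM hardening: update VBR and Hyper-V' }
                           else { 'Check credentials and network first' }
    }
}
```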


Here is a guide on “Enable HyperV on Windows: How to install Windows 11 on HyperV“. See how to fix “An error occurred while attempting to connect to the server: Check if the Virtual Machine Management service is running or you are not authorized to connect to this server“.

Solution to fixing “Failed to connect to host (IP Address), Access denied or Timeout expired”

To help reduce app compatibility issues, Microsoft has automatically raised the authentication level for all non-anonymous activation requests from Windows-based DCOM clients to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY at a minimum.

With this change, most Windows-based DCOM client requests will be automatically accepted with DCOM hardening changes enabled on the server side without any further modification to the DCOM client.

The resolution is to install Microsoft KB 5005102 on the Veeam server: Microsoft Update Catalog. Thankfully, you do not need to search for this KB to have it installed, because the patch will continue to be included in the cumulative updates!


Validate HyperV host Credential

Proceed to validate your credentials once again. This should succeed as shown below.


Click Next to proceed.


Review your settings and apply.


You can click Finish on the fly or click on Next to have a look at the summary page.


Click Finish to complete adding the Hyper-V host to the inventory in Veeam Backup and Replication.


The step below is not relevant to the issue at hand, but I would like to show you how this was done in the past, before the hardening introduced by Microsoft.

Do Not Perform this step: Grant remote DCOM access, activation, and launch rights to the account

The good thing here is that you do not have to manually complete this step anymore, that is, explicitly grant remote DCOM access, activation, and launch rights to the account. This is due to the Microsoft hardening discussed above: most Windows DCOM clients will automatically work with DCOM hardening changes on the server side without any further modification to the DCOM client.

All you need to do is update your VBR server and Hyper-V node; you should then be able to add the Hyper-V host to the Veeam inventory.

Note: Even when you manually grant remote DCOM access, activation, and launch rights to the account, the host credential validation will fail. Microsoft recommends that clients must meet this hardening requirement.

But if you wish to learn the steps, here they are. You can never tell whether you will have to do this again in the future if Microsoft changes things around.

Launch component services or run dcomcnfg from the command line to launch the Component Services window.


Right-click My Computer and select Properties to launch the My Computer Properties dialog box.


Select the COM Security tab.

If the group or user for which you want to configure access permissions is not listed, you must add it.

Note: This is just a test account and just to show you how you would have explicitly granted remote DCOM access, activation, and launch rights to the account.


Select the account and ensure you assign the right permission.


Click the Edit Limits button in the Access Permissions section to launch the Access Permission dialog box. Assign all permissions.


As you can see, the permissions have been assigned. This is how you would have granted remote DCOM access, activation, and launch rights to the account.


As I said before, even when you manually perform these steps, the credential validation will still fail. This is because Microsoft has changed the approach and all clients must be compliant.

I hope you found this article on “Invalid Credentials “Fix Failed to Connect a Hyper-V Standalone to Veeam Backup”” very useful. Please feel free to leave a comment below.
