Link Search Menu Expand Document
Veeam

Authentication and authorization

This section contains settings regarding authentication and authorization that you must consider when deploying the VSPC.

  1. Portal Users & Administrators
  2. Multi-Factor Authentication (MFA)
  3. Single Sign-On Authentication (SSO)

1. Portal Users & Administrators

By default, the only user that can access the Administrator Portal on behalf of a Service Provider is the Portal Administrator. VSPC grants this role to members of the Local Administrators user group on the machine where the VSPC Server component is installed. It is highly recommended to change this and instead make use of dedicated Active Directory security groups.

  1. In Active Directory Users and Groups create a new group called VSPC Admins.

    Dedicated VSPC account

  2. Also in Active Directory Users and Groups, create a dedicated user account for each Administrator that requires access to the VSPC and add it to the AD security group we just created.

    Dedicated VSPC account Dedicated VSPC account

  3. Login to VSPC using the Windows Local Administrator account and go to Configuration -> Roles and Users.
    Under My Company select Windows Users and click New to enter the wizard.

  4. At the Account step look for the VSPC Admins group.
    Select the group and Click Next.

    Dedicated VSPC account

  5. At the Role step click in the dropdown list and select Portal Administrator. Click Next.

    Dedicated VSPC account

  6. Click Finish to add the AD group.

    Dedicated VSPC account

  7. To be able to log in to the VSPC Web UI, users or groups must be specified in the Allow log on locally security policy setting on the machine where the VSPC Server component is installed.
    Go to Start Menu -> Run -> type secpol.msc to open the Local Security Policy.
    Under Local Policies -> User Rights Assignment edit the Allow to log on locally properties and add the AD security group with the Portal Administrators.

    Allow log on locally to VSPC Admins

  8. Now you can go back to the console url and login using the DOMAIN\USER format.

2. Multi-Factor Authentication (MFA)

For additional security of user accounts, it highly recommended to enable MFA. By default it’s up to the user on whether to configure MFA for the account or not, however MFA can also be enforced by the portal administrator. It is a best practice to enforce MFA for all users and groups with the Portal Administrator role.

Note: If you configure MFA for an account that is used for API integration, make sure to first configure an API key or the integration will stop working.

Guide: Configuring Multi-Factor authentication

3. Single Sign-On Authentication (SSO)

VSPC supports SSO authentication based on the SAML 2.0 protocol. This way service providers and resellers (from within the VSPC) can leverage their existing SSO service in order to not work with local users or yet another user domain. Administrators, resellers and end-users can access the VSPC without the need to provide credentials.

Guide: Configuring SSO authentication

SSO configuration examples:

Back to top

Copyright © 2019-2021 Solutions Architects, Veeam Software.