Veeam Cloud Connect jobs fail with "Authentication failed because the remote party has closed the transport stream" error

Challenge

After upgrade of Veeam Backup & Replication on the Veeam Cloud Connect service provider's backup server to version 10, tenant jobs may start failing with the following error: "Authentication failed because the remote party has closed the transport stream". At the same time, the Svc.VeeamCloudConnect.log log file displays the following error: "A call to SSPI failed, see inner exception".

The issue can be spotted in the following logs:

Job.log (on the tenant side)

[15.06.2020 11:00:00] <01> Error    Authentication failed because the remote party has closed the transport stream. (System.IO.IOException)
[15.06.2020 11:00:00] <01> Error       at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
...
[15.06.2020 11:00:00] <01> Error       at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
[15.06.2020 11:00:00] <01> Error       at Veeam.Backup.Core.CSocketInvokerClient.InvokeImpl(TcpClient client, CSocketInvokerParams args, Int32 threadId)
[15.06.2020 11:00:00] <01> Error       at Veeam.Backup.Core.CSocketInvokerClient.TryInvoke(CSocketInvokerParams invokerParams)

Svc.VeeamCloudConnect.log (on the service provider side)

[15.06.202011:00:00] <234> Error    A call to SSPI failed, see inner exception. (System.Security.Authentication.AuthenticationException)
[15.06.202011:00:00] <234> Error       at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, Exception exception)
[15.06.202011:00:00] <234> Error       at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
...
[15.06.202011:00:00] <234> Error       at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
[15.06.202011:00:00] <234> Error       at Veeam.Backup.CloudService.CSocketInvokerServerProtocol.InvokeImpl(SPerfomanceCounterInvokerInfo& perfCounterInfo)
[15.06.202011:00:00] <234> Error       at Veeam.Backup.CloudService.CCloudPerfomanceCountersCollector.CollectInvokerPerfomanceCounter(PerfomanceCounterAction invoker)
[15.06.202011:00:00] <234> Error       at Veeam.Backup.CloudService.CSocketInvokerServerProtocol.Invoke()
[15.06.202011:00:00] <234> Error    The specified data could not be decrypted (System.ComponentModel.Win32Exception)

Cause

Windows updates related to a new .Net Framework enforce a security check and do not allow to establish a secure connection between Veeam backup servers on the tenant side and service provider side using a weak Diffie-Hellman Ephemeral (DHE) key.

Solution

Install recommended Windows updates on the tenant Veeam Backup & Replication server or Veeam Agent for Microsoft Windows machines. For details, see https://support.microsoft.com/en-us/help/3061518/ms15-055-vulnerability-in-schannel-could-allow-information-disclosure.