Access Denied Error After Migrating Configuration from MFA-Enabled Server
Challenge
After performing Configuration Restore using the Migration mode from a Configuration Backup created by a Veeam Backup & Replication server that had MFA enabled, login attempts using local accounts cause the Veeam Backup & Replication Console to display the error:
Failed to connect to Veeam Backup & Replication server: Access denied.
Cause
This issue occurs because the local account being used to log in has no Role assigned within the migrated Configuration Database and therefore has no access. The user accounts, their respective roles, and MFA data are stored within the Configuration Database using the use account's SID. While the local account names between the two machines may be the same, the SID is different and is therefore treated as a user that was never assigned a role.
Note: This same issue will impact domain accounts when migrating the configuration to a machine in a different domain that uses the same domain account names as the initial domain to which the original machine was connected.
Solution
Scenario 1: Migrating to a Machine Joined to the Same Domain
If the configuration migration was to a machine joined to the same domain as the original Veeam Backup Server, sign in to the Veeam Backup & Replication Console using a domain account that was assigned a Veeam Backup Administrator role and remove the local accounts associated with the old machine from the Users and Roles panel, then readded local accounts from the new machine as needed.
Scenario 2: Migrating to a Machine That Is Not in a Domain or Joined to a Different Domain
If the configuration migration was to a machine that is not in a domain or is joined to a different domain than the original Veeam Backup Server, review the following options:
Option 1: Perform Configuration Restore Using "Restore" Mode
- Restore the configuration again, and this time select the "Restore" option on the Restore Mode tab.
- During the Configuration Restore, a Warning will be displayed with the following message:
Disabling multi-factor authentication, be sure to enable it back after the recovery.
- After completing the Configuration Restore, sign in to the Veeam Backup & Replication Console using the local Administrator account.
- Open the Users and Roles Security panel.
- Remove Users associated with the old Veeam Backup Server or domain that the machine previously connected to.
- Add accounts as needed and assign their roles.
Remember to assign at least one account the role of Veeam Backup Administrator. - Enable MFA.
Note: Each added account must perform the initial MFA setup steps on the next login.
Option 2: Modify The Configuration Database To Disable MFA
- Use the query below to modify the configuration database, disabling MFA:
KB1443: How to apply a SQL script to Veeam Backup & Replication/Veeam Backup Enterprise Manager Database
For Microsoft SQL:
- Sign in to the Veeam Backup & Replication Console using the local Administrator account.
- Open the Users and Roles Security panel.
- Remove Users associated with the old Veeam Backup Server or domain that the machine previously connected to.
- Add accounts as needed and assign their roles.
Remember to assign at least one account the role of Veeam Backup Administrator. - Enable MFA.
Note: Each added account must perform the initial MFA setup steps on the next login.
Option 3: Override MFA Requirement By Temporarily Assigning Administrator Account as Service Log On
- Open the Services control panel (services.msc)
- Open the properties of the Veeam Backup Service service.
- On the Log On tab, select the option "This account:" and enter Administrator and provide the password for the local Administrator account.
- Restart the Veeam Backup Service service.
- Sign in to the Veeam Backup & Replication Console using the local Administrator account.
- Open the Users and Roles Security panel.
- Remove Users associated with the old Veeam Backup Server or domain that the machine previously connected to.
- Add accounts as needed and assign their role.
Remember to assign at least one account the role of Veeam Backup Administrator. - Enable MFA.
Note: Each added account must perform the initial MFA setup steps on the next login. - Return Veeam Backup Service service's Log On As setting to "Local System account," and restart the service.
To report a typo on this page, highlight the typo with your mouse and press CTRL + Enter.