Skip to main content

SSPI authentication failed for user

Challenge

When the Veeam Backup & Replication Configuration Database is using PostgreSQL, direct interaction with the database may fail with the error:

SSPI authentication failed for user

Interactions where this may occur include:

Cause

This error occurs when the account being used to perform the interaction is not authorized to access the Veeam Backup & Replication configuration database within the PostgreSQL instance.

When PostgreSQL is deployed by the Veeam Backup & Replication installer, that PostgreSQL database engine is configured to use SSPI Authentication, which allows for access authentication using Windows accounts. The pg_ident.conf  file, which maps Windows accounts to the postgres root user account, is updated to add Windows accounts that should have access to the configuration database.

By default, the following Windows accounts are added as authorized to access the database directly:

  • The Windows account that was used during the initial install.
  • The NT AUTHORITY\SYSTEM account, which is the default account used by the Veeam Backup & Replication services.

Hostname Change Impact
If Veeam Backup & Replication was deployed using a local administrator account, and the hostname was changed after the software was installed, the entry for that local account within the pg_ident.conf file will be invalid.

Solution

Option 1: Use an Existing Authorized Windows Account

Identify which accounts are currently authorized to access the Veeam Backup & Replication configuration database, and perform the action as that user.

  1. Open the following file in a text editor: 
    C:\Program Files\PostgreSQL\15\data\pg_ident.conf
  2. At the bottom of the file, you will find at least two uncommented lines with a format similar to this example*: 
    veeam   User@Domain   postgres
    *If the PostgreSQL instance was created by the Veeam Backup & Replication installer. If the PGSQL Instance was user-created, the mapname and pg-username may be different.
  3. Use the non-SYSTEM account to perform the action that initially failed with the SSPI error.
# Put your actual configuration here
# ----------------------------------
# MAPNAME       SYSTEM-USERNAME         PG-USERNAME
veeam   Backupsvc@DOMAIN   postgres
veeam   "SYSTEM@NT AUTHORITY"   postgres
Example pg_ident.conf File

Option 2: Add a Windows Account to The Authorized Users Lists



Security Considerations
For day-to-day tasks involving Veeam Backup & Replication, a user does not need direct access to the Configuration Database. Therefore, from a security standpoint, it may be best to only add accounts to the pg_ident.conf file when absolutely necessary. (Consider assigning a single account as the account that will be used for performing Veeam Backup & Replication updates or Configuration Restores.) 

Identify Which Account Was in Use When the SSPI Error Occurred

These steps assume the SSPI error has recently occurred and is still in the latest log folder.

  1. Navigate to the PostgreSQL log folder.
    The default PostgreSQL 15 path: C:\Program Files\PostgreSQL\15\data\log
  2. Sort the folder contents by last modified, and open the latest log file.
  3. Scroll to the end of the log file and begin scrolling up. Look for entries like this: 
    LOG:  no match in usermap "veeam" for user "postgres" authenticated as "pgadmin@VBR12"
FATAL:  SSPI authentication failed for user "postgres"
  4. Take note of the account indicated in the error.
    (In the example above, the account pgadmin@VBR12 is listed at the very end of line 1.)

Add Windows Account to pg_ident.conf
  1. Open the mappings file in a text editor: 
    C:\Program Files\PostgreSQL\15\data\pg_ident.conf
  2. Add a new line at the bottom of the file in the following format:
    Replacing pgadmin@VBR12 with the account you identified in your logs on Step 4.
    veeam   pgadmin@VBR12   postgres

    https://www.veeam.com/kb4542

Back to top