# SSPI authentication failed for user ## Challenge When the Veeam Backup & Replication Configuration Database is using PostgreSQL, direct interaction with the database may fail with the error: ``` SSPI authentication failed for user ``` Interactions where this may occur include:

- Installing an update to Veeam Backup & Replication. Related: [KB4543:"Failed to connect to the database." Updater Configuration Check](https://www.veeam.com/kb4543) - Performing a [configuration restore](https://helpcenter.veeam.com/docs/backup/vsphere/vbr_config_restore.html). - Attempting to interact directly with the database (e.g., using pgAdmin or pgsql commands).

## Cause This error occurs when the account being used to perform the interaction is not authorized to access the Veeam Backup & Replication configuration database within the PostgreSQL instance. When PostgreSQL is deployed by the Veeam Backup & Replication installer, that PostgreSQL database engine is configured to use [SSPI Authentication](https://www.postgresql.org/docs/current/sspi-auth.html), which allows for access authentication using Windows accounts. The pg\_ident.conf file, which maps Windows accounts to the postgres root user account, is updated to add Windows accounts that should have access to the configuration database. By default, the following Windows accounts are added as authorized to access the database directly:

- The Windows account that was used during the initial install. - The NT AUTHORITY\\SYSTEM account, which is the default account used by the Veeam Backup & Replication services.

Hostname Change Impact

If Veeam Backup & Replication was deployed using a local administrator account, and the hostname was changed after the software was installed, the entry for that local account within the pg_ident.conf file will be invalid.

## Solution #### **Option 1:** Use an Existing Authorized Windows Account Identify which accounts are currently authorized to access the Veeam Backup & Replication configuration database, and perform the action as that user.

1. Open the following file in a text editor: ``` C:\Program Files\PostgreSQL\15\data\pg_ident.conf ``` 2. At the bottom of the file, you will find at least two uncommented lines with a format similar to this example\*: ``` veeam User@Domain postgres ``` *_{\*If the PostgreSQL instance was created by the Veeam Backup & Replication installer. If the PGSQL Instance was user-created, the mapname and pg-username may be different.}* 3. Use the non-SYSTEM account to perform the action that initially failed with the SSPI error.

```bash # Put your actual configuration here # ---------------------------------- # MAPNAME SYSTEM-USERNAME PG-USERNAME veeam Backupsvc@DOMAIN postgres veeam "SYSTEM@NT AUTHORITY" postgres ```

*Example pg\_ident.conf File*

#### **Option 2:** Add a Windows Account to The Authorized Users Lists

Security Considerations

For day-to-day tasks involving Veeam Backup & Replication, a user does **not** need direct access to the Configuration Database. Therefore, from a security standpoint, it may be best to only add accounts to the pg_ident.conf file when absolutely necessary. (Consider assigning a single account as the account that will be used for performing Veeam Backup & Replication updates or Configuration Restores.)

##### **Identify Which Account Was in Use When the SSPI Error Occurred** *These steps assume the SSPI error has recently occurred and is still in the latest log folder.*

1. Navigate to the PostgreSQL log folder. The default PostgreSQL 15 path: **C:\\Program Files\\PostgreSQL\\15\\data\\log** 2. Sort the folder contents by last modified, and open the latest log file. 3. Scroll to the end of the log file and begin scrolling up. Look for entries like this: ``` LOG: no match in usermap "veeam" for user "postgres" authenticated as "pgadmin@VBR12" FATAL: SSPI authentication failed for user "postgres" ``` 4. Take note of the account indicated in the error. (In the example above, the account *pgadmin@VBR12* is listed at the very end of line 1.)

##### **Add Windows Account to pg\_ident.conf**

5. Open the mappings file in a text editor: ``` C:\Program Files\PostgreSQL\15\data\pg_ident.conf ``` 6. Add a new line at the bottom of the file in the following format: *^{Replacing pgadmin@VBR12 with the account you identified in your logs on Step 4.}* ``` veeam pgadmin@VBR12 postgres ``` [https://www.veeam.com/kb4542](https://www.veeam.com/kb4542)