If you are using an embedded PostgreSQL database and a Windows user different from the user used for the first installation of Veeam Backup & Replication, you may have an error during the upgrade/update process.
This error occurs when the account being used to perform the interaction is not authorized to access the Veeam Backup & Replication configuration database within the PostgreSQL instance.
During the upgrade phase you have to specify the database connection information:
But you may have an error, like this: SSPI authentication failed for user “VEEAM-SERVER\Root“, where VEEAM-SERVER is the hostname of your Veeam Backup Server and Root is the administrative user that you are using for the upgrade.
The Veeam KB 4542 describe the issue: https://www.veeam.com/kb4542
When PostgreSQL is deployed by the Veeam Backup & Replication installer, that PostgreSQL database engine is configured to use SSPI Authentication, which allows for access authentication using Windows accounts. You can found this configuration in the pg_hba.conf file located in C:\Program Files\PostgreSQL\15\data\ folder.
By default, the following Windows accounts are added as authorized to access the database directly:
- The Windows account that was used during the initial install. You should always use this account during future update/upgrade.
- The NT AUTHORITY\SYSTEM account, which is the default account used by the Veeam Backup & Replication services.
If you need to performa the upgrade process with a different user, you should add this Windows account to the pg_ident.conf file
- Open the mappings file in a text editor: C:\Program Files\PostgreSQL\15\data\pg_ident.conf
- Add a new line at the bottom of the file in the following format:
Replacing Root@VEEAM-SERVER with the account you are using for the update/upgrade
veeam Root@VEEAM-SERVER postgres - Restart PostgreSQL service and continue the Veeam upgrade procedure
The user mapping error shows the username format precisely as PostgreSQL expects it to appear in the pg_ident.conf mapping file.
For day-to-day tasks involving Veeam Backup & Replication, a user does not need direct access to the Configuration Database. Therefore, from a security standpoint, it may be best to only add accounts to the pg_ident.conf file when absolutely necessary (consider assigning a single account as the account that will be used for performing Veeam Backup & Replication updates or Configuration Restores).