Authentication Security Settings
The following section provides guidance to help you address authentication and security-related issues when using Arcserve Backup. Because symptoms of security-related issues vary widely, this section includes possible resolutions only.
Possible Resolutions
The following list of resolutions can help you address security-related issues:
- Ensure that Arcserve Backup has properly authenticated the caroot account. Use the Server Configuration Wizard to perform this authentication. Select the Password for Backup Server Logon and Administration option to set the caroot account and password.
- Ensure that the Arcserve Backup folder is shared with:
  - Administrator--Full Control
  - Arcserve Backup System Account--Full Control
  - Backup Operators--Change and Read
- If you are unsure which rights your backup account needs to perform storage functions in your environment, consider the following information.
  - If you are backing up only your local Arcserve Backup server, the Arcserve Backup System account configured at installation has sufficient rights (Administrator and Backup Operator).
  - If you are backing up remote data within your domain (through the Client Agent for Windows or through the network facility of Arcserve Backup), your backup account requires additional rights. The following is a general outline of common permissions necessary for a powerful backup account. You can tailor your backup account to match your needs, and some rights may not be required in your environment.

    Note: Security requirements for storage-related functions depend on the resources accessed. Windows security rules and requirements should be considered at all times.

  - The backup account should have the following Group Rights:
    - Administrator
    - Backup Operator
    - Domain Administrator
  - The backup account should have the following Advanced Rights:
    - Act as part of Operating System
    - Log on Locally
    - Log on as a service
- When Arcserve Backup prompts you to enter security information within a domain, always use domain\username as the context.
- If you have established a connection between two computers with one login/password session, Session Credential Conflicts can occur if you attempt to establish a second connection with the same login/password session. Consider any existing sessions you may have and how they may affect Arcserve Backup's ability to access a resource.
- The security entered in Arcserve Backup jobs is static and does not update dynamically if the Windows security account information changes at the operating system level. If you change the account information packaged in your Arcserve Backup jobs, you must modify the jobs and repackage them with the proper security information.
- You must back up remote Registry and System State information through the Arcserve Backup Client Agent for Windows.
- If you manually stopped and restarted the CA Remote Procedure Call service (CASportmap) without using the cstop and cstart commands, the service cannot communicate with its port assignments properly. This can prevent a user account with caroot equivalence from logging in to the Arcserve Backup domain.
  - To remedy the inability to log in to the Arcserve Backup domain, run the cstop command and then run the cstart command. This enables the service to communicate properly and lets the user account with caroot equivalence log in to the Arcserve Backup domain.
Note: A user in the Backup Operator Group does not have rights to access the Arcserve Backup database. As a result, member servers are not visible to the user in the Backup Manager.
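
To see which of the Advanced Rights listed above a backup account actually holds, for example when tailoring the account down from the general outline, the following added PowerShell example (not part of the Arcserve documentation) parses a user-rights export from the standard Windows secedit tool. The function names are hypothetical, the SIDs and export text are constructed sample data, and the Se* names are the Windows constants for the three rights.

```powershell
# Constructed sample data: the SIDs and export text below are not from a real host.
# Real input: secedit /export /cfg C:\Temp\rights.inf /areas USER_RIGHTS
$RequiredRights = [ordered]@{   # the three Advanced Rights, by Windows constant name
    SeTcbPrivilege          = 'Act as part of the operating system'
    SeInteractiveLogonRight = 'Log on locally'
    SeServiceLogonRight     = 'Log on as a service'
}

function Get-UserRightAssignment {
    param([string]$InfText)
    $rights = @{}; $inSection = $false
    foreach ($line in ($InfText -split '\r?\n')) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if ($inSection -and $t -match '^(\w+)\s*=\s*(.*)$') {
            $name = $Matches[1]
            # Holders are comma-separated; SIDs carry a leading '*', account names do not.
            $rights[$name] = @($Matches[2] -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
        }
    }
    $rights
}

function Test-BackupAccountRights {
    # $Identity: the account's SID or name, plus SIDs of the groups it belongs to.
    param([string]$InfText, [string[]]$Identity)
    $assigned = Get-UserRightAssignment -InfText $InfText
    foreach ($right in $RequiredRights.Keys) {
        # A right that nobody holds can be absent from the export.
        $holders = if ($assigned.ContainsKey($right)) { $assigned[$right] } else { @() }
        [pscustomobject]@{
            Right   = $right
            Meaning = $RequiredRights[$right]
            Granted = [bool]($holders | Where-Object { $Identity -contains $_ })
            Holders = $holders -join ', '
        }
    }
}

$sampleInf = @'
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551
SeServiceLogonRight = *S-1-5-20,*S-1-5-21-1111111111-2222222222-3333333333-1105
[Version]
signature="$CHICAGO$"
'@
Test-BackupAccountRights -InfText $sampleInf -Identity @(
    'S-1-5-21-1111111111-2222222222-3333333333-1105', 'S-1-5-32-551')
```

With the sample data, SeTcbPrivilege is reported as not granted because the export lists no holder for it, while the other two rights are granted directly or through the Backup Operators group SID.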