...
- Open the Credential Manager GUI from the JobScheduler Agent account.
- English: Control Panel -> Credential Manager
- German: Systemsteuerung -> Anmeldeinformationsverwaltung
- Select the Credential Type
Windows Authentication->Generic- Add a generic credential information for a target user with the following input fields:
Intenet or network address- For use with JobScheduler this field holds the "target name" of the credentials.
- You are free to use any characters to specify a unique identifier for the credentials.
User name- The account for the target user can be specified by Unicode characters and digits including space, comma, _, -, \ and @
- For domain users specify the user principal name (UPN) in the format
username@DOMAIN- The format
DOMAIN\usernameis not supported
- The format
Password
- Your input screen should look like this:
- Add a generic credential information for a target user with the following input fields:
Manage credentials with the Command Line Interface
...
Use the following commands to add credentials for a target user:
Code Block language bash title Adding credentials with the cmdkey.exe utility # Add credentials for a local user cmdkey /generic:run_as_jobuser /user:jobuser /pass:password # Add credentials for a domain user cmdkey /generic:run_as_jobuser /user:jobuser@DOMAIN /pass:password # Show all credentials cmdkey /list
Permissions
...
- To manage permissions switch to
- English:
Control panel -> Administrative Tools -> Local Security Policy -> Local Policies -> User Rights Assignment - German:
Systemsteuerung -> Verwaltung -> Lokale Sicherheitsrichlinie -> Lokale Richtlinien -> Zuweisen von Benutzerrechten
- English:
- RightThen right-click a the permission and use the
Properties -> Add user or groupaction .
...
- to add the respective Agent account or target user as explained for the below permissions.
- Just in case that you want to dig into details find references about the constants that are used for privileges from the following links:
...
Permissions for the Agent Account
Apply the following permissions for the account that the Agent is running for:
- Permission:
SE_ASSIGNPRIMARYTOKEN_NAME- English
: Replace a process-level token - German:
Ersetzen eines Tokens auf Prozessebene
- English
- Permission:
SE_INCREASE_QUOTA_NAME- English
: Adjust memory quotas for a process - German:
Anpassen von Speicherkontingenten für einen Prozess
- English
...
If the profile of the target user should be loaded then the Agent account requires the Administrator role, see LoadUserProfile, and the following permissions:
- Permission:
SE_BACKUP_NAME- English:
Back up files and directories - German:
Sichern von Dateien und Verzeichnissen
- English:
- Permission:
SE_RESTORE_NAME- English:
Restore files and directories - German:
Wiederherstellen von Dateien und Verzeichnissen
- English:
...
Permissions for Target User
Assign the following permissions for the target user of the job:
- Permission:
SE_BATCH_LOGON_NAME- English:
Log on as a batch job - German:
Anmelden als Stapelverarbeitungsauftrag
- English:
Error Messages
This chapter is intended to explain common error messages and pitfalls.
- Find a complete reference from System Error Codes
Credential Manager
Error Code: WINDOWS-1168
...
| Code Block | ||||
|---|---|---|---|---|
| ||||
Windows Credential Manager does not return an entry named 'MyCredentialsKey': WINDOWS-1168 (CredRead) Element not found. |
| Code Block | ||||||
|---|---|---|---|---|---|---|
| ||||||
Windows Credential Manager does not return an entry named 'MyCredentialsKey': WINDOWS-1168 (CredRead) Element nicht gefunden. |
icacls
A wrong name has been used for the user account with the Credential Manager. You can use the runas command line utility to check valid user names.
This error message tells you that the credentials key that you added to the job configuration does not match to a respective entry with the Crendential Manager. Possible reasons include wrong spelling or the fact that the credentials have not been added by the Agent account but some different account.
Icacls
Error Code: COM-80020009
| Code Block | ||||
|---|---|---|---|---|
| ||||
COM-80020009 java.lang.RuntimeException: Windows command failed: C:\Windows\System32\icacls.exe => JOBUSER: No mapping between account names and security IDs was done. |
| Code Block | ||||||
|---|---|---|---|---|---|---|
| ||||||
COM-80020009 java.lang.RuntimeException: Windows command failed: C:\Windows\System32\icacls.exe => JOBUSER: Zuordnungen von Kontennamen und Sicherheitskennungen wurden nicht durchgeführt. |
A wrong username has been specfied for the target user with the Credential Manager. You can use the runas command line utility to check valid usernames.
LogonUser
Error Code: WINDOWS-1326
| Code Block | ||||
|---|---|---|---|---|
| ||||
WINDOWS-1326 (LogonUser) Logon failure: The user name or password is incorrect. |
| Code Block | ||||||
|---|---|---|---|---|---|---|
| ||||||
WINDOWS-1326 (LogonUser) Anmeldung fehlgeschlagen: unbekannter Benutzername oder falsches Kennwort. |
Job-User Credentials im Creadentials Store sind falsch.
Eigentlich es kann nur das Kennwort falsch sein, weil im Schritt davor (icacls) der Benutzername bereits akzeptiert wurde (icacls wirft eine Exception, wenn der Benutzername nicht bekannt ist).
Oder man verwendet bei einem Domain Benutzer die falsche Syntax DOMAIN\username statt username@DOMAIN - icacls kann mit DOMAIN\username umgehen, JobScheduler LogonUsernicht (nur username@DOMAIN).
Prüfen z.B. mit runas oder CMD als dieser Benutzer ausführen
| Code Block | ||||
|---|---|---|---|---|
| ||||
WINDOWS-1326 (LogonUser) Logon failure: The user name or password is incorrect. |
| Code Block | ||||||
|---|---|---|---|---|---|---|
| ||||||
WINDOWS-1326 (LogonUser) Anmeldung fehlgeschlagen: unbekannter Benutzername oder falsches Kennwort. |
WINDOWS-1385
DemJob-User fehlt das Recht Log on as a batch job (Anmelden als Stapelverarbeitungsauftrag)Error Code: WINDOWS-1385
| Code Block | ||||
|---|---|---|---|---|
| ||||
WINDOWS-1385 (LogonUser) Logon failure: the user has not been granted the requested logon type at this computer. |
| Code Block | ||||||
|---|---|---|---|---|---|---|
| ||||||
WINDOWS-1385 (LogonUser) Anmeldung fehlgeschlagen: Der Benutzer besitzt nicht den benötigten Anmeldetyp auf diesem Computer. |
- English:
Log on as a batch job - German:
Anmelden als Stapelverarbeitungsauftrag
LoadUserProfile
Error Code: WINDOWS-1314
...
Dem Agent-User fehlen folgende Rechte:
...
| Code Block | ||||
|---|---|---|---|---|
| ||||
WINDOWS-1314 (LoadUserProfile) A required privilege is not held by the client. |
| Code Block | ||||||
|---|---|---|---|---|---|---|
| ||||||
WINDOWS-1314 (LoadUserProfile) Dem Client fehlt ein erforderliches Recht. |
The Agent account are not assigned the following permissions:
- Permission:
x- English:
Back up files and directories - German:
Sichern von Dateien und Verzeichnissen
- English:
- Permission:
xx- English:
Restore files and directories - German:
Wiederherstellen von Dateien und Verzeichnissen
- English:
WINDOWS-5
Agent-User ist kein Administrator
| Code Block | ||||
|---|---|---|---|---|
| ||||
WINDOWS-5 (LoadUserProfile) Access is denied |
| Code Block | ||||||
|---|---|---|---|---|---|---|
| ||||||
WINDOWS-5 (LoadUserProfile) Zugriff verweigert |
...