Scope

  • The Universal Agent for Windows frequently runs in the system account or a service account and executes jobs within the context and with the permissions of this account.
  • Running a job as a different user involves logging in as that user, optionally loading the user profile, and executing commands in this context.
  • User switching applies to
    • All job types (standalone jobs and job chain jobs)
    • Shell Jobs
    • API jobs in any of the supported languages
    • Pre-processing and post-processing Monitors
  • This article applies to the Universal Agent for Windows only. For Unix environments there is no need for scheduler based user switching as the built-in sudo and su capabilities provide this functionality.
  • Feature availability: starting from release 1.11.4, see JS-861.

Introduction

  • For user switching the Agent has to be operated for a user account or service account, not for the system account.
  • The credentials of the target user for which a job should be executed are not stored with the JobScheduler configuration data. Instead, the account that runs the JobScheduler Windows Service stores the credentials with the Windows Credential Manager. When a job is to be executed, the JobScheduler Agent reads the credentials from the Windows Credential Manager. Reading credentials that have previously been stored using the same account works without the need to specify a password. Therefore no passwords have to be specified with the JobScheduler configuration.
  • A login is performed with the target user credentials and the user's environment is active when executing the job.

...

  • Open a Windows console window (cmd.exe) for the JobScheduler Agent account.
  • Use the following commands to add credentials for a target user:

...


Code Block: Adding credentials with the cmdkey.exe utility

rem Add credentials for a local user
cmdkey /generic:run_as_jobuser /user:JOBUSER /pass:PASSWORD

rem Add credentials for a domain user
cmdkey /generic:run_as_jobuser /user:JOBUSER@DOMAIN /pass:PASSWORD

rem Show a list of all credentials
cmdkey /list

 


Permissions

Permissions are required for the JobScheduler Agent account and for the target user of a job.

...

This error message tells you that the credentials key that you added to the job configuration does not match a corresponding entry in the Credential Manager. Possible reasons include a misspelled key or the fact that the credentials have been added not by the Agent account but by a different account.

 

Error Code: COM-80020009 (Unsupported character in Windows user name)

Code Block: COM-80020009 Unsupported character in Windows user name

COM-80020009 java.lang.IllegalArgumentException: requirement failed: Unsupported character in Windows user name: 'MYDOMAIN\JOBUSER'

  • The account for the target user must be specified by Unicode characters and digits including space, comma, _, - and @
  • For domain users specify the user principal name (UPN) in the format username@DOMAIN

...

Code Block: German

COM-80020009 java.lang.RuntimeException: Windows command failed: C:\Windows\System32\icacls.exe => JOBUSER: Zuordnungen von Kontennamen und Sicherheitskennungen wurden nicht durchgeführt.

...


A wrong user name has been specified for the target user with the Credential Manager. Check the Credential Manager for use of a valid user name and password.

...

Code Block: German: WINDOWS-1326

WINDOWS-1326 (LogonUser) Anmeldung fehlgeschlagen: unbekannter Benutzername oder falsches Kennwort.

...


Wrong credentials have been used for the target user. The problem is related to the credentials that have previously been stored with the Credential Manager.

...

Code Block: German: WINDOWS-1385

WINDOWS-1385 (LogonUser) Anmeldung fehlgeschlagen: Der Benutzer besitzt nicht den benötigten Anmeldetyp auf diesem Computer.

...


The target user for the job is not assigned the following permission:

  • Permission: SE_BATCH_LOGON_NAME
    • English: Log on as a batch job
    • German: Anmelden als Stapelverarbeitungsauftrag

...

Code Block: German: WINDOWS-5

WINDOWS-5 (CreateEnvironmentBlock) Zugriff verweigert

 


  • Such problems can occur if, at the time of process start for the target user, an interactive Windows application is open for that target user or the target user is logged in on the same machine that the Agent is operated for, e.g. when using the runas utility in a console window or when starting a browser for the target user. The user could be logged in for an interactive session or as a Windows service.
  • This problem does not occur when a number of parallel jobs for the target user are executed by an Agent.

...

Code Block: German: WINDOWS-1314

WINDOWS-1314 (LoadUserProfile) Dem Client fehlt ein erforderliches Recht.

...


The Agent account is not assigned one or more of the following permissions: 

  • Permission: SE_BACKUP_NAME

    • English: Back up files and directories
    • German: Sichern von Dateien und Verzeichnissen
  • Permission: SE_RESTORE_NAME

    • English: Restore files and directories
    • German: Wiederherstellen von Dateien und Verzeichnissen
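
A pre-flight check for the permissions and the credentials key named in the error descriptions above, as an added PowerShell example that is not part of the original article or of JobScheduler. It maps SE_BATCH_LOGON_NAME, SE_BACKUP_NAME and SE_RESTORE_NAME to the names used in a secedit export of the local policy; AGENTUSER is a placeholder for the Agent account, and rights granted through group membership are reported only as not directly assigned.

```powershell
# Added example, not part of JobScheduler. Run elevated, as the Agent account.
# Assumption: AGENTUSER is a placeholder for the Agent service account; JOBUSER
# and run_as_jobuser are the sample user and credentials key used on this page.
$AgentAccount  = 'AGENTUSER'
$TargetUser    = 'JOBUSER'
$CredentialKey = 'run_as_jobuser'

# Rights named in the error descriptions, under their names in the policy export
$required = @(
    @{ Account = $TargetUser;   Right = 'SeBatchLogonRight';  Error = 'WINDOWS-1385 (LogonUser)' }
    @{ Account = $AgentAccount; Right = 'SeBackupPrivilege';  Error = 'WINDOWS-1314 (LoadUserProfile)' }
    @{ Account = $AgentAccount; Right = 'SeRestorePrivilege'; Error = 'WINDOWS-1314 (LoadUserProfile)' }
)

function Get-UserRightsTable {
    # Export the local user rights assignment and parse "SeXxx = *SID,*SID,name" lines
    $cfg = Join-Path $env:TEMP ('user_rights_{0}.inf' -f [guid]::NewGuid())
    try {
        secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        $table = @{}
        foreach ($line in Get-Content -Path $cfg) {
            if ($line -match '^\s*(Se\w+)\s*=\s*(.+)$') {
                $table[$Matches[1]] = @($Matches[2] -split ',' |
                    ForEach-Object { $_.Trim().TrimStart('*') })
            }
        }
        $table
    } finally {
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }
}

function Resolve-Sid([string]$Account) {
    # Throws if the name cannot be mapped to a security ID
    $nt = New-Object System.Security.Principal.NTAccount($Account)
    $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

$rights = Get-UserRightsTable
foreach ($r in $required) {
    $holders = @($rights[$r.Right])
    $direct  = ($holders -contains (Resolve-Sid $r.Account)) -or ($holders -contains $r.Account)
    $status  = if ($direct) { 'assigned' } else { 'not assigned directly, check group membership' }
    '{0,-19} {1,-10} {2} (if missing: {3})' -f $r.Right, $r.Account, $status, $r.Error
}

# Credentials stored by a different account are not visible to the Agent account
$pattern  = 'target=' + [regex]::Escape($CredentialKey) + '\s*$'
$keyFound = [bool]((cmdkey.exe /list) -match $pattern)
'Credentials key {0} for {1}: {2}' -f $CredentialKey, (whoami.exe), $(if ($keyFound) { 'found' } else { 'not found' })
```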

Error Code: WINDOWS-5 (LoadUserProfile)

Code Block: English: WINDOWS-5

WINDOWS-5 (LoadUserProfile) Access is denied

Code Block: German: WINDOWS-5

WINDOWS-5 (LoadUserProfile) Zugriff verweigert
 


Common causes for this error include:

  • The job is configured to load the target user profile but the Agent account is not assigned the Administrator role.

  • This role is required for the Agent account if the target user profile should be loaded.

...

Code Block: jobscheduler_agent_<port>.log (Access is denied)

[info] SCHEDULER-726 Task runs on remote scheduler http://localhost:<port>
[info] SCHEDULER-918 state=starting (at=2017-08-02 15:00:47.803+0200)
[info] [stderr] log4j:ERROR setFile(null,true) call failed.
[info] [stderr] java.io.FileNotFoundException: <agent_data>\logs\jobscheduler_agent_<port>.log (Access is denied)
[info] [stderr] at java.io.FileOutputStream.open0(Native Method)
[info] [stderr] at java.io.FileOutputStream.open(Unknown Source)
[info] [stderr] at java.io.FileOutputStream.<init>(Unknown Source)
[info] [stderr] at java.io.FileOutputStream.<init>(Unknown Source)
[info] [stderr] at org.apache.log4j.FileAppender.setFile(FileAppender.java:294)
[info] [stderr] at org.apache.log4j.FileAppender.activateOptions(FileAppender.java:165)
[info] [stderr] at org.apache.log4j.DailyRollingFileAppender.activateOptions(DailyRollingFileAppender.java:223)
[info] [stderr] at org.apache.log4j.config.PropertySetter.activate(PropertySetter.java:307)
[info] [stderr] at org.apache.log4j.xml.DOMConfigurator.parseAppender(DOMConfigurator.java:295)
[info] [stderr] at org.apache.log4j.xml.DOMConfigurator.findAppenderByName(DOMConfigurator.java:176)
[info] [stderr] at org.apache.log4j.xml.DOMConfigurator.findAppenderByReference(DOMConfigurator.java:191)
[info] [stderr] at org.apache.log4j.xml.DOMConfigurator.parseChildrenOfLoggerElement(DOMConfigurator.java:523)
[info] [stderr] at org.apache.log4j.xml.DOMConfigurator.parseCategory(DOMConfigurator.java:436)
[info] [stderr] at org.apache.log4j.xml.DOMConfigurator.parse(DOMConfigurator.java:1004)
[info] [stderr] at org.apache.log4j.xml.DOMConfigurator.doConfigure(DOMConfigurator.java:872)
[info] [stderr] at org.apache.log4j.xml.DOMConfigurator.doConfigure(DOMConfigurator.java:778)
[info] [stderr] at org.apache.log4j.helpers.OptionConverter.selectAndConfigure(OptionConverter.java:483)
[info] [stderr] at org.apache.log4j.LogManager.<clinit>(LogManager.java:127)
[info] [stderr] at org.slf4j.impl.Log4jLoggerFactory.getLogger(Log4jLoggerFactory.java:64)
[info] [stderr] at org.slf4j.LoggerFactory.getLogger(LoggerFactory.java:285)
[info] [stderr] at com.sos.scheduler.engine.common.scalautil.Logger$.apply(Logger.scala:104)
[info] [stderr] at com.sos.scheduler.engine.taskserver.TaskServerMain$.<init>(TaskServerMain.scala:22)
[info] [stderr] at com.sos.scheduler.engine.taskserver.TaskServerMain$.<clinit>(TaskServerMain.scala)
[info] [stderr] at com.sos.scheduler.engine.taskserver.TaskServerMain.main(TaskServerMain.scala)
[info] [stderr] log4j:ERROR Either File or DatePattern options are not set for appender [file].

 


A common cause for this error is that the Agent account is not assigned read/write permissions for the file jobscheduler_agent_<port>.log.

This problem might occur after switching the account of the Agent Windows Service. To remedy this situation add read/write permissions to the Agent account and target user.