Introduction

• The JS7 Agent for Windows is frequently run in the system account or in a service account and will execute jobs within the context and permissions of this account.
• Running a job as a different user involves loging in as that user, optionally loading the user profile and executing commands in this context.
• User switching applies to Shell Jobs.
• This article applies to the JS7 Agent for Windows only. For Unix environments there is no need for Agent based user switching as the built-in sudo and su capabilities provide this functionality.

Basics

• For user switching, the JS7 Agent has to be operated using a user account or a service account, not the system account.
• The credentials of the target user for which a job should be executed are not stored with job configuration. Instead the account that runs the JS7 Agent Windows Service stores credentials with the Windows Credential Manager. When a job should be executed then the JS7 Agent reads the credentials from the Windows Credential Manager. Reading credentials that have previously been stored using the same account works without needing to specify a password. Therefore the solution is free from the use of passwords.
• A login is performed with the target user credentials and the user's environment is active when executing the job.

Setting the Agent User Account

The user account which is used by a JS7 Agent can be set during the JS7 - Agent Installation On Premises. If account is not specified then the Agent will run with the system account.

The Windows Services application shows the account an Agent is running with in the Log On As column.

To change the account right-click the Agent's entry in the Windows Services application and select Properties. Then select the Log On tab and This Account and enter the account name and password.

Credential Manager

There are several ways to access the Windows Credential Manager:

• Graphical User Interface  
• Command Line Interface: cmdkey
• API: the API is used by the JS7 Agent

Manage credentials with the Graphical User Interface

• Log on to the operating system with the Agent's account.
• Open the Credential Manager GUI:
  • English: Control Panel -> Credential Manager
  • German: Systemsteuerung -> Anmeldeinformationsverwaltung
• Select the Credential Type Windows Authentication -> Generic
  
  • Add generic credential information for a target user with the following input fields: 
    • Internet or network address
      • This field holds the "target name" of the credentials. 
      • Specify a unique identifier for the credentials.
    • User name
      • The account for the target user can be specified by Unicode characters and digits including space, comma,  _, - and @
      • For domain users specify the  user principal name  (UPN) in the format username@DOMAIN
        • The format DOMAIN\username is not supported
    • Password
  • Your input screen should look like this:
    
    

Manage credentials with the Command Line Interface

• Open a Windows console window (cmd.exe) for the JS7 Agent account.
• Use the following commands to add credentials for a target user:

 # Add credentials for a local user 
cmdkey /generic:run_as_jobuser /user:JOBUSER /pass:PASSWORD 
 
# Add credentials for a domain user 
cmdkey /generic:run_as_jobuser /user:JOBUSER@DOMAIN /pass:PASSWORD 
 
# Show a list of all credentials 
cmdkey /list

Permissions

Permissions are required for the JS7 Agent account and for the target user of a job.

• To manage permissions switch to:
  • English: Control panel -> Administrative Tools -> Local Security Policy -> Local Policies -> User Rights Assignment
  • German: Systemsteuerung -> Verwaltung -> Lokale Sicherheitsrichlinie -> Lokale Richtlinien -> Zuweisen von Benutzerrechten
• Just in case you want to dig into the details, the following references describe the constants that are used for privileges:
  • Privilege Constants
  • Account Rights Constants
  • User Rights Assignment

Permissions for the Agent Account

Hint:

To add a permission, right-click the permission and use the Properties -> Add user or group action in the User Rights Assignment (German: Zuweisen von Benutzerrechten) application opened above.

General Permissions

Apply the following permissions for the account that the Agent should use:

• Permission: SE_ASSIGNPRIMARYTOKEN_NAME (SeAssignPrimaryTokenPrivilege)
  
  • English: Replace a process-level token
  • German: Ersetzen eines Tokens auf Prozessebene
  • French: Remplacer un jeton de niveau processus
  • Japanese: プロセス レベル トークンを置き換え
• Permission: SE_INCREASE_QUOTA_NAME (SeIncreaseQuotaPrivilege)
  
  • English: Adjust memory quotas for a process
  • German: Anpassen von Speicherkontingenten für einen Prozess
  • French: Ajuster les quotas de mémoire pour un processus
  • Japanese: プロセスのメモリ クォータの増加

Load target user profile

If the profile of the target user should be loaded then the Agent account requires the Administrator role, see LoadUserProfile, and the following permissions:

• Permission: SE_BACKUP_NAME (SeBackupPrivilege)
  
  • English: Back up files and directories 
  • German: Sichern von Dateien und Verzeichnissen
  • French: Sauvegarder des fichiers et des répertoires
  • Japanese: ファイルとディレクトリのバックアップ
• Permission: SE_RESTORE_NAME (SeRestorePrivilege)
  
  • English: Restore files and directories
  • German: Wiederherstellen von Dateien und Verzeichnissen
  • French: Restaurer des fichiers et des répertoires
  • Japanese: ファイルとディレクトリの復元

Hint:

Right-click the permission and use the Properties -> Add user or group action to add the respective Agent account as explained above.

Important:

Restart the JS7 Agent Windows Service in order to apply changes to roles and permissions.

Permissions for the Target User

Assign the following permissions for the target user of the job:

• Permission: SE_BATCH_LOGON_NAME (SeBatchLogonRight)
  
  • English: Log on as a batch job

  • German: Anmelden als Stapelverarbeitungsauftrag
  • French: Ouvrir une session en tant que tâche
  • Japanese: バッチ ジョブとしてログオン

Hint:

Right-click the permission and use the Properties -> Add user or group action to add the respective target user as explained above.

Job Configuration

Jobs that should be executed for a target user have to be assigned the credentials key that has previously been stored with the Credential Manager for the Agent account. A resulting job could look like this:

Note the input field Credential Key and the checkbox Load User Profile.

Error Messages

This section is intended to explain common error messages and pitfalls. Find a complete reference from System Error Codes.

Errors when using credentials

Error Code: WINDOWS-1168 (CredRead)

Windows Credential Manager does not return an entry named 'MyCredentialsKey': WINDOWS-1168 (CredRead) Element not found.

Windows Credential Manager does not return an entry named 'MyCredentialsKey': WINDOWS-1168 (CredRead) Element nicht gefunden.

COM-80020009 java.lang.IllegalArgumentException: requirement failed: Unsupported character in Windows user name: 'MYDOMAIN\JOBUSER'

Errors when setting file permissions

Error Code: COM-80020009 (icacls.exe)

COM-80020009 java.lang.RuntimeException: Windows command failed: C:\Windows\System32\icacls.exe => JOBUSER: No mapping between account names and security IDs was done.

COM-80020009 java.lang.RuntimeException: Windows command failed: C:\Windows\System32\icacls.exe => JOBUSER: Zuordnungen von Kontennamen und Sicherheitskennungen wurden nicht durchgeführt.

Errors when performing a logon for a target user

Error Code: WINDOWS-1326 (LogonUser)

WINDOWS-1326 (LogonUser) Logon failure: The user name or password is incorrect.

WINDOWS-1326 (LogonUser) Anmeldung fehlgeschlagen: unbekannter Benutzername oder falsches Kennwort.

Wrong credentials have been used for the target user. The problem is related to the credentials that have previously been stored with the Credential Manager.

Frequently a wrong password has been used. This is implied by the fact that in the preceding step the call to Icalcs to set permissions for log files had worked for that target user, otherwise an exception would have been raised.

Check the Credential Manager for a valid user name and password.

Error Code: WINDOWS-1385 (LogonUser)

WINDOWS-1385 (LogonUser) Logon failure: the user has not been granted the requested logon type at this computer.

WINDOWS-1385 (LogonUser) Anmeldung fehlgeschlagen: Der Benutzer besitzt nicht den benötigten Anmeldetyp auf diesem Computer.

Errors when creating user environment

Error Code: WINDOWS-5 (CreateEnvironmentBlock)

WINDOWS-5 (CreateEnvironmentBlock) Access is denied

WINDOWS-5 (CreateEnvironmentBlock) Zugriff verweigert

• Such problems can occur if, at the time of the process start for the target user, the user is logged in on the same machine that the Agent is operated for, The user could be logged in for an interactive session or as a Windows service.
• This problem does not occur when a number of parallel jobs for the target user are executed by an Agent.

Errors when loading a user profile

Error Code: WINDOWS-1314 (LoadUserProfile)

WINDOWS-1314 (LoadUserProfile) A required privilege is not held by the client.

WINDOWS-1314 (LoadUserProfile) Dem Client fehlt ein erforderliches Recht.

WINDOWS-5 (LoadUserProfile) Access is denied

WINDOWS-5 (LoadUserProfile) Zugriff verweigert

Errors related to logs

Error Message: Access is denied

[info] [stderr] log4j:ERROR setFile(null,true) call failed.
[info] [stderr] java.io.FileNotFoundException: <agent_data>\logs\jobscheduler_agent_<port>.log (Access is denied)
[info] [stderr] at java.io.FileOutputStream.open0(Native Method)
[info] [stderr] at java.io.FileOutputStream.open(Unknown Source)
[info] [stderr] at java.io.FileOutputStream.<init>(Unknown Source)
[info] [stderr] at java.io.FileOutputStream.<init>(Unknown Source)
[info] [stderr] at org.apache.log4j.FileAppender.setFile(FileAppender.java:294)
[info] [stderr] at org.apache.log4j.FileAppender.activateOptions(FileAppender.java:165)
[info] [stderr] at org.apache.log4j.DailyRollingFileAppender.activateOptions(DailyRollingFileAppender.java:223)
[info] [stderr] at org.apache.log4j.config.PropertySetter.activate(PropertySetter.java:307)
[info] [stderr] at org.apache.log4j.xml.DOMConfigurator.parseAppender(DOMConfigurator.java:295)
[info] [stderr] at org.apache.log4j.xml.DOMConfigurator.findAppenderByName(DOMConfigurator.java:176)
[info] [stderr] at org.apache.log4j.xml.DOMConfigurator.findAppenderByReference(DOMConfigurator.java:191)
[info] [stderr] at org.apache.log4j.xml.DOMConfigurator.parseChildrenOfLoggerElement(DOMConfigurator.java:523)
[info] [stderr] at org.apache.log4j.xml.DOMConfigurator.parseCategory(DOMConfigurator.java:436)
[info] [stderr] at org.apache.log4j.xml.DOMConfigurator.parse(DOMConfigurator.java:1004)
[info] [stderr] at org.apache.log4j.xml.DOMConfigurator.doConfigure(DOMConfigurator.java:872)
[info] [stderr] at org.apache.log4j.xml.DOMConfigurator.doConfigure(DOMConfigurator.java:778)
[info] [stderr] at org.apache.log4j.helpers.OptionConverter.selectAndConfigure(OptionConverter.java:483)
[info] [stderr] at org.apache.log4j.LogManager.<clinit>(LogManager.java:127)
[info] [stderr] at org.slf4j.impl.Log4jLoggerFactory.getLogger(Log4jLoggerFactory.java:64)
[info] [stderr] at org.slf4j.LoggerFactory.getLogger(LoggerFactory.java:285)
[info] [stderr] at com.sos.scheduler.engine.common.scalautil.Logger$.apply(Logger.scala:104)
[info] [stderr] at com.sos.scheduler.engine.taskserver.TaskServerMain$.<init>(TaskServerMain.scala:22)
[info] [stderr] at com.sos.scheduler.engine.taskserver.TaskServerMain$.<clinit>(TaskServerMain.scala)
[info] [stderr] at com.sos.scheduler.engine.taskserver.TaskServerMain.main(TaskServerMain.scala)
[info] [stderr] log4j:ERROR Either File or DatePattern options are not set for appender [file].

Common causes for this error include that the Agent account has not been assigned read/write permissions for the agent.log file.

This problem might occur after switching the account of the Agent Windows Service. To resolve this problem add read/write permissions to the Agent's account and target user.