...

  • The JS7 Agent for Windows is frequently run in the system account or in a service account and will execute jobs within the context and permissions of this account.
  • Running a job as a different user involves logging in as that user, optionally loading the user profile and executing commands in this context.
  • User switching applies to Shell Jobs.
  • This article applies to the JS7 Agent for Windows only. For Unix environments there is no need for Agent based user switching as the built-in sudo and su capabilities provide this functionality.

Basics

  • For user switching, the JS7 Agent has to be operated using a user account or a service account, not the system account.
  • The credentials of the target user for which a job should be executed are not stored with the job configuration. Instead the account that runs the JS7 Agent Windows Service stores credentials with the Windows Credential Manager. When a job should be executed then the JS7 Agent reads the credentials from the Windows Credential Manager. Reading credentials that have previously been stored using the same account works without needing to specify a password. Therefore the solution is free from the use of passwords.
  • A login is performed with the target user credentials and the user's environment is active when executing the job.

Setting the Agent User Account

The user account which is used by a JS7 Agent can be set during the JS7 - Agent Installation On Premises. If an account is not specified then the Agent will run with the system account.

...

Credential Manager

There are several ways to access the Windows Credential Manager:

...

  • Log on to the operating system with the Agent's account.
  • Open the Credential Manager GUI:
    • English: Control Panel -> Credential Manager
    • German: Systemsteuerung -> Anmeldeinformationsverwaltung
  • Select the Credential Type Windows Authentication -> Generic
    • Add generic credential information for a target user with the following input fields:
      • Internet or network address
        • This field holds the "target name" of the credentials. 
        • Specify a unique identifier for the credentials.
      • User name
        • The account for the target user can be specified by Unicode characters and digits including space, comma, _, - and @
        • For domain users specify the user principal name (UPN) in the format username@DOMAIN
          • The format DOMAIN\username is not supported
      • Password
    • Your input screen should look like this:

...

  • To manage permissions switch to:
    • English: Control panel -> Administrative Tools -> Local Security Policy -> Local Policies -> User Rights Assignment
    • German: Systemsteuerung -> Verwaltung -> Lokale Sicherheitsrichtlinie -> Lokale Richtlinien -> Zuweisen von Benutzerrechten
  • Just in case you want to dig into the details, the following references describe the constants that are used for privileges:

...

Jobs that should be executed for a target user have to be assigned the credentials key that has previously been stored with the Credential Manager for the Agent account. A resulting job could look like this:


Note the input field Credential Key and the checkbox Load User Profile.

...

This error message tells you that the credentials key that you added to the job configuration does not match a corresponding entry with the Credential Manager. Possible reasons include wrong spelling or the fact that the credentials have not been added by the Agent account but by some other account.


Error Code: COM-80020009 (Unsupported character in Windows user name)

COM-80020009 java.lang.IllegalArgumentException: requirement failed: Unsupported character in Windows user name: 'MYDOMAIN\JOBUSER'

  • The account for the target user must be specified by Unicode characters and digits including space, comma, _, - and @
  • For domain users specify the user principal name (UPN) in the format username@DOMAIN
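
A pre-check for the user name rules above, as an added example that is not part of JS7: the function names, the target name parameter and the sample values are hypothetical, and the character class encodes the list exactly as this article states it. `Add-AgentCredential` stores the generic entry with the Windows `cmdkey` tool and has to be run as the Agent account.

```powershell
# Added example, not JS7 code. Function names and sample values are hypothetical.
# The character class mirrors the list in this article:
# Unicode letters and digits, space, comma, _, - and @.
$AllowedChar = '[\p{L}\p{N} ,_\-@]'

function Test-TargetUserName {
    param([Parameter(Mandatory)][string]$UserName)

    $reason = $null
    if ($UserName.Contains('\')) {
        # Down-level logon name: the Agent rejects it with COM-80020009.
        $reason = 'DOMAIN\username is not supported, use username@DOMAIN'
    }
    else {
        $bad = $UserName.ToCharArray() |
            Where-Object { [string]$_ -notmatch $AllowedChar } |
            Select-Object -Unique
        if ($bad) { $reason = "Unsupported character(s): $($bad -join ' ')" }
    }
    [pscustomobject]@{
        UserName = $UserName
        Valid    = ($null -eq $reason)
        Reason   = $reason
    }
}

function Add-AgentCredential {
    # Run as the Agent account: the Agent can only read entries that
    # were stored by its own account.
    param(
        [Parameter(Mandatory)][string]$TargetName,
        [Parameter(Mandatory)][string]$UserName
    )
    $check = Test-TargetUserName -UserName $UserName
    if (-not $check.Valid) { throw "Not storing '$UserName': $($check.Reason)" }
    # /pass without a value makes cmdkey prompt for the password, which keeps
    # it out of the command line and the shell history.
    cmdkey "/generic:$TargetName" "/user:$UserName" /pass
}

# Constructed sample user names; the first is the one from the error message.
'MYDOMAIN\JOBUSER', 'jobuser@MYDOMAIN', 'job user, batch', 'job;user' |
    ForEach-Object { Test-TargetUserName -UserName $_ } |
    Format-Table -AutoSize
```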

...


A wrong user name has been specified for the target user with the Credential Manager. Check the Credential Manager for use of a valid user name and password.

...

Frequently a wrong password has been used. This is implied by the fact that in the preceding step the call to icacls to set permissions for log files had worked for that target user, otherwise an exception would have been raised.

Check the Credential Manager for use of a valid user name and password.

...

The target user for the job has not been assigned the following permissions:

  • Permission: SE_BATCH_LOGON_NAME
    • English: Log on as a batch job
    • German: Anmelden als Stapelverarbeitungsauftrag

...

  • Such problems can occur if, at the time of the process start for the target user, the user is logged in on the same machine that the Agent is operated for. The user could be logged in for an interactive session or as a Windows service.
  • This problem does not occur when a number of parallel jobs for the target user are executed by an Agent.

...

German: WINDOWS-1314

WINDOWS-1314 (LoadUserProfile) Dem Client fehlt ein erforderliches Recht.


The Agent account has not been assigned one or more of the following permissions:

  • Permission: SE_BACKUP_NAME
    • English: Back up files and directories
    • German: Sichern von Dateien und Verzeichnissen
  • Permission: SE_RESTORE_NAME
    • English: Restore files and directories
    • German: Wiederherstellen von Dateien und Verzeichnissen
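
To see whether the two privileges listed above are present in a token, the following added example (not JS7 code) parses the output of `whoami /priv`. The function names and the sample rows are constructed for illustration; SeBackupPrivilege and SeRestorePrivilege are the Windows string values of SE_BACKUP_NAME and SE_RESTORE_NAME.

```powershell
# Added example, not JS7 code. Function names are hypothetical.
$Required = [ordered]@{
    SeBackupPrivilege  = 'SE_BACKUP_NAME (Back up files and directories)'
    SeRestorePrivilege = 'SE_RESTORE_NAME (Restore files and directories)'
}

function Get-TokenPrivilege {
    # /nh drops the localized header row; the privilege names in the first
    # column are the same on English and German systems.
    whoami /priv /fo csv /nh |
        ConvertFrom-Csv -Header Name, Description, State
}

function Test-AgentPrivilege {
    param($Held = (Get-TokenPrivilege))

    foreach ($name in $Required.Keys) {
        $row = $Held | Where-Object Name -eq $name
        [pscustomobject]@{
            Privilege = $name
            Constant  = $Required[$name]
            InToken   = [bool]$row
            # "Disabled" still counts as assigned: the privilege is in the
            # token and a process enables it when it is needed.
            State     = if ($row) { $row.State } else { 'not assigned' }
        }
    }
}

# Live check of the current session's token.
Test-AgentPrivilege | Format-Table -AutoSize

# Constructed sample rows for an account that lacks SeRestorePrivilege.
$sample = @'
"SeBackupPrivilege","Back up files and directories","Disabled"
"SeChangeNotifyPrivilege","Bypass traverse checking","Enabled"
'@ -split "`r?`n" | ConvertFrom-Csv -Header Name, Description, State

Test-AgentPrivilege -Held $sample | Format-Table -AutoSize
```

Run it in the Agent account's own context; a non-elevated interactive session of an administrative account shows a filtered token that can lack both privileges.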

Error Code: WINDOWS-5 (LoadUserProfile)

English: WINDOWS-5

WINDOWS-5 (LoadUserProfile) Access is denied

German: WINDOWS-5

WINDOWS-5 (LoadUserProfile) Zugriff verweigert


Common causes for this error include:

  • The job has been configured to load the target user profile but the Agent account has not been assigned the Administrator role.

  • This role is required for the Agent account if the target user profile should be loaded.

...

Common causes for this error include that the Agent account has not been assigned read/write permissions for the agent.log file.

...