
Scope

  • The Universal Agent frequently runs in the system account or a service account and executes jobs within the context and with the permissions of this account.
  • Running a job as a different user means logging on as that user, optionally loading the user profile, and executing commands in this context.
  • This article applies to the Universal Agent for Windows only. For Unix environments there is no need for scheduler-based user switching, as the built-in sudo and su capabilities provide this functionality.

Introduction

  • For user switching the Agent has to be operated with a user account or service account, not with the system account.
  • The credentials of the target user for which a job should be executed are not stored with the JobScheduler configuration data. Instead, the user account that runs the JobScheduler Windows Service stores the credentials in the Windows Credential Manager. When a job should be executed, the JobScheduler Agent reads the credentials from the Windows Credential Manager. Reading credentials that have previously been stored by the same account works without specifying a password, so no passwords have to be kept in the JobScheduler configuration.
  • A logon is performed with the target user's credentials, and the user's environment is active when the job is executed.


  • User switching applies to
    • All job types (standalone jobs and job chain jobs)
    • Shell Jobs
    • API jobs in any of the supported languages
    • Pre-processing and post-processing Monitors

Credential Manager

The Windows Credential Manager is accessible via its

  • Graphical User Interface  
  • Command Line Interface: cmdkey
  • API: the API is used by the JobScheduler Agent

Manage credentials with the Graphical User Interface

  • Open the Credential Manager GUI from the JobScheduler Agent account.
    • English: Control Panel -> Credential Manager
    • German: Systemsteuerung -> Anmeldeinformationsverwaltung
  • Select the Credential Type Windows Authentication -> Generic
    • Add a generic credential for a target user with the following input fields:
      • Internet or network address
        • For use with JobScheduler this field holds the "target name" of the credentials.
        • You are free to use any characters to specify a unique identifier for the credentials.
      • User name
        • The account of the target user can be specified with Unicode characters and digits, including space, comma, _, -, \ and @
        • For domain users specify the user principal name (UPN) in the format username@DOMAIN
          • The format DOMAIN\username is not supported
      • Password

Manage credentials with the Command Line Interface

  • Open a Windows console window (cmd.exe) for the JobScheduler Agent account.
  • Use the following commands to add credentials for a target user:

    rem Add credentials for a local user
    cmdkey /generic:run_as_jobuser /user:jobuser /pass:password

    rem Add credentials for a domain user (UPN format; DOMAIN\username is not supported)
    cmdkey /generic:run_as_jobuser /user:jobuser@DOMAIN /pass:password

    rem Specifying /pass without a value prompts for the password instead of leaving it in the console history
    cmdkey /generic:run_as_jobuser /user:jobuser@DOMAIN /pass

    rem Show all credentials stored for the current account
    cmdkey /list

Permissions

Permissions are required for the JobScheduler Agent account and for the target user of a job.

  • To manage permissions switch to
    • English: Control Panel -> Administrative Tools -> Local Security Policy -> Local Policies -> User Rights Assignment
    • German: Systemsteuerung -> Verwaltung -> Lokale Sicherheitsrichtlinie -> Lokale Richtlinien -> Zuweisen von Benutzerrechten
  • Right-click a permission and use the Properties -> Add user or group action.

The permission names below are the constants from Microsoft's Privilege Constants and Account Rights Constants documentation; the English and German names are the ones displayed in the User Rights Assignment policy.

Permissions for the Agent Account

  • SE_ASSIGNPRIMARYTOKEN_NAME
    • English: Replace a process-level token
    • German: Ersetzen eines Tokens auf Prozessebene
  • SE_INCREASE_QUOTA_NAME
    • English: Adjust memory quotas for a process 
    • German: Anpassen von Speicherkontingenten für einen Prozess

Load target user profile

If the profile of the target user should be loaded, then the Agent account requires the Administrator role (see LoadUserProfile) and the following permissions:

  • SE_BACKUP_NAME
    • English: Back up files and directories 
    • German: Sichern von Dateien und Verzeichnissen
  • SE_RESTORE_NAME
    • English: Restore files and directories
    • German: Wiederherstellen von Dateien und Verzeichnissen

Hints

Restart the JobScheduler Agent Windows Service in order to apply changes to roles and permissions.

Permissions for Target User

  • SE_BATCH_LOGON_NAME
    • English: Log on as a batch job 
    • German: Anmelden als Stapelverarbeitungsauftrag
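The following PowerShell script is an added example and not part of the JobScheduler Agent. It checks the user-rights assignments listed above for the Agent account and the target user against an export of the local security policy, instead of clicking through the User Rights Assignment GUI. The account names jsagent and jobuser, the script parameters and the -LoadProfile switch are assumptions for illustration.

```powershell
# Added example, not JobScheduler Agent code: verify the user-rights assignments that
# user switching needs. Run from an elevated console on the Agent host (secedit /export).
# Account names below are assumptions; replace them with your own.
param(
    [string]$AgentAccount = "$env:USERDOMAIN\jsagent",   # account running the Agent service
    [string]$JobUser      = "$env:USERDOMAIN\jobuser",   # target user of the jobs
    [switch]$LoadProfile                                 # also check the LoadUserProfile prerequisites
)

# Export only the user-rights area of the local security policy to a temporary .inf file
$cfg = Join-Path $env:TEMP 'user-rights.inf'
& secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
if (-not (Test-Path $cfg)) { throw 'secedit /export failed; run this script from an elevated console' }

# [Privilege Rights] lines look like:  SeBatchLogonRight = *S-1-5-32-544,*S-1-5-32-559
$rights = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $rights[$Matches[1]] = $Matches[2].Split(',') | ForEach-Object { $_.Trim().TrimStart('*') }
    }
}
Remove-Item $cfg -Force

function Test-UserRight([string]$Account, [string]$Right) {
    # Direct = the account's own SID is listed; HeldBy shows every holder resolved to a name,
    # so a grant through a group (Administrators, Backup Operators, ...) is visible as well
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value
    $holders = @($rights[$Right])
    $names = $holders | ForEach-Object {
        try { (New-Object System.Security.Principal.SecurityIdentifier($_)).Translate(
                  [System.Security.Principal.NTAccount]).Value } catch { $_ }
    }
    [pscustomobject]@{
        Account = $Account
        Right   = $Right
        Direct  = ($holders -contains $sid)
        HeldBy  = ($names -join ', ')
    }
}

# Policy names of the constants used in the article
$checks = @(
    @{ Account = $AgentAccount; Right = 'SeAssignPrimaryTokenPrivilege' },  # SE_ASSIGNPRIMARYTOKEN_NAME
    @{ Account = $AgentAccount; Right = 'SeIncreaseQuotaPrivilege' },       # SE_INCREASE_QUOTA_NAME
    @{ Account = $JobUser;      Right = 'SeBatchLogonRight' }               # SE_BATCH_LOGON_NAME
)
if ($LoadProfile) {
    $checks += @{ Account = $AgentAccount; Right = 'SeBackupPrivilege' }    # SE_BACKUP_NAME
    $checks += @{ Account = $AgentAccount; Right = 'SeRestorePrivilege' }   # SE_RESTORE_NAME
}
$checks | ForEach-Object { Test-UserRight $_.Account $_.Right } | Format-Table -AutoSize

if ($LoadProfile) {
    # LoadUserProfile additionally requires the Agent account to be a local administrator
    $admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
    "Agent account '$AgentAccount' in local Administrators: $($admins -contains $AgentAccount)"
}
```

The Direct column is false when a right is granted only through group membership; compare the HeldBy column with the account's groups in that case. After changing any assignment the JobScheduler Agent Windows Service has to be restarted, as noted in the Hints above.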


Error Messages

The numeric codes are Windows System Error Codes; each message is listed in its English and German form.

Credential Manager

English WINDOWS-1168
Windows Credential Manager does not return an entry named 'MyCredentialsKey': WINDOWS-1168 (CredRead) Element not found.
German WINDOWS-1168
Windows Credential Manager does not return an entry named 'MyCredentialsKey': WINDOWS-1168 (CredRead) Element nicht gefunden.


icacls

English
COM-80020009 java.lang.RuntimeException: Windows command failed: C:\Windows\System32\icacls.exe => JOBUSER: No mapping between account names and security IDs was done.
German
COM-80020009 java.lang.RuntimeException: Windows command failed: C:\Windows\System32\icacls.exe => JOBUSER: Zuordnungen von Kontennamen und Sicherheitskennungen wurden nicht durchgeführt.

A wrong name has been used for the user account in the Credential Manager. Use the runas command line utility to check valid user names.

LogonUser

English WINDOWS-1326
WINDOWS-1326 (LogonUser) Logon failure: The user name or password is incorrect.
German WINDOWS-1326
WINDOWS-1326 (LogonUser) Anmeldung fehlgeschlagen: unbekannter Benutzername oder falsches Kennwort.

The job user's credentials in the Credential Store are wrong.

Actually only the password can be wrong, because in the previous step (icacls) the user name was already accepted (icacls throws an exception if the user name is unknown).

Alternatively, for a domain user the wrong syntax DOMAIN\username was used instead of username@DOMAIN: icacls can handle DOMAIN\username, but the JobScheduler LogonUser call cannot (only username@DOMAIN).

Check, for example, with runas or by running CMD as this user.

English WINDOWS-1385
WINDOWS-1385 (LogonUser) Logon failure: the user has not been granted the requested logon type at this computer.
German WINDOWS-1385
WINDOWS-1385 (LogonUser) Anmeldung fehlgeschlagen: Der Benutzer besitzt nicht den benötigten Anmeldetyp auf diesem Computer.

The job user lacks the right Log on as a batch job (Anmelden als Stapelverarbeitungsauftrag).
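The following PowerShell script is an added example, not code from the JobScheduler Agent. It reproduces the two steps the Agent performs when switching users, reading the entry with CredRead and logging on with LogonUser using the batch logon type, so that the WINDOWS-1168, WINDOWS-1326 and WINDOWS-1385 cases above can be diagnosed from the Agent account without running a job; it also catches the DOMAIN\username format that icacls accepts but LogonUser does not. The target name run_as_jobuser matches the cmdkey examples in the Credential Manager section; the script parameter is an assumption. The password read from the store is kept in memory only and never written out.

```powershell
# Added example, not JobScheduler Agent code: check a Credential Manager entry the way
# the Agent uses it. Run from the Agent account (only that account can read its entries).
param([string]$Target = 'run_as_jobuser')   # target name as stored with cmdkey /generic:

Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class CredCheck {
    // Layout of the Win32 CREDENTIAL structure (Unicode build)
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct CREDENTIAL {
        public uint Flags; public uint Type; public string TargetName; public string Comment;
        public System.Runtime.InteropServices.ComTypes.FILETIME LastWritten;
        public uint CredentialBlobSize; public IntPtr CredentialBlob; public uint Persist;
        public uint AttributeCount; public IntPtr Attributes; public string TargetAlias; public string UserName;
    }
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool CredRead(string target, uint type, uint flags, out IntPtr credential);
    [DllImport("advapi32.dll")]
    public static extern void CredFree(IntPtr credential);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool LogonUser(string user, string domain, string password,
                                        int logonType, int logonProvider, out IntPtr token);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr handle);
}
'@

$CRED_TYPE_GENERIC = 1; $LOGON32_LOGON_BATCH = 4; $LOGON32_PROVIDER_DEFAULT = 0

# Step 1: CredRead, the call the Agent makes; an unknown target name gives WINDOWS-1168
$ptr = [IntPtr]::Zero
if (-not [CredCheck]::CredRead($Target, $CRED_TYPE_GENERIC, 0, [ref]$ptr)) {
    $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    throw "CredRead failed for '$Target': WINDOWS-$err (store the entry with cmdkey from this account)"
}
try {
    $cred = [Runtime.InteropServices.Marshal]::PtrToStructure($ptr, [type][CredCheck+CREDENTIAL])
    $user = $cred.UserName
    # The blob holds the UTF-16 password; keep it in memory only, never log it
    $password = [Runtime.InteropServices.Marshal]::PtrToStringUni(
                    $cred.CredentialBlob, [int]($cred.CredentialBlobSize / 2))
} finally {
    [CredCheck]::CredFree($ptr)
}

# Step 2: the name-format check that icacls does not catch but LogonUser does
if ($user -match '\\') {
    throw "User name '$user' uses DOMAIN\username; the Agent requires username@DOMAIN"
}

# Step 3: LogonUser with the batch logon type, which is what a job needs
$token = [IntPtr]::Zero
$ok  = [CredCheck]::LogonUser($user, $null, $password, $LOGON32_LOGON_BATCH, $LOGON32_PROVIDER_DEFAULT, [ref]$token)
$err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
$password = $null
if ($ok) {
    [void][CredCheck]::CloseHandle($token)
    "OK: batch logon for '$user' succeeded; entry '$Target' is usable by the Agent"
} else {
    switch ($err) {
        1326    { "WINDOWS-1326: user name or password is wrong; re-create the entry with cmdkey" }
        1385    { "WINDOWS-1385: '$user' lacks 'Log on as a batch job' (SE_BATCH_LOGON_NAME)" }
        default { "LogonUser failed: WINDOWS-$err" }
    }
}
```

Because the script runs the same two API calls as the Agent, a success here and a failure in the Agent narrows the remaining causes down to the Agent account's own permissions (see Permissions for the Agent Account) or to the service not having been restarted after a policy change.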

LoadUserProfile

English WINDOWS-1314
WINDOWS-1314 (LoadUserProfile)  A required privilege is not held by the client.
German WINDOWS-1314
WINDOWS-1314 (LoadUserProfile) Dem Client fehlt ein erforderliches Recht.

The Agent user lacks the following rights:

  • Back up files and directories (Sichern von Dateien und Verzeichnissen)
  • Restore files and directories (Wiederherstellen von Dateien und Verzeichnissen)


English WINDOWS-5
WINDOWS-5 (LoadUserProfile) Access is denied
German WINDOWS-5
WINDOWS-5 (LoadUserProfile) Zugriff verweigert

The Agent user is not an administrator.

API-Job stderr

jobscheduler_agent_<port>.log (Access is denied)
[info]   SCHEDULER-726  Task runs on remote scheduler http://localhost:5445
[info]   SCHEDULER-918  state=starting (at=2017-08-02 15:00:47.803+0200)
[info]   [stderr] log4j:ERROR setFile(null,true) call failed.
[info]   [stderr] java.io.FileNotFoundException: <agent_data>\logs\jobscheduler_agent_<port>.log (Access is denied)
[info]   [stderr]     at java.io.FileOutputStream.open0(Native Method)
[info]   [stderr]     at java.io.FileOutputStream.open(Unknown Source)
[info]   [stderr]     at java.io.FileOutputStream.<init>(Unknown Source)
[info]   [stderr]     at java.io.FileOutputStream.<init>(Unknown Source)
[info]   [stderr]     at org.apache.log4j.FileAppender.setFile(FileAppender.java:294)
[info]   [stderr]     at org.apache.log4j.FileAppender.activateOptions(FileAppender.java:165)
[info]   [stderr]     at org.apache.log4j.DailyRollingFileAppender.activateOptions(DailyRollingFileAppender.java:223)
[info]   [stderr]     at org.apache.log4j.config.PropertySetter.activate(PropertySetter.java:307)
[info]   [stderr]     at org.apache.log4j.xml.DOMConfigurator.parseAppender(DOMConfigurator.java:295)
[info]   [stderr]     at org.apache.log4j.xml.DOMConfigurator.findAppenderByName(DOMConfigurator.java:176)
[info]   [stderr]     at org.apache.log4j.xml.DOMConfigurator.findAppenderByReference(DOMConfigurator.java:191)
[info]   [stderr]     at org.apache.log4j.xml.DOMConfigurator.parseChildrenOfLoggerElement(DOMConfigurator.java:523)
[info]   [stderr]     at org.apache.log4j.xml.DOMConfigurator.parseCategory(DOMConfigurator.java:436)
[info]   [stderr]     at org.apache.log4j.xml.DOMConfigurator.parse(DOMConfigurator.java:1004)
[info]   [stderr]     at org.apache.log4j.xml.DOMConfigurator.doConfigure(DOMConfigurator.java:872)
[info]   [stderr]     at org.apache.log4j.xml.DOMConfigurator.doConfigure(DOMConfigurator.java:778)
[info]   [stderr]     at org.apache.log4j.helpers.OptionConverter.selectAndConfigure(OptionConverter.java:483)
[info]   [stderr]     at org.apache.log4j.LogManager.<clinit>(LogManager.java:127)
[info]   [stderr]     at org.slf4j.impl.Log4jLoggerFactory.getLogger(Log4jLoggerFactory.java:64)
[info]   [stderr]     at org.slf4j.LoggerFactory.getLogger(LoggerFactory.java:285)
[info]   [stderr]     at com.sos.scheduler.engine.common.scalautil.Logger$.apply(Logger.scala:104)
[info]   [stderr]     at com.sos.scheduler.engine.taskserver.TaskServerMain$.<init>(TaskServerMain.scala:22)
[info]   [stderr]     at com.sos.scheduler.engine.taskserver.TaskServerMain$.<clinit>(TaskServerMain.scala)
[info]   [stderr]     at com.sos.scheduler.engine.taskserver.TaskServerMain.main(TaskServerMain.scala)
[info]   [stderr] log4j:ERROR Either File or DatePattern options are not set for appender [file].

jobscheduler_agent_<port>.log: the permissions for the job user (read, write) have to be set manually for this file.
