TSSA/BSA: No autorization to access host error when verify Windows target - "CM: Failed to change to alternate user"

Version 4
    Share This:

    This document contains official content from the BMC Software Knowledge Base. It is automatically updated when the knowledge article is modified.


    PRODUCT:

    BladeLogic Server Automation Suite


    COMPONENT:

    BladeLogic Server Automation


    APPLIES TO:

    All BSA versions



    PROBLEM:

     

    <SCENARIO 1>
    Getting "No authorization to access host" error, when verifying or live browsing a Windows target server on TrueSight Server Automation (TSSA/BSA) console:

    User-added image

    'rscd.log' shows the following messages

      
    02/14/19 11:20:50.389 WARN     rscd -  XX.XX.XX.XX 3336 SYSTEM (BLAdmins:BLAdmin): CM: Failed to change to alternate user 02/14/19 11:21:51.280 ERROR    rscd -  TARGET 2696 SYSTEM (Not_available): (Not_available): authenticate_user failed ; Error Location: RSCD_WinUser::initFromUsernameDomainW:LookupAccountNameW ; Error Message: No mapping between account names and security IDs was done. ; Auxiliary Error Message: Account: DOMAIN\admin ...
       

    <SCENARIO 2>
    No authorization to access host" error on all Windows Server 2003 servers when using Automation Principal Domain Account to login.

    'rscd.log' shows

      
    05f49d3f620b85ba9d35 0000000009 09/19/12 14:51:29.447 ERROR rscd - xxxx 9976 SYSTEM (Not_available): (Not_available): authenticate_user failed ; Error Location: RSCD_WinUser::logonPassword:LsaLogonUser() ; Error Message: Logon failure: the user has not been granted the requested logon type at this computer. ; Auxiliary Error Message: user@domain.com fcab39845310836b091e 0000000010 09/19/12 14:51:29.447 WARN rscd - xxx.xx.xx.xx 9976 SYSTEM (user@domain.com): CM: Failed to change to alternate user ...

     


    CAUSE:

    Automation principal is configured & associated with the role (such as 'BLAdmins') where the principal account does not exist or do not have appropriate privilege. Domain Account being mapped-to may not have the required "Logon as a batch job" privilege.


    SOLUTION:

     

    <SCENARIO 1>
    Check if any automation principal is associated with the role. If yes, make sure that the principal user account (configured for the automation principal) exists on the target server and has appropriate privileges.

    Make sure that the user account is not listed in "Deny Log on as a batch job" local policy.

    If automation principal is not intended, remove the role association from the automation principal.


    <SCENARIO 2>
    Domain Account being mapped-to may not have the required "Logon as a batch job" privilege.

       BSA Documentation

    If you are using an automation principal for Microsoft Windows user mapping, the account you identify in this step must be granted the Windows "Logon as a batch job" privilege on each Windows server. To access this setting, use the Control Panel and go to   Administrative Tools > Local Security Policy > Local Policies > User Rights Assignment. If you are using an automation principal for agent installation, you must grant the "Logon as a batch job" privilege to this account on the PsExec server. 
      

     


    Article Number:

    000060310


    Article Type:

    Solutions to a Product Problem



      Looking for additional information?    Search BMC Support  or  Browse Knowledge Articles