12 Replies Latest reply on Mar 24, 2014 5:28 PM by Bill Robinson

    Login Not Allowed for User

    Naveen Anne

      I am trying to import a into the BSA app server which is on the same version.

      It is showing the following error: "Login Not Allowed for User"

      User is mapped to the agent via Automation Principal and I confirmed that the ID mapped in the AP is included in the "Logon as a Batch Job" security policy.

      I am unable to read the rscd.log using bllogman which throws the same error in the nsh window.

      What needs to be set here? Am I missing some configuration?

        • 1. Re: Login Not Allowed for User
          Siddu angadi

          What are you trying to import?




          • 2. Re: Login Not Allowed for User
            Naveen Anne

            Sorry. My bad.

            I am trying to import an agent.

            • 3. Re: Login Not Allowed for User
              Siddu angadi

              Hi Naveen,


              With what user are you trying to import the agent? Does that user have the correct mapping on the agent?


              Can you please also attach the rscd.log file here?




              • 4. Re: Re: Login Not Allowed for User
                Naveen Anne

                See the rscd log file attached.

                The main messages I see are the following two lines:


                08b9783d988dd6921de2 0000000033 07/11/13 09:55:16.171 ERROR    rscd -  RLM-BCCWDVAPP01 3460 SYSTEM (Not_available): (Not_available): User Impersonation Failed ; Error Location: RSCD_WinUser::initFromUsernameDomainW:LookupAccountNameW ; Error Message: No mapping between account names and security IDs was done. ; Auxiliary Error Message: Account: RLM-BCCWDVAPP01\BLADmin


                b8b0f555494f8e9e0371 0000000034 07/11/13 09:55:16.186 WARN     rscd - 3460 SYSTEM (BLAdmins:BLAdmin): CM: Impersonation failed




                BLAdmin is mapped to an AP which is a domain user and is part of the local administrator group on target. It currently works on other servers.

                • 5. Re: Login Not Allowed for User
                  Siddu angadi

                  Hi Naveen,


                  Follow the steps below and try to import. Sometimes, even if the domain user is part of the Administrator group, you still need to add the user to "log on as batch job" explicitly.


                  1. Type in secpol.msc /s
                  2. Select "Local Policies" in the MSC snap-in
                  3. Select "User Rights Assignment"
                  4. Right-click on "Log on as batch job" and select Properties
                  5. Click "Add user and Group" and include the relevant user (based on your log, the user is: RLM-BCCWDVAPP01\BLADmin)
                  6. Try importing the server again




                  • 6. Re: Re: Login Not Allowed for User
                    Naveen Anne

                    My domain user name is SYSDEV\BLADmin.

                    SYSDEV is the domain and BLADmin is the user name. This is already added in GPO policy for "Logon as a batch job"

                    In the log file, I see that it is trying to map the RLM-BCCWDVAPP01\BLADmin.

                    RLM-BCCWDVAPP01 is the host name. So, it is changing the domain SYSDEV to host name before impersonating.

                    This doesn't make any sense.

                    • 7. Re: Re: Login Not Allowed for User
                      Siddu angadi

                      Then check your Automation Principal setting.  Is it correctly mapping with domain?




                      • 8. Re: Login Not Allowed for User
                        Bill Robinson

                        If the agent is not registered w/ the appserver yet, you need to have the UPM mapping work until the appserver can identify the target OS, then the AP will be used. Otherwise it has no idea if it's Unix or Windows.

                        • 9. Re: Re: Login Not Allowed for User



                          I'm currently having the same error messages:


                          1. Login not allowed for user

                          2. impersonation failed

                          3. Impersonation Failed ; Error  Location: WinAgent.cpp::impersonate_lsa ; Error Message: The operation completed successfully. ; Auxiliary Error Message: windows user privilege mapping disable


                          The scenario is the following:


                          I have two BladeLogic environments and I'm trying to access the RSCD Agent on a Windows Server Domain Controller from both environments.

                          I've disabled the local user mapping because it is a Windows DC with the chapw -d command.
                          From the first environment the access is working perfectly.


                          From the second environment with the same settings and properties (automation principal etc.) I get these error messages from above.


                          I'm happy to hear any ideas about solving the problem.


                          kind regards,


                          • 10. Re: Re: Login Not Allowed for User
                            Bill Robinson

                            When you communicate w/ the 2nd env, are you going through a nsh proxy? And the AP that you 'map' to in the 2nd env, is that set up correctly?

                            • 11. Re: Re: Login Not Allowed for User

                              Hi Bill,

                              thanks for your fast reply.


                              I can say Yes to both of your questions.


                              Just some minutes ago we found a solution how we can contact the agent from the second environment successfully.


                              We enabled privilege mapping (chapw -e) from the first environment again on the target agent. Once connected from the second environment we can disable the mapping again and the connection is still possible from both environments.

                              Never had that experience that just adding a reg key with running chapw can cause such a behaviour.


                              Thanks and regards,


                              • 12. Re: Re: Login Not Allowed for User
                                Bill Robinson

                                I'm not sure what you mean - it seems that you had UPM disabled and one of the environments was not talking through a nsh proxy so the AP was not picked up, and in that case nsh would try and use UPM which failed because it was disabled. If you use chapw to enable or disable UPM, that is for the agent, regardless of where the nsh connection comes from.
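
A log-triage sketch for the rscd.log failures quoted in this thread, added here as an example (it is not part of the thread and not BMC code). It splits the " ; "-separated fields of an impersonation failure and reports whether the agent looked up a host-scoped account or found privilege mapping disabled; the function names and category labels are assumptions, and the sample lines are the ones quoted in the posts above.

```python
import re

# " ; "-separated "Key: value" fields seen in the failures quoted in the thread
FIELD = re.compile(r"(Error\s+Location|Error Message|Auxiliary Error Message):\s*(.*)")
ACCOUNT = re.compile(r"Account:\s*([^\\]+)\\(.+)")

def parse_failure(line):
    """Return the fields of an impersonation-failure line, or None for other lines."""
    if "impersonation failed" not in line.lower():
        return None
    fields = {}
    for part in line.split(" ; ")[1:]:
        m = FIELD.match(part.strip())
        if m:
            # Collapse repeated spaces in the key ("Error  Location")
            fields[" ".join(m.group(1).split())] = m.group(2).strip()
    return fields

def triage(line, agent_host):
    """Classify a failure as (category, account); category labels are hypothetical."""
    fields = parse_failure(line)
    if fields is None:
        return None
    aux = fields.get("Auxiliary Error Message", "")
    m = ACCOUNT.match(aux)
    if m:
        scope, user = m.groups()
        # Scope equal to the agent's host name: the lookup was for a local
        # account, not the domain account the poster expected (SYSDEV\BLADmin).
        local = scope.lower() == agent_host.lower()
        kind = "local-account-lookup" if local else "domain-account-lookup"
        return (kind, f"{scope}\\{user}")
    if "privilege mapping disable" in aux.lower():
        return ("upm-disabled", None)
    return ("unclassified", None)

# Lines as quoted in the thread (the third is the message fragment from reply 9)
SAMPLE = [
    r"08b9783d988dd6921de2 0000000033 07/11/13 09:55:16.171 ERROR    rscd -  RLM-BCCWDVAPP01 3460 SYSTEM (Not_available): (Not_available): User Impersonation Failed ; Error Location: RSCD_WinUser::initFromUsernameDomainW:LookupAccountNameW ; Error Message: No mapping between account names and security IDs was done. ; Auxiliary Error Message: Account: RLM-BCCWDVAPP01\BLADmin",
    "b8b0f555494f8e9e0371 0000000034 07/11/13 09:55:16.186 WARN     rscd - 3460 SYSTEM (BLAdmins:BLAdmin): CM: Impersonation failed",
    "Impersonation Failed ; Error  Location: WinAgent.cpp::impersonate_lsa ; Error Message: The operation completed successfully. ; Auxiliary Error Message: windows user privilege mapping disable",
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(triage(entry, "RLM-BCCWDVAPP01"))
```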