Remote jobs on Windows needing "Run As" rights

Hi all-

I've got the 4.0 version of the software installed on my local machine, and I am trying to run a job locally, but using a specific set of credentials. If I run the job locally without specifying a user, the job runs fine (just runs a test app I whipped together). If I specify my login credentials (the machine is in a domain and I am logged on as a domain user), then it fails saying that I need to have "Act as part of the operating system" and "Logon as a batch job" rights. Well, I went to the Local Security Settings app under Admin tools (my account has admin rights on the box) and explicitly gave myself both rights. I also created a local (non-domain) user who is also a local admin with the same rights. I rebooted the machine, logged back in, and get the same error message. I can confirm that both my account and my local account ("scheduler") have both rights set, but neither account will run the job; they both get the same error as before.

Has anyone had a similar problem?

If you are using domain accounts, you should be assigning rights on the domain level because they override local rights. Please use the active directory to give yourself the required permissions.

After changing permissions, don't forget to restart the system or logoff/logon. Windows caches user credentials and the changes don't have immediate effect.

Ah yes, but that's also why I created the local user "scheduler"....it is not a domain user, has the right privileges, but gets the same error as the domain user does.

Can you confirm that UserA, who is running the scheduler, got "Act as part of the operating system" privilege and UserB, who is assigned to the job, got "Logon as a batch job" privilege?

Another way to test it is to logon to the system as UserA; open command prompt; navigate to the 24x7 installation directory, and from there run RunAs.exe UserB [password for UserB] "cmd /C dir > dir.txt" if you get dir.txt as a result, you are ok, otherwise see messages printed to the screen.

RunAs works fine from the command line for both my domain account and the "scheduler" account. I was also able to run the program from both accounts using the Windows scheduled task manager (from the control panel). I asked the sysadmin and he used the domain admin account as logon credentials in the 24x7 Scheduler, and got the same message (privilege not held, etc.). He then tried a backup service account which he knows has domain level admin rights as well as logon as batch job and act as part of the OS and it too failed with exactly the same message as before.

Anything else to try? Presumably you have hundreds of customers doing this...what am I doing wrong here?

24x7 uses RunAs to run external processes for different user accounts. If you enable tracing you can see it in debug.log file. Please verify the correct user/password are passed to the job.

I have tracing enabled but the username and password do not show up in debug.log. I can verify the password is correct and like I said, I am able to run the job using runas from the command line. I have tried logging in as both the "scheduler" account as well as my domain account, and both run the program using runas correctly.

You should be able to see in the log the complete RunAs command. What do you get there?

2007-07-27 12:34:34,674 [Job #13 - nothing on my machine] DEBUG com.softtreetech.jscheduler.business.runner.ProgramJobRunner - runJob(): start

2007-07-27 12:34:34,752 [Job #13 - nothing on my machine] DEBUG com.softtreetech.jscheduler.business.runner.security.SecurityService - authNativeUser: C:\Program Files\24x7_Scheduler\userchk.exe

2007-07-27 12:34:35,111 [Job #13 - nothing on my machine] DEBUG com.softtreetech.jscheduler.business.runner.ProgramJobRunner - execProcess(): command line [c:\temp\nothing\debug\nothing.exe] in work directory [C:\temp\nothing\Debug]

2007-07-27 12:34:35,173 [Job #13 - nothing on my machine] DEBUG com.softtreetech.jscheduler.business.runner.ProgramJobRunner - waitForProcess(): start

2007-07-27 12:34:35,173 [Thread-9] DEBUG com.softtreetech.jscheduler.business.runner.AbstractJobRunner$TimeoutVerifier - run(): start

2007-07-27 12:34:35,173 [Thread-9] DEBUG com.softtreetech.jscheduler.business.runner.AbstractJobRunner$TimeoutVerifier - run(): end due to zero timeout

2007-07-27 12:34:35,376 [Job #13 - nothing on my machine] DEBUG com.softtreetech.jscheduler.business.runner.ProgramJobRunner - runas failed, exitcode: 1385, output: Error #1385: Logon failure: the user has not been granted the requested logon type at this computer.

Note: User account running RunAs must be assigned "Act as part of the operation system" rights. User account used to run the process must be assigned "Logon as a batch job" rights.

Are you trying to run this is a remote job? Why is this running a check for user credentials before even trying to start the process? How is the environment is setup?

This is all running locally on my Windows machine. If I run the job without supplying credentials, it works fine. If I do supply credentials, it gives me the error I've mentioned. I'm doing it locally with credentials because I want to test how it would work in a remote agent configuration. When I tried running just the agent on my machine and running the master on another machine (Linux, Solaris, etc.), I got exactly the same error as I do now. To make it "easier" to troubleshoot, I realized I could supply credentials to the local job and get the exact same result.

I'm concerned that is caused by security settings caching issue. Have you tried restarting your system?

By the way, are you running the scheduler as a Windows service?

Yes, I have restarted the machine twice. I am not running as a service, I am just running the GUI program directly.

Ok. Please try scheduling RunAS [user] [password] "C:\windows\notepad.exe" as a regular job replacing [user] and [password] with the values you used in the other job properties. Please note that if it works, the Notepad will appear in the task list but you won't see it on your screen. Please let us know the result.

Ah, I see something, you have your own version of runas.exe in the 24x7 directory whereas I was using the version that comes with Windows; I became confused because the parameter list you specified doesn't match the version that comes with Windows.

I ran your version of runas from the command line using both accounts and got exactly the same error as before:

C:\Program Files\24x7_Scheduler>runas my_domain\my_username my_password c:\windows\notepad.exe

RunAs version 2.1
Copyright (c) 2003-2006 SoftTree Technologies, Inc.

Logging in as my_domain\my_username...
Setting user environment...
Logged in. Impersonating...
Starting process c:\windows\notepad.exe...
Error #1314: A required privilege is not held by the client.

Note: User account running RunAs must be assigned "Act as part of the operation system" rights. User
account used to run the process must be assigned "Logon as a batch job" rights.

C:\Program Files\24x7_Scheduler>

I was under the impression you were using the Windows version of runas to execute commands. So anyway, it works fine when I run the Windows version, but it doesn't work when I run your version of runas.exe.