Jump to content


Photo
- - - - -

Bus & Tasks / Service logon under diffent account


17 replies to this topic

#1 Sean Graves

Sean Graves

    Member

  • Members
  • PipPip
  • 13 posts
  • Gender:Male
  • Location:United Kingdom

Posted 19 September 2006 - 11:02 AM

Hi guys,

I have a Windows 2000 machine where we have had to log the ProIV Service on as a different account due to there being more than one version of Oracle Client installed.

I created an Account called ServiceProIV and made it a member of "administrators".
I set the local policy to state it can logon locally and logon as a service.
This allowed me to set to the local environment for it to use the right Oracle Client.
This all works fine and connects to the environment all succesfully.

I now created a local user account eg BaTClient with a password and made it a member of "Users".

When I try and do a bus and task connection and found that the BaTClient System Username and System Password is being being told it is invalid.

Yet I can log onto the machine succesfully.

If I switch the service account back to use the LocalSystem and try the B&T again it now states it is valid.

So the question is what else is needed to allow the Service to authenticate the userid when the service is logged on as something other than LocalSystem?

Thanks for any help
Sean

#2 Guest_Guest_*

Guest_Guest_*
  • Guests

Posted 21 September 2006 - 01:42 PM

Come on you two - you have to help others out.

You two ONLY ask questions and NEVER provide answers.

Tis always better to give than receive.

#3 Steve Kiernan

Steve Kiernan

    Advanced

  • Members
  • PipPipPip
  • 87 posts
  • Gender:Male
  • Location:United Kingdom
  • Interests:writing wonderful, professional, windows compliant systems in PROIV. Or not.

Posted 22 September 2006 - 08:04 AM

Come on you two - you have to help others out.

You two ONLY ask questions and NEVER provide answers.

Tis always better to give than receive.

Don't understand this unhelpful reply. What are you referring to? You're not even brave enough to identify yourself coward!

#4 Rob_Stebbens

Rob_Stebbens

    Member

  • Members
  • PipPip
  • 30 posts
  • Gender:Male

Posted 22 September 2006 - 08:56 AM

Come on you two - you have to help others out.

You two ONLY ask questions and NEVER provide answers.

Tis always better to give than receive.

Don't understand this unhelpful reply. What are you referring to? You're not even brave enough to identify yourself coward!

Steve,
I think our guest might be refering to the "alleged" high ratio of questions to answers being posted by yourselves at PDS. In fact asking this question only increases that assumed ratio. :x:

#5 Steve Kiernan

Steve Kiernan

    Advanced

  • Members
  • PipPipPip
  • 87 posts
  • Gender:Male
  • Location:United Kingdom
  • Interests:writing wonderful, professional, windows compliant systems in PROIV. Or not.

Posted 22 September 2006 - 09:11 AM

Somebody call a nurse - my sides have just split.

We ask questions when we want to, and we answer questions when we can.

I wasn't aware anything we did was illegal. Now where's that smiley with a raised middle finger?

#6 Rob Donovan

Rob Donovan

    rob@proivrc.com

  • Admin
  • 1,640 posts
  • Gender:Male
  • Location:Spain

Posted 22 September 2006 - 09:23 AM

Hi,

There is no requirement for anyone to answer any questions on this forum.

You ask what you want, and answer what you want......

Rob.

#7 Steve Kiernan

Steve Kiernan

    Advanced

  • Members
  • PipPipPip
  • 87 posts
  • Gender:Male
  • Location:United Kingdom
  • Interests:writing wonderful, professional, windows compliant systems in PROIV. Or not.

Posted 22 September 2006 - 09:38 AM

Hi guys,

I have a Windows 2000 machine where we have had to log the ProIV Service on as a different account due to there being more than one version of Oracle Client installed.

I created an Account called ServiceProIV and made it a member of "administrators".
I set the local policy to state it can logon locally and logon as a service.
This allowed me to set to the local environment for it to use the right Oracle Client.
This all works fine and connects to the environment all succesfully.

I now created a local user account eg BaTClient with a password and made it a member of "Users".

When I try and do a bus and task connection and found that the BaTClient System Username and System Password is being being told it is invalid.

Yet I can log onto the machine succesfully.

If I switch the service account back to use the LocalSystem and try the B&T again it now states it is valid.

So the question is what else is needed to allow the Service to authenticate the userid when the service is logged on as something other than LocalSystem?

Thanks for any help
Sean

So, back to the original question, is there anybody out there who can help - any help is very much appreciated.

#8 Fred Marker

Fred Marker

    Advanced

  • Members
  • PipPipPip
  • 82 posts
  • Gender:Male
  • Location:Columbus, Ohio, United States

Posted 22 September 2006 - 11:47 AM

Hi guys,

I have a Windows 2000 machine where we have had to log the ProIV Service on as a different account due to there being more than one version of Oracle Client installed.

I created an Account called ServiceProIV and made it a member of "administrators".
I set the local policy to state it can logon locally and logon as a service.
This allowed me to set to the local environment for it to use the right Oracle Client.
This all works fine and connects to the environment all succesfully.

I now created a local user account eg BaTClient with a password and made it a member of "Users".

When I try and do a bus and task connection and found that the BaTClient System Username and System Password is being being told it is invalid.

Yet I can log onto the machine succesfully.

If I switch the service account back to use the LocalSystem and try the B&T again it now states it is valid.

So the question is what else is needed to allow the Service to authenticate the userid when the service is logged on as something other than LocalSystem?

Thanks for any help
Sean

We don't use B&T so I am not familiar with its precise requirements.

However, it may be helpful to know some additional information.

What version of ProIV kernel?
What version of ProIV client?
Which user account installed the ProIV kernel?
Which user account installed the ProIV client?

There are settings in the Kernel's pro4.ini which requires that the ProIV user (in the PIV) match a local user account on the server: Such as the following:

[ENVIRONMENT]
USERNAME_VALIDATE=Y
USER_DOMAIN=
LOGONTYPE=INTERACTIVE

Can you provide any additional details of the local accounts, proiv user and exact "invalid" messages?

#9 Guest_Guest_*

Guest_Guest_*
  • Guests

Posted 22 September 2006 - 10:03 PM

My apologies for causing upset, I should have made the statement more light hearted, because that was certainly my intention. Not to cause offence.

As for revealing myself, I will..........




My name is Gary Uest

#10 Guest_Guest_*

Guest_Guest_*
  • Guests

Posted 23 September 2006 - 07:27 AM

Somebody call a nurse - my sides have just split.

We ask questions when we want to, and we answer questions when we can.

I wasn't aware anything we did was illegal. Now where's that smiley with a raised middle finger?

Found it

Posted Image

;)

#11 Guest_Guest_*

Guest_Guest_*
  • Guests

Posted 24 September 2006 - 07:04 PM

That's all very helpful Gary - now go and play in the road.

#12 sean.graves

sean.graves

    Member

  • Members
  • PipPip
  • 15 posts
  • Gender:Male

Posted 25 September 2006 - 09:55 AM

Hi Fred,

Thanks for any help you can give me :-)
Here are my extra details that I forgot to include on the original post.

What version of ProIV kernel?
ProIV 5.5 r345

What version of ProIV client?
MFC Build 524

Which user account installed the ProIV kernel?
ServiceProIV

Which user account installed the ProIV client?
ServiceProIV

There are settings in the Kernel's pro4.ini which requires that the ProIV user (in the PIV) match a local user account on the server: Such as the following:

We have not set any of the following environment keywords as we use the default
[ENVIRONMENT]
USERNAME_VALIDATE=Y
USER_DOMAIN=
LOGONTYPE=INTERACTIVE


Can you provide any additional details of the local accounts, proiv user and exact "invalid" messages?


Local User Account called "ServiceProIV" ( used for the service ).
ServiceProIV is a member of "Administrators" ( have also tried with all security added Power users, users etc ).


Local User Account called "BaTClient" ( used for bus and task authentication ).
BaTClient is a member of "Users".


We install our software and proiv into a folder structure like so
\\Pro50


The entire base folderfolder has the following security added
Administrators Full Access
ServiceProiv Full Access
BaTClient Full Access

The Pro50 folder has one extra security of SYSTEM
Administrators Full Access
ServiceProiv Full Access
BaTClient Full Access
SYSTEM Read & Execute, List Folder COntents & Read


Error from ProIV Bus and Task API
Procedure happens during the call to p4OpenPro4
StatusCode=30
FailReason=97
SubError=97

I have ran a full trace all and noticed in the log

2f0:GetProIVProfileString: [Environment] USERNAME_VALIDATE = '' -- not found
2f0:getprofile: 'USERNAME_VALIDATE', returning '< null >'
2f0:GetProIVProfileString: [Environment] USER_DOMAIN = '' -- not found
2f0:getprofile: 'USER_DOMAIN', returning '< null >'
2f0:GetProIVProfileString: [Environment] LOGONTYPE = '' -- not found
2f0:getprofile: 'LOGONTYPE', returning '< null >'
2f0:doValidateLoginInfo: 2f0:doValidateLoginInfo: >LogonUser 'BaTClient', Domain='', LogonType=2 failed:
A required privilege is not held by the client. (0x522)
2f0:doValidateLoginInfo: error:


Incorrect username or password:

A required privilege is not held by the client. (0x522)


2f0:p4bdNewSession: System username/password incorrect:
2f0:


Incorrect username or password:

A required privilege is not held by the client. (0x522)

I have attached the log in full incase there is anything someone can spot.

What "privilege" is required and which user?
I assume this is refering to the account that the proiv service is logged into?

Now if I tell the services the Pro32srv service to logon as LocalSystem all works fine.
So there must be a trick I am missing when setting the proiv service to logon as a different user.

Thanks again for any help.

Sean

Attached Files



#13 Guest_Guest_*

Guest_Guest_*
  • Guests

Posted 25 September 2006 - 11:14 AM

That's all very helpful Gary - now go and play in the road.

Will do.


Just need a hand getting ya mom off me, boy she's heavy.

#14 Fred Marker

Fred Marker

    Advanced

  • Members
  • PipPipPip
  • 82 posts
  • Gender:Male
  • Location:Columbus, Ohio, United States

Posted 25 September 2006 - 12:02 PM

Sean,

Try explicitly setting:
[ENVIRONMENT]
USERNAME_VALIDATE=N.

Does your pro4.ini on the server have a section named [USER BaTClient]?

Fred

#15 Guest_Guest_*

Guest_Guest_*
  • Guests

Posted 25 September 2006 - 04:13 PM

Fred,

The local username BaTClient is the system username & password you have to give the ProIV API for authentication, not the ProIV Environment.
We use the environment ENVBATCLIENT which is defined in the [Environment Names] section.

We disable the starting of a client with our connection to the proivapi.

Our bus and task makes the connection as follows:

Machine=myserver
Port=0
Secure=0
Environment=ENVBATCLIENT
SystemUserId=BaTClient
SystemPassword=bat
OperatorId=TSK
OperatorPassword=SYS
CompanyDivision=PDS

As my connection works whilst it is a LocalSystem account there must be an extra privalige required for my ServiceProIV user to let ProIV authenticate usernames on Windows NT?



Reply to this topic



  


0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users