Getting "Unable to login, Status 503 Invalid Username" when using a non administrator user in the for the Java GUI.

Article:TECH72342  |  Created: 2009-01-14  |  Updated: 2013-04-26  |  Article URL http://www.symantec.com/docs/TECH72342
Article Type
Technical Solution

Product(s)

Environment

Issue



Getting "Unable to login, Status 503 Invalid Username" when using a non administrator user in the for the Java GUI.


Error



Unable to login, Status 503 Invalid Username

Status Code: 503


Cause



The NetBackup Java Console uses the Microsoft API named "LogonUser" which uses a logon operation called LOGON32_LOGON_INTERACTIVE.  

Because of this, user id's must have OS level permissions to Logon Interactively.

If Logon Interactively permissions do not exist, a Security Event Log "Failure Audit" message will be recorded (assuming the Local Security Setting "Audit Login Events" is configured to audit Failures)

Example:
 

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff 
Event ID: 534
Date: 2/27/2012
Time: 1:33:01 PM
User: NT AUTHORITY\SYSTEM
Computer: 2003-X86
Description:
Logon Failure:
  Reason: The user has not been granted the requested
  logon type at this machine
  User Name: duser
  Domain: VLAB1
  Logon Type: 2
 
"Logon Type: 2" is "Interactive".  Reference MS Article 17423 - support.microsoft.com/kb/174073

 


Solution



When you are trying to login with a local user (NOT a domain user), you might see the following error in the <install dir>\veritas\NetBackup\logs\bpjava-msvc.log:

<16> authenticate: LogonUser failed = 1385 = Logon failure: the user has not been granted the requested logon type at this computer.

On the master server itself, the user group that the user is part of is not included in the "Allow log on locally" security policy. Please make sure that the user that you are using to login to the Java GUI, is in a users group that is present in this security policy.

To check which local machine user groups are in this security policy go to:
Local Security Settings -> Local Policies -> User Rights Assignment -> Allow log on locally

If the specific users group is not part of this local security policy please add the user group to the local security policy or add the user to a user group that is part of Allow log on locally policy.
 
"Allow log on locally" is one of several Local Security Policy categories which in combination provide "Logon Interactively" permissions.
For a full list of Security Policy settings which apply to Logon Interactively reference this MS Article: technet.microsoft.com/en-us/library/cc787053(v=ws.10).aspx



Legacy ID



327768


Article URL http://www.symantec.com/docs/TECH72342


Terms of use for this information are found in Legal Notices