A Windows machine is enrolled with the Centrify Client for Windows (ccagent), and the Agent Auth feature is enabled to allow a specific user or role to log in, but the login fails with the error "The user has not been granted the requested logon type at this machine".
In the ccagent logs, the login itself is reported as successful:
INFO : 2019/04/19 17:13:43.177860 connection_handler_windows.go:95:  Login success - user email@example.com auth complete
However, the Windows Event Viewer records a failed logon in the Security log:
Event ID 4625: "The user has not been granted the requested logon type at this machine"
In some AD or local configurations, a group policy restricts who may log on to the machine interactively (a separate setting controls logon through Remote Desktop):
Location: Computer Configuration->Policies->Windows Settings->Security Settings->Local Policies->User Rights Assignment
Policies: "Allow log on locally" (SeInteractiveLogonRight) and "Allow log on through Remote Desktop Services" (SeRemoteInteractiveLogonRight)
By default, members of the local Users group are granted "Allow log on locally", and members of Remote Desktop Users are granted "Allow log on through Remote Desktop Services". Administrators may, however, remove the Users group so that only members of Administrators can log on, or restrict the right to a particular user or group. Note that the corresponding "Deny log on locally" and "Deny log on through Remote Desktop Services" policies take precedence over the allow policies, so an account that is in both an allowed and a denied group is still refused.
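The following PowerShell script is an added diagnostic example; it is not part of the Centrify article and not Centrify's own tooling. Run it in an elevated session on the enrolled machine. It assumes the local account name the ccagent created for the cloud user (the placeholder cloud.user), and it relies only on built-in Windows tools: it lists recent 4625 events whose NTSTATUS is 0xC000015B (STATUS_LOGON_TYPE_NOT_GRANTED, the code behind the error text above), exports the effective User Rights Assignment with secedit to show who holds or is denied the two logon rights, and lists the local groups the failing account belongs to so the two can be compared.

```powershell
# Added example, not part of the Centrify article: diagnose a failed Agent Auth logon.
# Run in an elevated PowerShell session on the enrolled Windows machine.
# $FailedUser is a placeholder for the local account name the ccagent created for the cloud user.
$FailedUser = 'cloud.user'

# 1. Recent 4625 (logon failure) events whose Status is 0xC000015B, the NTSTATUS
#    STATUS_LOGON_TYPE_NOT_GRANTED behind "has not been granted the requested logon type".
#    LogonType 2 = interactive (console), 10 = RemoteInteractive (RDP), 7 = unlock.
Get-WinEvent -LogName Security -FilterXPath '*[System[EventID=4625]]' -MaxEvents 200 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            User      = $d['TargetUserName']
            LogonType = $d['LogonType']
            Status    = $d['Status']
            SubStatus = $d['SubStatus']
        }
    } |
    Where-Object { $_.Status -eq '0xc000015b' } |
    Format-Table -AutoSize

# 2. Effective holders of the allow/deny logon rights. secedit exports the policy that is
#    actually in force, so settings pushed by a domain GPO are included once applied.
$cfg = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$policy = Get-Content -Path $cfg -Encoding Unicode
$rights = 'SeInteractiveLogonRight', 'SeRemoteInteractiveLogonRight',
          'SeDenyInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight'
foreach ($r in $rights) {
    $line = $policy | Where-Object { $_ -match "^$r\s*=" }
    if (-not $line) { "$r : nobody"; continue }
    # Values look like *S-1-5-32-544,*S-1-5-32-545; translate each SID to an account name.
    $names = (($line -split '=', 2)[1] -split ',') | ForEach-Object {
        $p = $_.Trim().TrimStart('*')
        try { ([System.Security.Principal.SecurityIdentifier]$p).Translate([System.Security.Principal.NTAccount]).Value }
        catch { $p }
    }
    "$r : $($names -join ', ')"
}
Remove-Item -Path $cfg -ErrorAction SilentlyContinue

# 3. Local groups the failing account belongs to; compare against the holders printed above.
#    With no ccagent local group mapping, expect only Users and Remote Desktop Users here.
Get-LocalGroup | Where-Object {
    (Get-LocalGroupMember -Group $_ -ErrorAction SilentlyContinue).Name -contains "$env:COMPUTERNAME\$FailedUser"
} | Select-Object -ExpandProperty Name
```

If step 2 shows SeInteractiveLogonRight without BUILTIN\Users (or the account's groups appearing under a SeDeny right) while step 3 shows the account only in Users and Remote Desktop Users, the policy restriction described above is the cause.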
To allow cloud users to log in through the ccagent, the agent creates a local user account on the system. If a local group mapping is configured, that account is added to the mapped local groups; otherwise it is added to the default groups, Users and Remote Desktop Users. So, if no local group mapping was specified and members of the local Users group are not allowed to log on locally, the cloud user's account holds no logon right and the login fails with event 4625, even though the ccagent reports the authentication as successful.
For customers with such a restriction, the recommendation is to create a dedicated local group for cloud users and grant that group "Allow log on locally" (and, if Remote Desktop access is needed, "Allow log on through Remote Desktop Services") in the policy. Once the policy is in place, configure the ccagent local group mapping to map cloud users to this local group. If the restriction is applied through a domain GPO, the group must be added in that GPO; a change made only in the local security policy is overwritten at the next policy refresh.
An alternative is to set the local group mapping to add cloud users to the local Administrators group, but this grants full control of the machine and should only be applied to cloud users who genuinely require elevated privileges on the system.
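As an added example (not from the Centrify article, and not Centrify tooling), the script below performs the local-policy half of the recommendation above: it creates the dedicated local group and appends its SID to both logon rights with a secedit template, keeping every existing holder. The group name Centrify Cloud Users is an assumption; the ccagent local group mapping to that group still has to be configured in the Centrify client settings as the article describes. Run it elevated, and only on machines where the rights are not controlled by a domain GPO (there, add the group to the GPO's User Rights Assignment instead).

```powershell
# Added example, not part of the Centrify article: create a dedicated local group for
# cloud users and grant it the interactive and Remote Desktop logon rights without
# removing any existing holders. Run elevated. $GroupName is an assumed name.
# Caveat: if the rights are set by a domain GPO, add the group there instead; this local
# change is overwritten at the next policy refresh.
$GroupName = 'Centrify Cloud Users'

if (-not (Get-LocalGroup -Name $GroupName -ErrorAction SilentlyContinue)) {
    New-LocalGroup -Name $GroupName -Description 'Cloud users mapped by the Centrify client' | Out-Null
}
$sid = (Get-LocalGroup -Name $GroupName).SID.Value

# Read the current holders so the new entries are appended rather than replacing them.
$export = Join-Path $env:TEMP 'rights-export.inf'
secedit /export /cfg $export /areas USER_RIGHTS | Out-Null
$policy = Get-Content -Path $export -Encoding Unicode

$updated = foreach ($r in 'SeInteractiveLogonRight', 'SeRemoteInteractiveLogonRight') {
    $line = $policy | Where-Object { $_ -match "^$r\s*=" }
    $holders = @()
    if ($line) {
        $holders = @((($line -split '=', 2)[1] -split ',') | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    }
    if ($holders -notcontains "*$sid") { $holders += "*$sid" }
    "$r = $($holders -join ',')"
}

# Minimal security template: only the [Privilege Rights] area is applied.
$header = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
'@
$template = Join-Path $env:TEMP 'rights-apply.inf'
$database = Join-Path $env:TEMP 'rights-apply.sdb'
Set-Content -Path $template -Value ($header + "`r`n" + ($updated -join "`r`n")) -Encoding Unicode
secedit /configure /db $database /cfg $template /areas USER_RIGHTS | Out-Null

# Verify: the group's SID must now appear on both rights.
secedit /export /cfg $export /areas USER_RIGHTS | Out-Null
Get-Content -Path $export -Encoding Unicode | Select-String -SimpleMatch $sid
Remove-Item -Path $export, $template, $database -ErrorAction SilentlyContinue
```

The template is applied through secedit rather than by editing the registry so that the change goes through the same Local Security Authority path a GPO uses and is visible in the Local Security Policy console afterwards; the verification export at the end should print both SeInteractiveLogonRight and SeRemoteInteractiveLogonRight lines containing the new group's SID.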