
KB-14540: "The user has not been granted the requested logon type at this machine" with Centrify Client for Windows

Privileged Access Service

13 May,19 at 09:50 PM

Problem:

A Windows machine is enrolled using the Centrify Client for Windows (ccagent) and the Agent Auth feature is enabled to allow a specific user or role to log in, but login fails with "The user has not been granted the requested logon type at this machine".

In the ccagent logs a successful login is observed:
INFO : 2019/04/19 17:13:43.177860 connection_handler_windows.go:95: [1204] Login success - user cloudadmin@domain.net auth complete

However, the Event Viewer displays:
Event ID: 4625 in event viewer "The user has not been granted the requested logon type at this machine"


Cause

In some AD or local configurations, a group policy may be set to limit who can log on to the machine locally (a separate setting controls remote access).
 

Location: Policies->Windows Settings->Security Settings->Local Policies->User Rights Assignment 

Policies: "Allow log on locally" and "Allow log on through Remote Desktop Services"

The default setting usually allows members of the Users group to log in. However, administrators may choose to remove the Users group, allowing only members of Administrators to log in, or to restrict access to a particular user.


Resolution:

To allow cloud users to log in through the ccagent, a local user is created on the system. If local group mapping is set, the user is added to the specified local groups. The default groups are Users and Remote Desktop Users. Thus, if no local group mapping was specified and members of the Users local group are not allowed to log on locally, the cloud user won't be able to log in.

The recommendation for customers with such a restriction is to create a local group for cloud users and set the policy to allow local logon for members of this group. Once this is set, local group mapping should be configured to map cloud users to this local group.

A similar solution would be to set local group mapping to add cloud users to the local Administrators group, but this should only be applied to cloud users who require elevated privileges on the system.
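
One way to prepare and verify the recommended setup from PowerShell, as an added example that is not Centrify's own code: it creates a dedicated local group (the name CloudUsers is a hypothetical placeholder) and reports whether that group holds the two logon rights named above. It assumes an elevated session, reads the effective rights with secedit, and does not change the policy or the ccagent local group mapping.

```powershell
# Added example; 'CloudUsers' is a hypothetical group name. Run in an elevated session.
param([string]$GroupName = 'CloudUsers')

# Create the local group for cloud users if it does not exist yet.
$group = Get-LocalGroup -Name $GroupName -ErrorAction SilentlyContinue
if (-not $group) {
    $group = New-LocalGroup -Name $GroupName -Description 'Cloud users allowed to log on'
}
$groupSid = $group.SID.Value

# Export the effective User Rights Assignment to a temporary INF file.
$inf = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null

# Privilege constants behind the two policies named in the article.
$rights = [ordered]@{
    SeInteractiveLogonRight       = 'Allow log on locally'
    SeRemoteInteractiveLogonRight = 'Allow log on through Remote Desktop Services'
}

foreach ($right in $rights.Keys) {
    # The anchor (^) keeps SeInteractiveLogonRight from matching the Remote variant.
    $line = Select-String -Path $inf -Pattern "^$right\s*=" | Select-Object -First 1
    $entries = @()
    if ($line) {
        # Entries are comma separated; SIDs carry a leading '*', account names do not.
        $entries = @(($line.Line -split '=', 2)[1].Split(',') |
            ForEach-Object { $_.Trim().TrimStart('*') })
    }
    # The group may be listed by SID or by name, so check both forms.
    $granted = ($entries -contains $groupSid) -or ($entries -contains $GroupName)
    [pscustomobject]@{
        Policy  = $rights[$right]
        Group   = $GroupName
        Granted = $granted
        Holders = $entries -join ', '
    }
}

Remove-Item $inf -ErrorAction SilentlyContinue
```

A row with Granted set to False means the group still has to be added to that policy under User Rights Assignment before mapped cloud users can log on that way.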
