Troubleshooting the BladeLogicRSCD user lockout issues
When a BladeLogicRSCD account is locked, User Privilege Mapping (UPM) access fails. The BladeLogicRSCD account is a local Windows service account that the RSCD Agent uses to grant access to the managed Windows servers. For more information, see Impersonation and privilege mapping.
When you attempt to access a managed Windows server with a locked BladeLogicRSCD account, you may see the following error in a job run log or RCP console message:
Can't access host "<hostname>": Login not allowed for user
On the managed server, the rscd.log file (<RSCD install directory>\rscd.log) might show the following message:
865d94a4ab5624bbf931 0000001331 02/07/21 12:51:23.401 ERROR rscd - WIN19-1 2192 SYSTEM (Not_available): (Not_available): User Impersonation Failed for mapped user BLAdmins:BLAdmin; Error Location: RSCD_WinUser::logonPassword:LsaLogonUser() ; Error Message: The referenced account is currently locked out and may not be logged on to. ; Auxiliary Error Message: BladeLogicRSCD@WIN19-1
- The issue may occur with a single managed Windows server or with multiple servers.
- The affected server may be a Windows Domain Controller or a member server.
For information about other issues that cause the RSCD Agent connectivity failure, see Troubleshooting the RSCD Agent connectivity issues.
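The rscd.log message shown above can be extracted from collected logs to see when each BladeLogicRSCD account was reported as locked and whether the failures cluster in time, which helps when looking for a lockout pattern. This is an added example, not BMC code: the regular expression is derived from the single sample line on this page, the MM/DD/YY date order and the 30-minute quiet period are assumptions, and every sample line except the first is constructed.

```python
import re
from datetime import datetime, timedelta

# Layout follows the sample rscd.log line on this page; date assumed MM/DD/YY.
LOCKOUT_RE = re.compile(
    r"^\S+ \d+ (?P<ts>\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) ERROR rscd - "
    r"(?P<host>\S+) .*?User Impersonation Failed for mapped user (?P<mapped>[^;]+);"
    r".*?currently locked out.*?Auxiliary Error Message: (?P<account>\S+)"
)

def parse_lockouts(lines):
    """Return sorted (timestamp, host, mapped_user, account) lockout failures."""
    events = []
    for line in lines:
        m = LOCKOUT_RE.search(line)
        if m:  # other errors, including other impersonation failures, are skipped
            ts = datetime.strptime(m["ts"], "%m/%d/%y %H:%M:%S.%f")
            events.append((ts, m["host"], m["mapped"].strip(), m["account"]))
    return sorted(events)

def lockout_episodes(events, quiet=timedelta(minutes=30)):
    """Return {account: [(first_seen, failure_count), ...]}, one tuple per episode."""
    # `quiet` is an assumed value; use the lockout duration of the locked system.
    episodes, last_seen = {}, {}
    for ts, _host, _mapped, account in events:
        runs = episodes.setdefault(account, [])
        if account in last_seen and ts - last_seen[account] <= quiet:
            runs[-1] = (runs[-1][0], runs[-1][1] + 1)  # same episode
        else:
            runs.append((ts, 1))  # first failure after a quiet period
        last_seen[account] = ts
    return episodes

# Constructed sample: the first entry is the page's line, the rest are invented.
_TAIL = ("ERROR rscd - WIN19-1 2192 SYSTEM (Not_available): (Not_available): User "
         "Impersonation Failed for mapped user BLAdmins:BLAdmin; Error Location: "
         "RSCD_WinUser::logonPassword:LsaLogonUser() ; Error Message: {} ; "
         "Auxiliary Error Message: BladeLogicRSCD@WIN19-1")
LOCKED = "The referenced account is currently locked out and may not be logged on to."
SAMPLE = [
    "865d94a4ab5624bbf931 0000001331 02/07/21 12:51:23.401 " + _TAIL.format(LOCKED),
    "865d94a4ab5624bbf931 0000001340 02/07/21 12:53:10.118 " + _TAIL.format(LOCKED),
    "865d94a4ab5624bbf931 0000001402 02/07/21 18:51:30.007 " + _TAIL.format(LOCKED),
    "865d94a4ab5624bbf931 0000001410 02/07/21 18:55:00.000 "
    + _TAIL.format("The user name or password is incorrect."),
]

if __name__ == "__main__":
    print(lockout_episodes(parse_lockouts(SAMPLE)))
```

The first timestamp of each episode is the time window to look up in the Windows event log on the locked system.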
Diagnosing and reporting an issue
|1||Understand the problem scope.|
|2||Determine the source of the failed authentication attempts that lead to the account lockout.|
Example Windows event log message
An account failed to log on.
Logon Type: 3
Account For Which Logon Failed:
|3||Correlate the failed authentication attempts to an action.|
Check what was running on that source server at the time of lockout.
|4||If the source of the failed authentication attempts is the system itself, check whether you can restart the RSCD service without any issue.|
If the account lockout happens upon service restart, then the BladeLogicRSCD password may need to be reset. Follow the steps in referenced KA 000379333.
|5||Determine whether the lockouts are occurring with any frequency.|
If the lockout occurs multiple times, determine whether there is a pattern for the lockouts using the Event Log and other information. You can use this information to investigate only those lockouts that are occurring with the same frequency.
|6||Investigate any actions that can cause the lockout.|
If a job ran around the time of the lockout, determine what the job was running. Common causes of the lockout could be:
|7||Identify lockout candidates and test them in isolation.|
If the cause cannot be immediately identified, then set up a time to test run each candidate in isolation when no activity is running on the source and locked system.
Depending on the account lockout threshold defined on the locked system, the candidate action may need to be run multiple times.
|8||Match error messages with those in the "Resolutions for common issues" table.|
Review the information in the "Resolutions for common issues" section to understand the common causes of BladeLogicRSCD user account lockouts and how they can typically be resolved.
If you are unable to identify and resolve the problem, create a BMC Support Case.
|9||Creating a BMC Support Case|
Provide the following information and log files when creating a case with BMC Customer Support:
Resolutions for common issues
rscd.log of a Member Server displays this error:
Unlock the locked BladeLogicRSCD account.
This action provides an immediate resolution to the issue; however, until the root cause of the lockout is determined, the lockout is likely to occur again. See referenced KA 000290455.
rscd.log of the domain controller displays the following error:
Failed authentication attempts due to BladeLogicRSCD from the same system and the account locks after starting the RSCD service.
The only supported method to reset the BladeLogicRSCD password is to use the chapw or agentctl passwd commands. Verify whether some other method was used to change the password.
Failed authentication attempts due to BladeLogicRSCD from another system, which causes the account lock on the problem system.
|Installing RSCD agents in a replicated domain controller environment|