6.2.19 Changing the settings for logon retries when a job is executed

In JP1/AJS3, a job^# might be executed with a user account that is different from the account used to start the JP1/AJS3 service. When a job is executed with a different user account, user information called an access token must be acquired. An access token includes the information about the security group to which the user belongs and permission information, and is acquired by using a Win32 API function. In JP1/AJS3, if the function has temporarily failed, logon is not possible, and the status of the job becomes Failed to start (Abnormal end). For example, if the domain controller on the authentication server has stopped because of a shutdown or for another reason, the job is unable to start because the domain cannot be authenticated.

Retrying the function at regular intervals prevents temporary errors of this type, and reduces the frequency at which factors causing job abnormal termination occur.

#:: Refers to PC jobs, action jobs, custom jobs, queue jobs executed on the Windows version of JP1/AJS3, and submit jobs executed by the jpqjobsub command.

The following describes how to specify the setting. Note that the setting must be specified on the host on which the job will be executed.

Organization of this subsection

(1) Definition procedure
(2) Environment setting parameters
(3) Notes

(1) Definition procedure

In Windows Control Panel, open the Services administrative tool, and stop the following service:
- JP1/AJS3 service
Cautionary note:

In a cluster system, check the cluster settings, and also stop the JP1/AJS3 service on each logical host.
Execute the following command to set the environment setting parameters described in (2) below:
```
jajs_config -k definition-key "parameter-name"=value
```
Restart the services that you stopped in step 1.

The new settings are applied.

To Page Top

(2) Environment setting parameters

Table 6‒32: Environment setting parameters used to retry acquisition of an access token when a job is executed
Definition key	Environment setting parameter	Explanation
`[{JP1_DEFAULT\|logical-host}\JP1NBQAGENT\Network]`^#	`"LogonUserRetryCount"=`	This parameter applies when Standard is specified for Exec. Service of the job. The parameter specifies the maximum number of times acquisition of an access token is retried.
`[{JP1_DEFAULT\|logical-host}\JP1NBQAGENT\Network]`^#	`"LogonUserRetryInterval"=`	This parameter applies when Queueless Agent is specified for Exec. Service of the job. The parameter specifies the interval at which acquisition of an access token is retried.

#:: The specification of the {JP1_DEFAULT|logical-host} part depends on whether the host is a physical host or a logical host. For a physical host, specify JP1_DEFAULT. For a logical host, specify the logical host name.

For details about the definition of these environment setting parameters, see the following:

2.3.2(70) LogonUserRetryCount in the Job Management Partner 1/Automatic Job Management System 3 Configuration Guide 2
2.3.2(71) LogonUserRetryInterval in the Job Management Partner 1/Automatic Job Management System 3 Configuration Guide 2

To Page Top

(3) Notes

The logon retry function described above is based on only the number of retry attempts and interval, and is therefore not a complete preventive measure. For example, the time required to switch the domain controller might be longer than the time calculated by multiplying the number of retries by the retry interval.
If the password of the OS user who attempts to execute the job is invalid, the account might be locked, depending on the OS security policy settings.

Note that if the account of a user has been locked, the user cannot execute any jobs.
The logon retries described above are also performed if a logon attempt fails for the reasons listed below. That is, a job might take a long time until it actually ends. Similarly, a job being forced to terminate might take a long time until it actually ends.
- No domain controller on any authentication server is running when an attempt is made to execute a job.
- An attempt is made to execute a job by a user whose password is invalid.
- An attempt is made to execute a job by an unregistered user.
- An attempt is made to execute a job by a user whose account is locked.
- An attempt is made to execute a job by a user whose account is no longer valid.

To Page Top