We moved our license from from WS 2003 to 2012 R2. We're on VC 7.1.6.

Before under WS 2003 we would use credentials to logon and unlock for teh task. Now, it fails to connect to credential provider.

So, we disabled all credentials and kept the server logged in. Also, removed credentials from mapped network drives.

Now, the first task of some jobs just fail with a 267: "The directory name is invalid” exit code. The directory is there. If you open VC you can run the job no problem just when it's scheduled that it's having issues.

Any ideas?

Did you reboot the server after installing on 2012. It needs a reboot to install the Credential provider which is very different from 2003.

---

Did you reboot the server after installing on 2012. It needs a reboot to install the Credential provider which is very different from 2003.

Yes. It's a new server and after VC credentials did not work restarted server again.

We even tried this as it says for WS 2008:

Administrative tools
Local Security Policy
Security Settings
Local Policies
Interactive logon: Do not require CTRL+ALT+DEL
Change to Enabled

That setting also require a reboot.

I am not sure how it is related (why you removed the Credentials). I suggest the following:

1. reboot again
2. create new Credential
3. create a simple foreground task that runs notepad.exe (you need to use Execute Task with full path to it).

---

That setting also require a reboot.

I am not sure how it is related (why you removed the Credentials). I suggest the following:

1. reboot again
2. create new Credential
3. create a simple foreground task that runs notepad.exe (you need to use Execute Task with full path to it).

Thanks. I'll try that at end of day.

After server restart and removing all credentials and network drives in VC we recreated them. Same issue in that for the foreground task it will connect to credentials provider!

After server restart and removing all credentials and network drives in VC we recreated them. Same issue in that for the foreground task it will connect to credentials provider!

Which version are you running?
Please look at the first lines in server_startup.txt. There should be related information about the Credential provider there. Please post the related line(s).

---

C:\Program Files (x86)\VisualCron\log
C:\Program Files\VisualCron\log

There's a server_startup.txt file and also various log_serveryyyymmdd.txt files in both locations.

5/13/2014 5:56:00 PM Debug Credential provider->Prepare interaction
5/13/2014 5:56:00 PM Debug Is Vista or higher: True
5/13/2014 5:56:01 PM Debug Assembly loaded: System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
5/13/2014 5:56:01 PM Debug Credential provider->Credential provider was already installed.
5/13/2014 5:56:01 PM Debug Credential provider->Credential provider test ok.
5/13/2014 5:56:01 PM Debug Prepare XML writer settings
5/13/2014 5:56:01 PM Debug 7Zip library path: C:\Program Files (x86)\VisualCron\7z64.dll
5/13/2014 5:56:02 PM Debug Current user: REL\vcron
5/13/2014 5:56:02 PM Debug Create directories
5/13/2014 5:56:02 PM Debug Output folder: C:\Documents and Settings\All Users\Application Data\VisualCron\output
5/13/2014 5:56:02 PM Debug Startup function called
5/13/2014 5:56:02 PM Info OS version: WindowsServer2012Standard
5/13/2014 5:56:02 PM Info VisualCron - Server: 7.1.6 - build: 18676 - protocol: 7.0.0
5/13/2014 5:56:02 PM Info Cleaning up local database according to cleanup rules
5/13/2014 5:56:03 PM Debug Startup path: C:\Program Files (x86)\VisualCron
5/13/2014 5:56:03 PM Debug Loading license file
5/13/2014 5:56:03 PM Debug Assembly loaded: Microsoft.GeneratedCode, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
5/13/2014 5:56:03 PM Debug License file was successfully loaded
5/13/2014 5:56:04 PM Debug Saving license file
5/13/2014 5:56:04 PM Debug License file was saved successfully
5/13/2014 5:56:04 PM Debug Successful verification of Activation code
5/13/2014 5:56:04 PM Info License status: Activated

So, it seems to be installed properly. I would recommend turning on extended debugging in server settings. Try to run the Task again and then send us log_serverDATE.txt to support@visualcron.com

Let us know the Job and Task name.

---

I'm not understanding what tasks/interactions you have configured.. I assume this is a new server, new install of VisualCron, and entirely new tasks/credentials/etc.. or did you do a backup on your 2003 server and import the settings on the 2012 server?

Not sure what sort of testing environment Henrik/etc.. have, but I have 2012 R2 and can test if it's explained what exactly you're trying to do... so i can see if i can reproduce it.

Brian

So, it seems to be installed properly. I would recommend turning on extended debugging in server settings. Try to run the Task again and then send us log_serverDATE.txt to support@visualcron.com

Let us know the Job and Task name.

Emailed you the server log with extended debugging. Task is test at the end run at around 3:30pm.

I'm not understanding what tasks/interactions you have configured.. I assume this is a new server, new install of VisualCron, and entirely new tasks/credentials/etc.. or did you do a backup on your 2003 server and import the settings on the 2012 server?

Not sure what sort of testing environment Henrik/etc.. have, but I have 2012 R2 and can test if it's explained what exactly you're trying to do... so i can see if i can reproduce it.

Brian

What are your Interactive Logon settings under Local Security Policy > Local Policies > Security Options?

We are getting the Desktop Unlock/Logon failed - Failed to connect to Credential Provider.

Henrik mentioned that this "prevents you from running the Task in foreground mode. Please check documentation about enabling CTRL+ALT+DEL and reboot the server."

We had tried both enabled and disabled for "Interactive logon: Do not require CTRL+ALT+DEL".

What are your Interactive Logon settings under Local Security Policy > Local Policies > Security Options?

We are getting the Desktop Unlock/Logon failed - Failed to connect to Credential Provider.

Henrik mentioned that this "prevents you from running the Task in foreground mode. Please check documentation about enabling CTRL+ALT+DEL and reboot the server."

We had tried both enabled and disabled for "Interactive logon: Do not require CTRL+ALT+DEL".

We have the "Interactive logon: Do not require CTRL+ALT+DEL" set to disabled.
We also have the "Interactive logon: Require Domain Controller authentication to unlock workstation" disabled.

BUT, I guess what I still don't see in your reply is... What exactly are you trying to do that isn't working? Lets say I just installed VisualCron and have only the 2 default Jobs, no credentials, and the service is running as 'Local System'.

What do I need to configure to try what you're trying? I've got several 2012 Systems I can test with. Workgroup systems, Domain joined systems, etc..

Brian

We run the tasks in foreground execution using the local Visualcron Server and it's set to execute on any desktop session. On the old server we had it Logon/Unlock using Credential before execution and it worked fine. On the new server it's failing to connect to the Credential Provider. We also use network drives mappings.

I was able to successfully get this to work by doing nothing more than 'enabling' the "Interactive logon: Do not require CTRL+ALT+DEL"

When I tried a simple Execute task, with the option to use Any desktop, using a credential that has the 'local login' and 'load user profile' checkboxes enabled, it worked.

Prior to changing our group policy for my machine, I was getting the same error as you.

If I change it back, so the CTRL+ALT+DEL is required again, it fails.

Brian

I was able to successfully get this to work by doing nothing more than 'enabling' the "Interactive logon: Do not require CTRL+ALT+DEL"

When I tried a simple Execute task, with the option to use Any desktop, using a credential that has the 'local login' and 'load user profile' checkboxes enabled, it worked.

Prior to changing our group policy for my machine, I was getting the same error as you.

If I change it back, so the CTRL+ALT+DEL is required again, it fails.

Brian

Did you have to restart the server after changing the "Interactive logon: Do not require CTRL+ALT+DEL" setting?

Without a restart right now I have the same issue as before no matter if I enable or disable that setting.

Here's a full list of the Local Policies > Security Options:

Policy Security Setting
Accounts: Administrator account status Enabled
Accounts: Block Microsoft accounts Not Defined
Accounts: Guest account status Disabled
Accounts: Limit local account use of blank passwords to console logon only Enabled
Accounts: Rename administrator account Administrator
Accounts: Rename guest account Guest
Audit: Audit the access of global system objects Disabled
Audit: Audit the use of Backup and Restore privilege Disabled
Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings Not Defined
Audit: Shut down system immediately if unable to log security audits Disabled
DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax Not Defined
DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax Not Defined
Devices: Allow undock without having to log on Enabled
Devices: Allowed to format and eject removable media Not Defined
Devices: Prevent users from installing printer drivers Enabled
Devices: Restrict CD-ROM access to locally logged-on user only Not Defined
Devices: Restrict floppy access to locally logged-on user only Not Defined
Domain controller: Allow server operators to schedule tasks Not Defined
Domain controller: LDAP server signing requirements None
Domain controller: Refuse machine account password changes Not Defined
Domain member: Digitally encrypt or sign secure channel data (always) Enabled
Domain member: Digitally encrypt secure channel data (when possible) Enabled
Domain member: Digitally sign secure channel data (when possible) Enabled
Domain member: Disable machine account password changes Disabled
Domain member: Maximum machine account password age 30 days
Domain member: Require strong (Windows 2000 or later) session key Enabled
Interactive logon: Display user information when the session is locked Not Defined
Interactive logon: Do not display last user name Disabled
Interactive logon: Do not require CTRL+ALT+DEL Enabled
Interactive logon: Machine account lockout threshold Not Defined
Interactive logon: Machine inactivity limit Not Defined
Interactive logon: Message text for users attempting to log on Not Defined
Interactive logon: Message title for users attempting to log on Not Defined
Interactive logon: Number of previous logons to cache (in case domain controller is not available) 10 logons
Interactive logon: Prompt user to change password before expiration 5 days
Interactive logon: Require Domain Controller authentication to unlock workstation Disabled
Interactive logon: Require smart card Disabled
Interactive logon: Smart card removal behavior No Action
Microsoft network client: Digitally sign communications (always) Disabled
Microsoft network client: Digitally sign communications (if server agrees) Enabled
Microsoft network client: Send unencrypted password to third-party SMB servers Disabled
Microsoft network server: Amount of idle time required before suspending session 15 minutes
Microsoft network server: Attempt S4U2Self to obtain claim information Not Defined
Microsoft network server: Digitally sign communications (always) Enabled
Microsoft network server: Digitally sign communications (if client agrees) Enabled
Microsoft network server: Disconnect clients when logon hours expire Enabled
Microsoft network server: Server SPN target name validation level Not Defined
Network access: Allow anonymous SID/Name translation Disabled
Network access: Do not allow anonymous enumeration of SAM accounts Enabled
Network access: Do not allow anonymous enumeration of SAM accounts and shares Disabled
Network access: Do not allow storage of passwords and credentials for network authentication Disabled
Network access: Let Everyone permissions apply to anonymous users Disabled
Network access: Named Pipes that can be accessed anonymously ,netlogon,samr,lsarpc
Network access: Remotely accessible registry paths System\CurrentControlSet\Control\ProductOptions,System\CurrentControlSet\Control\Server Applications,Software\Microsoft\Windows NT\CurrentVersion
Network access: Remotely accessible registry paths and sub-paths System\CurrentControlSet\Control\Print\Printers,System\CurrentControlSet\Services\Eventlog,Software\Microsoft\OLAP Server,Software\Microsoft\Windows NT\CurrentVersion\Print,Software\Microsoft\Windows NT\CurrentVersion\Windows,System\CurrentControlSet\Control\ContentIndex,System\CurrentControlSet\Control\Terminal Server,System\CurrentControlSet\Control\Terminal Server\UserConfig,System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration,Software\Microsoft\Windows NT\CurrentVersion\Perflib,System\CurrentControlSet\Services\SysmonLog
Network access: Restrict anonymous access to Named Pipes and Shares Enabled
Network access: Shares that can be accessed anonymously Not Defined
Network access: Sharing and security model for local accounts Classic - local users authenticate as themselves
Network security: Allow Local System to use computer identity for NTLM Not Defined
Network security: Allow LocalSystem NULL session fallback Not Defined
Network security: Allow PKU2U authentication requests to this computer to use online identities.

Not Defined
Network security: Configure encryption types allowed for Kerberos Not Defined
Network security: Do not store LAN Manager hash value on next password change Enabled
Network security: Force logoff when logon hours expire Disabled
Network security: LAN Manager authentication level Not Defined
Network security: LDAP client signing requirements Negotiate signing
Network security: Minimum session security for NTLM SSP based (including secure RPC) clients Require 128-bit encryption
Network security: Minimum session security for NTLM SSP based (including secure RPC) servers Require 128-bit encryption
Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication Not Defined
Network security: Restrict NTLM: Add server exceptions in this domain Not Defined
Network security: Restrict NTLM: Audit Incoming NTLM Traffic Not Defined
Network security: Restrict NTLM: Audit NTLM authentication in this domain Not Defined
Network security: Restrict NTLM: Incoming NTLM traffic Not Defined
Network security: Restrict NTLM: NTLM authentication in this domain Not Defined
Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers Not Defined
Recovery console: Allow automatic administrative logon Disabled
Recovery console: Allow floppy copy and access to all drives and all folders Disabled
Shutdown: Allow system to be shut down without having to log on Disabled
Shutdown: Clear virtual memory pagefile Disabled
System cryptography: Force strong key protection for user keys stored on the computer Not Defined
System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing Disabled
System objects: Require case insensitivity for non-Windows subsystems Enabled
System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links) Enabled
System settings: Optional subsystems
System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies Disabled
User Account Control: Admin Approval Mode for the Built-in Administrator account Disabled
User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop Disabled
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode Elevate without prompting
User Account Control: Behavior of the elevation prompt for standard users Prompt for credentials
User Account Control: Detect application installations and prompt for elevation Enabled
User Account Control: Only elevate executables that are signed and validated Disabled
User Account Control: Only elevate UIAccess applications that are installed in secure locations Enabled
User Account Control: Run all administrators in Admin Approval Mode Enabled
User Account Control: Switch to the secure desktop when prompting for elevation Disabled
User Account Control: Virtualize file and registry write failures to per-user locations Enabled

I can't post our settings, as i'd likely get fired if I missed anything and it contained info I'm not allowed to share... but i'll look over the list and compare with our standard.

That being said...

Are you doing this via Domain group policy or just using the local policy? I tested on my domain-joined system where we have a policy 'disabling' that CTRL+ALT+DEL skipping option (aka.. we require it). So I created a new group policy with that ONE setting in it, setting it to 'Enabled' and applied it to my machine only. I then refreshed group policy:

gpupdate /force

and then checked to see the new policy applied:

gpresult /r /scope:computer

The applied GPO's should contain the one you added (at least the way I did it).
I simply logged off at this point, and the CTRL+ALT+DEL was no longer a requirement. no reboots. I haven't tried on a system that's in a workgroup or otherwise not controlled by Domain Group policy.

Brian

Also,

1. Are you joined to a domain or part of a workgroup
2. Is your VisualCron service running as the default of 'Local System' or do you have it running as a service account (local ID or domain ID with admin privileges).
3. if you check the 'VisualCron' service properties, does the 'Log On' tab have the checkbox for 'Allow service to interact with desktop' box checked... assuming you're using the local system account?

Brian

Also,

1. Are you joined to a domain or part of a workgroup
2. Is your VisualCron service running as the default of 'Local System' or do you have it running as a service account (local ID or domain ID with admin privileges).
3. if you check the 'VisualCron' service properties, does the 'Log On' tab have the checkbox for 'Allow service to interact with desktop' box checked... assuming you're using the local system account?

Brian

Under Windows Server Services it's logging in as a particular account and not Local system account.

Also,

1. Are you joined to a domain or part of a workgroup
2. Is your VisualCron service running as the default of 'Local System' or do you have it running as a service account (local ID or domain ID with admin privileges).
3. if you check the 'VisualCron' service properties, does the 'Log On' tab have the checkbox for 'Allow service to interact with desktop' box checked... assuming you're using the local system account?

Brian

Under Windows Server Services it's logging in as a particular account and not Local system account.

Missing a very important piece to the puzzle. In order for me to test this I need to know the answer to this. If you could, address each question specifically :)

1. Is the VisualCron service running as a local account or a domain account?
2. Is the account running the service part of the local administrators group on the server.
3. Is the credential you're using for unlocking/logging in via the task the same ID as the one used to run visualcron, or is it another user.
4. If question 3 is a 'different' user than #1, is THAT user a local user account or a domain account? AND, is it an administrator on the server also.

Brian

Well, the issue with connection to the Credentials Provider continues. However, we kept the server logged in as Administrator and had the jobs run locally. This worked for the past few weeks.

However, after updating to version 7.1.7 now some jobs run and others don't. For the very first task of a job it comes up with the 267 exit code (The directory name is invalid).

We have a mixture of logical and absolute drive mappings embedded withing the individal tasks/apps. We also have the logical drive mappings included within Server > Network Drives.

Any ideas?

Well, the issue with connection to the Credentials Provider continues. However, we kept the server logged in as Administrator and had the jobs run locally. This worked for the past few weeks.

However, after updating to version 7.1.7 now some jobs run and others don't. For the very first task of a job it comes up with the 267 exit code (The directory name is invalid).

We have a mixture of logical and absolute drive mappings embedded withing the individal tasks/apps. We also have the logical drive mappings included within Server > Network Drives.

Any ideas?

Generally I cannot recommend using logical drives for two reasons:

1. they are not shared between the desktop context of a user and the VisualCron service. Only way is to map it in VisualCron too.
2. they create another layer that makes it more prone to fail. A UNC path will be much better to use in this case.

---

Things worked for that past 5 months until we upgraded to version 7.5. Now, we get the old "267: The directory name is invalid.” error. Nothing was changed except the updated to new version!

If we try credentials we get the “77777 VisualCron specific error” error.

Same NEED for logical drive mappings and still not authenticating credentials.

Things worked for that past 5 months until we upgraded to version 7.5. Now, we get the old "267: The directory name is invalid.” error. Nothing was changed except the updated to new version!

If we try credentials we get the “77777 VisualCron specific error” error.

Same NEED for logical drive mappings and still not authenticating credentials.

It sounds like the drive does not exist in the VC context. Do you see the drive in "Mapped drives" within VisualCron (not outside VC)?

---