Allow Logon Locally Permission

The Allow Logon Locally policy setting determines which users can start an interactive session on the computer. In AppViewX, the Windows agent starts an interactive session on the target machine to perform the desired operations. This permission is therefore required if the account used is not part of the local administrator group on the Windows Gateway machine.

For more information on this setting, refer to "Allow log on locally - security policy setting - Windows 10 | Microsoft Learn".

Enabling and Configuring the LogonMode Parameter

From AppViewX version 2024.3.0.0, an additional configuration parameter named LogonMode has been introduced so that the "Allow Logon Locally" permission does not have to be granted explicitly. It is set in the AppViewX.CLM.WindowsService.exe.config file.

Follow the steps below if the Allow Logon Locally permission cannot be provided or the Service Account is part of “Deny Logon Locally”.

  1. Go to the AppViewX Windows Gateway Installation Path. The default path is C:\Program Files (x86)\appviewx\AppViewX.CLM.Installer
  2. Open the AppViewX.CLM.WindowsService.exe.config file using a text editor.

  3. Locate the <appSettings> section and set the following entry: <add key="LogonMode" value="Network" />
    Supported values for the LogonMode configuration:
    • Interactive: Uses the Interactive logon mode (Requires Allow Logon Locally Permission)
      This is the default logon mode on the AppViewX Windows Gateway installation. To set the logon mode to Interactive explicitly, edit the AppViewX.CLM.WindowsService.exe.config file and add the following:
      <add key="LogonMode" value="Interactive" />
    • Network: Uses the Network logon method, which does not require explicit Allow Logon Locally permission.

      For LogonMode = Network, you can choose the Windows Gateway authentication mechanism to be used, depending on your environment and its security requirements.

      The following authentication mechanisms are supported:
      • LOGON32_LOGON_NETWORK_CLEARTEXT (default)

        This is the default authentication mechanism. To set it explicitly, edit the AppViewX.CLM.WindowsService.exe.config file and add the following:

        <add key="LogonMode" value="Network" />
        <add key="NetworkLogonType" value="NETWORK_CLEAR_TEXT" />
      • LOGON32_LOGON_NEW_CREDENTIALS
        To use this authentication mechanism, edit the AppViewX.CLM.WindowsService.exe.config file to add the following:
        <add key="LogonMode" value="Network" />
        <add key="NetworkLogonType" value="NEW_CREDENTIALS" />
    Note: If the "LogonMode" parameter is not specified, the system defaults to Interactive logon mode.
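
The defaults and supported values listed above can be checked mechanically. The following PowerShell function is an added example, not AppViewX code: it reads the <appSettings> entries and reports the effective logon settings. The function name, the output property names and the sample XML are assumptions made for illustration, and values are compared case-sensitively against the spellings documented above.

```powershell
# Added example (hypothetical helper, not part of AppViewX).
function Get-AppViewXLogonMode {
    param([Parameter(Mandatory)][xml]$Config)

    # Collect every <add key="..." value="..."/> entry under <appSettings>.
    $settings = @{}
    foreach ($node in $Config.SelectNodes('//appSettings/add')) {
        $settings[$node.GetAttribute('key')] = $node.GetAttribute('value')
    }

    $issues = @()
    $mode = $settings['LogonMode']
    if (-not $mode) {
        $mode = 'Interactive'            # documented default when the key is absent
    } elseif ($mode -cnotin 'Interactive', 'Network') {
        $issues += "Unsupported LogonMode '$mode'"
    }

    $type = $null
    if ($mode -ceq 'Network') {
        $type = $settings['NetworkLogonType']
        if (-not $type) {
            $type = 'NETWORK_CLEAR_TEXT' # documented default for Network mode
        } elseif ($type -cnotin 'NETWORK_CLEAR_TEXT', 'NEW_CREDENTIALS') {
            $issues += "Unsupported NetworkLogonType '$type'"
        }
    } elseif ($settings.ContainsKey('NetworkLogonType')) {
        $issues += 'NetworkLogonType is set, but it is documented only for LogonMode=Network'
    }

    [pscustomobject]@{
        LogonMode              = $mode
        NetworkLogonType       = $type
        # Interactive mode needs the permission unless the account is a local administrator.
        NeedsAllowLogonLocally = ($mode -ceq 'Interactive')
        Issues                 = $issues
    }
}

# Constructed sample; on a gateway, load the real file with [xml](Get-Content -Raw <path>).
$sample = [xml]@'
<configuration>
  <appSettings>
    <add key="LogonMode" value="Network" />
    <add key="NetworkLogonType" value="NEW_CREDENTIALS" />
  </appSettings>
</configuration>
'@
Get-AppViewXLogonMode -Config $sample
```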