Getting "Login not allowed for user ..." error message in various scenarios as below:

SCENARIO #1:
Adding a target server fails with the following error on the console:
Login not allowed for <TSSAUser>

<rscd.log>

 ERROR rscd - TARGET 3324 SYSTEM (Not_available): (Not_available): User Impersonation Failed for mapped user BLAdmins:<TSSAUser>; Error Location: lookup_impersonation_user ; Error Message: The data is invalid. ; Auxiliary Error Message: Domain accounts may not be used for privilege mapping user impersonation. Account: xxxxx@my-domain
...
WARN rscd - <sourceIP> 3952 SYSTEM (BLAdmins:<TSSAUser>): CM: Impersonation failed
...

SCENARIO #2.A:
Connection to the target server fails with the following error on the console/job run logs:
Login not allowed for user

<rscd.log>

 WARN     rscd -  <SourceIP> 11228 SYSTEM (Role:<TSSA_User>): CM: Certificate check failed

0c2365df0e6349adcb03 0000000956 08/27/14 11:14:22.127 DEBUG rscd - TARGET 3920 SYSTEM (Not_available): (Not_available): Before first LookupAccountName in initFromUsernameDomain in RSCD_WinUser.cpp. The domain string is : 'TARGET' ; The username string is : 'BladeLogicRSCD'
a4d0c329a6f4d9ae0e42 0000000957 08/27/14 11:14:22.127 DEBUG rscd - TARGET 3920 SYSTEM (Not_available): (Not_available): In refreshNames() in RSCD_WinUser.cpp. The u_NTDomainUsername string is : 'TARGET\BladeLogicRSCD' ; The u_UPN string is : 'BladeLogicRSCD@TARGET'
e91b7ed605c442019a6c 0000000958 08/27/14 11:14:22.127 DEBUG rscd - TARGET 3920 SYSTEM (Not_available): (Not_available): RSCD_UnprivilegedUser.cpp - found encryption key in registry
4c8c401692855573bbb8 0000000959 08/27/14 11:14:22.127 DEBUG rscd - TARGET 3920 SYSTEM (Not_available): (Not_available): RSCD_UnprivilegedUser.cpp - found encrypted password in registry
6b3e3b6d2e25e9f97161 0000000960 08/27/14 11:14:22.127 DEBUG rscd - TARGET 3920 SYSTEM (Not_available): (Not_available): RSCD_WinUser:logonPassword - user name is 'BladeLogicRSCD'
6ece3610e3430fd91753 0000000961 08/27/14 11:14:22.127 DEBUG rscd - TARGET 3920 SYSTEM (Not_available): (Not_available): RSCD_WinUser:logonPassword - domain name is 'TARGET'
f5ffcca7367bad838b80 0000000962 08/27/14 11:14:22.143 DEBUG rscd - TARGET 3920 SYSTEM (Not_available): (Not_available): RSCD_UnpriviledUser:get_reg_password: wee.GetErrorCode()=775
92f99c19f636561ab60e 0000000963 08/27/14 11:14:22.143 ERROR rscd - TARGET 3920 SYSTEM (Not_available): (Not_available): User Impersonation Failed ; Error Location: RSCD_WinUser::logonPassword:LsaLogonUser() ; Error Message: The referenced account is currently locked out and may not be logged on to. ; Auxiliary Error Message: BladeLogicRSCD@TARGET
6acfb704158b0a4a7df1 0000000964 08/27/14 11:14:22.143 WARN rscd - <SourceIP> 3920 SYSTEM (administrator): agentinfo: Impersonation failed
5b859b014a475d18929e 0000000965 08/27/14 11:14:22.143 DEBUG rscd - <SourceIP> 3920 SYSTEM (administrator): agentinfo: ***** New connection *****
...

Note: Please see the TSSA RSCD Agent Connectivity Troubleshooting Guide for more details on troubleshooting this issue.

SCENARIO #1:
Validate if:
- A domain account is being used in the user configuration files (exports, users.local, users)
As the error suggests, domain account should not be used in any of user configuration files for non-domain controller targets
- The target is not domain controller, modify the mapping entry to use a local admin account instead of a domain account

SCENARIO #2.A:
As per the warning message in the rscd logs of the failed execution "CM: Certificate check failed", the appserver to agent communication is being established over the client certs
Validate if:
- On the application servers, there is a id.pem file created under directory - rsc\certs\SYSTEM
- On the target server, the secure file has the below entry in the 'rscd' line:

tls_mode=encryption_and_auth

- The cert is pushed from the application server to the target server as per:
Windows:- TLS with client-side certs - Securing a Windows Application Server
Linux:- TLS with client-side certs - Securing a UNIX Application Server

SCENARIO #2.B:
As per the error message in the rscd logs, the BladeLogicRSCD account gets locked.
Lockout of 'BladeLogicRSCD' local account can occur while running a deploy job against the server, when the server has a share on it, that is being accessed by another server in the network
This is a non-conventional way of creating shares and is a windows behavior that causes the servers to access the network shares (happens outside the TSSA job as well).
For customers using this method, the work around to avoid the local account lockout issue is as follows:
1. Rename agent user name to something different than BladelogicRSCD on the servers where lockout is seen.
or
2. Change the password on all windows hosts for BladelogicRSCD user to be the same. Can be achieved using chapw command

SCENARIO #3
The error suggests that the user account used for agent mapping does not exist or is invalid.
- Thus check the mapping entry in the user configuration files ('exports', 'users.local', 'users') on the target under 'rsc' folder to find the name of user account and confirm that it exists with appropriate permission (member of Administrator group in case of Windows or 'root' in case of Linux)
- If the target is behind SOCKS proxy, check the connectivity from the SOCKS server to the target agent port and validate the target user configuration file, which would be the most common cause of the error.
- It would be helpful to install NSH on the SOCKS proxy server for troubleshooting so that you can test with 'agentinfo' command.


NOTE:
- Refer to the following RSCD Agent Connectivity Troubleshooting Guide to find more details on troubleshooting the issue
- There may be various possibilities that can cause 'BladeLogicRSCD' account to get locked out, which often comes down to syncing or OS level policy issue
- Also check the target windows event log to find more clues on the lockout issue
For more details of BladeLogicRSCD account lock out, refer, Troubleshooting the BladeLogicRSCD user lockout issues

See the following video for further assistance: