
Interactive Logon Rights for Qlik Sense installation

Andre_Sostizzo
Digital Support


Last Update: Oct 28, 2020 10:52:51 AM

Updated By: Sonja_Bauernfeind

Created date: Jul 17, 2018 1:03:59 PM

This article outlines the requirement that the service account have interactive logon permission on the Qlik Sense server in order to perform a new installation. This requirement was introduced in the February 2018 release.

The following may be registered in the logs:



Installation failed
An error has occurred
One or more of your shared persistence file share folders has not been configured correctly, or the service user does not have the appropriate access permissions.


If the service account does not have interactive logon rights, the installer fails with a trace like the following in the underlying log files (see How To Collect Qlik Sense Installation Log File for guidance on locating those log files):

Calling custom action Qlik.QustomActions64!Qlik.QustomActions64.FolderValidation.ValidateSharedFolders
Action 16:27:25 33 SERVICEUSER: domain\svc_qliksense
Action 16:27:25 33 SHAREDROOTFOLDER: \\FILESHARE\SharedFolder
Action 16:27:25 33 STATICCONTENTROOT: \\FILESHARE\SharedFolder\StaticContent
Action 16:27:25 33 CUSTOMDATAROOT: \\FILESHARE\SharedFolder\CustomData
Action 16:27:25 33 ARCHIVEDLOGSROOT: \\FILESHARE\SharedFolder\ArchivedLogs
Action 16:27:25 34 APPSROOT: \\FILESHARE\SharedFolder\Apps
Action 16:27:25 34 Before impersonation: NT AUTHORITY\SYSTEM
Action 16:27:25 39 After finished impersonation: NT AUTHORITY\SYSTEM
Exception thrown by custom action:
System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.NullReferenceException: Object reference not set to an instance of an object.
   at Qlik.QustomActions64.FolderValidation.ImpersonatedValidator.ValidateFolder(String folder, Func`2 evaluationCallback)
   at Qlik.QustomActions64.FolderValidation.ImpersonatedValidator.ValidateSharedRootFolder(String folder)
   at Qlik.QustomActions64.FolderValidation.ValidateSharedFolders(Session s)
   --- End of inner exception stack trace ---
   at System.RuntimeMethodHandle.InvokeMethod(Object target, Object arguments, Signature sig, Boolean constructor)
   at System.Reflection.RuntimeMethodInfo.UnsafeInvokeInternal(Object obj, Object parameters, Object arguments)
   at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object parameters, CultureInfo culture)
   at Microsoft.Deployment.WindowsInstaller.CustomActionProxy.InvokeCustomAction(Int32 sessionHandle, String entryPoint, IntPtr remotingDelegatePtr)
CustomAction CA_ValidateSharedFolders returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)


 
 

Environment:

  • Qlik Sense Enterprise and version

 

Beginning in Qlik Sense February 2018, additional functionality was added to the Qlik Sense Enterprise installation package. This function checks that the service account has the appropriate rights on the Service Cluster path that was entered during installation. To check the rights on the share, the installer uses Windows APIs that require interactive logon rights in order to impersonate the service account. This requirement is expected in February 2018, April 2018, and June 2018. For the September 2018 release and newer, the Option 3 documented here was added as a workaround.

 

Resolution:

 

For September 2018 and newer:

Option 1:

  • Open the Local Security Policy module
    • Right Click on Run > secpol.msc
  • Navigate to Local Policies > User Rights Assignment:
    • Allow log on locally: Ensure that the Qlik Sense Service account is provisioned this right
    • Deny log on locally: Ensure that the Qlik Sense Service account is not listed there, either directly by name or indirectly by group membership
  • Complete installation of Qlik Sense
  • (Optional): Revert the changes to the rights assignment post installation

Option 2:

  • Install Qlik Sense November 2017 and upgrade to the desired build of Qlik Sense

Option 3:

Install Qlik Sense using its silent installation syntax. See Performing a silent installation with the skipvalidation parameter.

Example:

Qlik_Sense_setup.exe -s userwithdomain=domain\svc_qliksense userpassword=ServiceAccountPassword123! dbpassword=DBPassword123! sharedpersistenceconfig=C:\Temp\spc.cfg skipvalidation=1

 

Option 4:

 

For February 2018 - June 2018 Releases:

Option 1:

  • Open the Local Security Policy module
    • Right Click on Run > secpol.msc
  • Navigate to Local Policies > User Rights Assignment:
    • Allow log on locally: Ensure that the Qlik Sense Service account is provisioned this right
    • Deny log on locally: Ensure that the Qlik Sense Service account is not listed there, either directly by name or indirectly by group membership
  • Complete installation of Qlik Sense
  • (Optional): Revert the changes to the rights assignment post installation
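
A read-only pre-installation check for Option 1 (it applies to both release ranges), added here as an example and not part of the original article or Qlik's tooling: it exports the User Rights Assignment with secedit and reports whether the service account holds Allow log on locally (SeInteractiveLogonRight) and is absent from Deny log on locally (SeDenyInteractiveLogonRight), directly or through group membership. The UPN default is a placeholder; the script assumes a domain service account, a domain-joined server and an elevated PowerShell session.

```powershell
# Added example (not Qlik's code). Run elevated on the Qlik Sense server.
# Assumptions: domain service account, domain-joined server; $Upn is a placeholder.
param([string]$Upn = 'svc_qliksense@domain.example')

# Build the account's SID set (itself plus every group in its token) without its password.
# WindowsIdentity(upn) performs a Kerberos S4U logon, so nested groups are included.
$id   = [System.Security.Principal.WindowsIdentity]::new($Upn)
$sids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })

# Export the current User Rights Assignment to an INF file.
$inf = Join-Path $env:TEMP 'user_rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null

function Get-RightHolder([string]$Right) {
    # Entries look like: SeInteractiveLogonRight = *S-1-5-32-544,DOMAIN\name
    $line = Get-Content $inf | Where-Object { $_ -match "^$Right\s*=" } | Select-Object -First 1
    if (-not $line) { return @() }          # Right not assigned to anyone
    foreach ($entry in ($line -split '=', 2)[1].Split(',')) {
        $entry = $entry.Trim()
        if ($entry.StartsWith('*')) { $entry.Substring(1); continue }   # already a SID
        try {   # Some entries are stored by name rather than SID; resolve them.
            ([System.Security.Principal.NTAccount]$entry).Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch { Write-Warning "Cannot resolve '$entry' listed under $Right" }
    }
}

# Keep only the policy entries that match the account or one of its groups.
$allow = @(Get-RightHolder 'SeInteractiveLogonRight')     | Where-Object { $sids -contains $_ }
$deny  = @(Get-RightHolder 'SeDenyInteractiveLogonRight') | Where-Object { $sids -contains $_ }

[pscustomobject]@{
    Account           = $id.Name
    AllowLogOnLocally = [bool]$allow
    GrantedVia        = $allow -join ', '    # SIDs of the matching account or groups
    DenyLogOnLocally  = [bool]$deny
    DeniedVia         = $deny -join ', '
    ReadyForInstaller = [bool]$allow -and -not $deny
}
Remove-Item $inf
```

Running it again after the optional revert step confirms that the temporary grant is gone: AllowLogOnLocally should return to its pre-installation value.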

Option 2:

  • Install Qlik Sense November 2017 and upgrade to the desired build of Qlik Sense
Comments
giociva
Partner - Creator

Hi @Andre_Sostizzo ,

If the designed Qlik service account IS a local administrator without interactive logon rights and I cannot change this policy with secpol because it is enforced via GPO and prevents changes, would it be OK to install Qlik Sense with another local admin account and change it later to the desired service account?

My only concern is regarding the QlikClient certificate, as I cannot do a run-as different account on mmc to import the cert in the user personal store.

Thanks,

Best
