Skip to main content
Announcements
Join us at Qlik Connect for 3 magical days of learning, networking,and inspiration! REGISTER TODAY and save!

Interactive Logon Rights for Qlik Sense installation

No ratings
cancel
Showing results for 
Search instead for 
Did you mean: 
Andre_Sostizzo
Digital Support
Digital Support

Interactive Logon Rights for Qlik Sense installation

Last Update:

Oct 28, 2020 10:52:51 AM

Updated By:

Sonja_Bauernfeind

Created date:

Jul 17, 2018 1:03:59 PM

This article outlines the requirement for the service account to have interactive logon permission to the Qlik Sense server in order to perform a new installation. This requirement was introduced on the February 2018 release.

The following may be registered in the logs:



Installation failed      An error has occurred     One or more of your shared persistence file share folders has not been configured correctly, or the service user does not have the appropriate access permissions.


If the service account does not have interactive logon rights, then the installer will error with a trace like as follows in the underlying log files (reference How To Collect Qlik Sense Installation Log File for guidance on locating those logs files):

Calling custom action Qlik.QustomActions64!Qlik.QustomActions64.FolderValidation.ValidateSharedFolders
Action 16:27:25 33 SERVICEUSER: domain\svc_qliksense
Action 16:27:25 33 SHAREDROOTFOLDER: \\FILESHARE\SharedFolder
Action 16:27:25 33 STATICCONTENTROOT: \\FILESHARE\SharedFolder\StaticContent
Action 16:27:25 33 CUSTOMDATAROOT: \\FILESHARE\SharedFolder\CustomData
Action 16:27:25 33 ARCHIVEDLOGSROOT: \\FILESHARE\SharedFolder\ArchivedLogs
Action 16:27:25 34 APPSROOT: \\FILESHARE\SharedFolder\Apps
Action 16:27:25 34 Before impersonation: NT AUTHORITY\SYSTEM
Action 16:27:25 39 After finished impersonation: NT AUTHORITY\SYSTEM
Exception thrown by custom action:
System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.NullReferenceException: Object reference not set to an instance of an object.
   at Qlik.QustomActions64.FolderValidation.ImpersonatedValidator.ValidateFolder(String folder, Func`2 evaluationCallback)
   at Qlik.QustomActions64.FolderValidation.ImpersonatedValidator.ValidateSharedRootFolder(String folder)
   at Qlik.QustomActions64.FolderValidation.ValidateSharedFolders(Session s)
   --- End of inner exception stack trace ---
   at System.RuntimeMethodHandle.InvokeMethod(Object target, Object arguments, Signature sig, Boolean constructor)
   at System.Reflection.RuntimeMethodInfo.UnsafeInvokeInternal(Object obj, Object parameters, Object arguments)
   at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object parameters, CultureInfo culture)
   at Microsoft.Deployment.WindowsInstaller.CustomActionProxy.InvokeCustomAction(Int32 sessionHandle, String entryPoint, IntPtr remotingDelegatePtr)
CustomAction CA_ValidateSharedFolders returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)


 
 

Environment:

  • Qlik Sense Enterprise and version

 

Beginning in Qlik Sense February 2018, additional functionality was added to the Qlik Sense Enterprise installation package. This function checks to ensure that the service account has the appropriate rights on the Service Cluster path that was entered during installation. In order to check the rights on the share, the installer uses Windows APIs which require an interactive logon rights in order to impersonate the service account. This requirement is expected in February 2018, April 2018, and June 2018. For the September 2018 release and newer the Option 3 documented here was added as a workaround.

 

Resolution:

 

For September 2018 and newer:

Option 1:

  • Open the Local Security Policy module
    • Right Click on Run > secpol.msc
  • Navigate to Local Policies > User Rights Assignment:
    • Allow log on locally: Ensure that the Qlik Sense Service account is provisioned this right
    • Deny log on locally: Ensure that the Qlik Sense Service account is not listed there, either directly by name or indirectly by group membership
  • Complete installation of Qlik Sense
  • (Optional): Revert the changes to the rights assignment post installation

Option 2:

  • Install Qlik Sense November 2017 and upgrade to the desired build of Qlik Sense

Option 3:

Install Qlik Sense using its silent installation syntax. See Performing a silent installation with the skipvalidation parameter.

Example:

Qlik_Sense_setup.exe -s userwithdomain=domain\svc_qliksense userpassword=ServiceAccountPassword123! dbpassword=DBPassword123! sharedpersistenceconfig=C:\Temp\spc.cfg skipvalidation=1

 

Option 4:

 

For February 2018 - June 2018 Releases:

Option 1:

  • Open the Local Security Policy module
    • Right Click on Run > secpol.msc
  • Navigate to Local Policies > User Rights Assignment:
    • Allow log on locally: Ensure that the Qlik Sense Service account is provisioned this right
    • Deny log on locally: Ensure that the Qlik Sense Service account is not listed there, either directly by name or indirectly by group membership
  • Complete installation of Qlik Sense
  • (Optional): Revert the changes to the rights assignment post installation

Option 2:

  • Install Qlik Sense November 2017 and upgrade to the desired build of Qlik Sense
Labels (1)
Comments
giociva
Partner - Creator
Partner - Creator

Hi @Andre_Sostizzo ,

if the designed qlik service account IS a local administrator without interactive logon rights and I cannot change this policy with secpol because it is enforced via GPO and prevent changes, would be ok to install qlik sense with another local admin account and change it later to the desired service account?

My only concern is regarding the QlikClient certificate, as I cannot do a run-as different account on mmc to import the cert in the user personal store.

Thanks,

Best

Contributors
Version history
Last update:
‎2020-10-28 10:52 AM
Updated by: