Qlik Community

QlikView Management

Discussion Board for collaboration on QlikView Management.

Highlighted
Not applicable

QlikView server - AD Service account permission

Hi,

     We are running QlikView server version 11.0.11414.0 on Windows 2008 R2 Standard Edition (x64).

     All the components are installed on a single server.

     QlikView Management Service (QMS)

     QlikView Directory Service Connector (DSC)

     QlikView Distribution Service (QDS)

     QlikView Server (QVS)

     QlikView Web Server (QVWS)

     When we try to run the 5 QlikView services (as above) under a AD Service account, they do not restart properly.

     The only service which restarts properly is the QlikView Server (QVS).

     All the other services starts but fails/crashes immediately.

     The only solution at this time is to make the Service account as a Local Admin on the server (or) to run the other 4 services under "Local System".

     I have provided the required permissions as per the QV11 Infrastructure -Minimum Security Requirements.pdf document.

     I have also provide the service account with COM permissions.

     We have a policy which restricts the Service account to have Admin privileges on the server.

     Kindly let me know if there is any other change I need to perform so that the Services can run under a AD Service account.

Thanks in Advance,

Kums.

1 Solution

Accepted Solutions
Partner
Partner

Re: QlikView server - AD Service account permission

The AD Service account has to be a member of the Local Administrator group on the server. Not only a member of

"QlikView Administrators"

Also, the server can't be a DC or BDC.

14 Replies
Partner
Partner

Re: QlikView server - AD Service account permission

Have you added AD Service account to the group QlikviewAdministrators.?

Not applicable

Re: QlikView server - AD Service account permission

Yes.

The AD Service account is a member of the QlikView Administrators local group on the server.

Partner
Partner

Re: QlikView server - AD Service account permission

The AD Service account has to be a member of the Local Administrator group on the server. Not only a member of

"QlikView Administrators"

Also, the server can't be a DC or BDC.

Partner
Partner

Re: QlikView server - AD Service account permission

What is DC and BDC?

Not applicable

Re: QlikView server - AD Service account permission

Hi,

Did you have a look to the logfiles <InstallDrive QV>:\ProgramData\QlikTech\.....

Mybe is a restriction to  Windows 2008 R2 Standard Edition (x64). Like you can just use  32GB of RAM....

Regards

Michael

Employee
Employee

Re: QlikView server - AD Service account permission

The problem isn´t Qlikview. Your problem is in your Policy Restriction.

Remove the policy and try again.

The service account to Qlikview needs to be Local Administrator only and default policies. If you changed it, return default config e apply bit by bit to find your problem.

Ricardo Gerhard
OEM Solution Architect
LATAM
Not applicable

Re: QlikView server - AD Service account permission

DC is Domain Controller.

BDC is Backup Domain Controller.

Not applicable

Re: QlikView server - AD Service account permission

The server is not a DC or BDC.

It is a server specifically used for QlikView.

We have a policy which is setup as per best practices.

It states that a Service account should not be a Local Administrator on the server to reduce risk.

Is this the official statement from QlikView that the Service account should be a member of the Local Administrators group?

Not applicable

Re: QlikView server - AD Service account permission

Please do not mistake me.

But at the same time kindly do not insult the knowledge of our Security team.

As per my understanding, I do not think even Microsoft recommends providing Local Administrator access for a AD Service account.

But it is not always possible to adhere to that recommendation due to the design of applications.

Kindly let me know if this is the official recommendation by QlikView.

As mentioned in my initial post, I have provided the required access as per the "QV11 Infrastructure -Minimum Security Requirements.pdf" document. I am unable to find a link to that document and also unable to attach it to this post.