Interactive Logon Rights for Qlik Sense installation
This article outlines the requirement for the service account to have interactive logon permission to the Qlik Sense server in order to perform a new installation. This requirement was introduced on the February 2018 release.
The following may be registered in the logs:
Installation failed An error has occurred One or more of your shared persistence file share folders has not been configured correctly, or the service user does not have the appropriate access permissions.
If the service account does not have interactive logon rights, then the installer will error with a trace like as follows in the underlying log files (reference How To Collect Qlik Sense Installation Log File for guidance on locating those logs files):
Calling custom action Qlik.QustomActions64!Qlik.QustomActions64.FolderValidation.ValidateSharedFolders Action 16:27:25 33 SERVICEUSER: domain\svc_qliksense Action 16:27:25 33 SHAREDROOTFOLDER: \\FILESHARE\SharedFolder Action 16:27:25 33 STATICCONTENTROOT: \\FILESHARE\SharedFolder\StaticContent Action 16:27:25 33 CUSTOMDATAROOT: \\FILESHARE\SharedFolder\CustomData Action 16:27:25 33 ARCHIVEDLOGSROOT: \\FILESHARE\SharedFolder\ArchivedLogs Action 16:27:25 34 APPSROOT: \\FILESHARE\SharedFolder\Apps Action 16:27:25 34 Before impersonation: NT AUTHORITY\SYSTEM Action 16:27:25 39 After finished impersonation: NT AUTHORITY\SYSTEM Exception thrown by custom action: System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.NullReferenceException: Object reference not set to an instance of an object. at Qlik.QustomActions64.FolderValidation.ImpersonatedValidator.ValidateFolder(String folder, Func`2 evaluationCallback) at Qlik.QustomActions64.FolderValidation.ImpersonatedValidator.ValidateSharedRootFolder(String folder) at Qlik.QustomActions64.FolderValidation.ValidateSharedFolders(Session s) --- End of inner exception stack trace --- at System.RuntimeMethodHandle.InvokeMethod(Object target, Object arguments, Signature sig, Boolean constructor) at System.Reflection.RuntimeMethodInfo.UnsafeInvokeInternal(Object obj, Object parameters, Object arguments) at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object parameters, CultureInfo culture) at Microsoft.Deployment.WindowsInstaller.CustomActionProxy.InvokeCustomAction(Int32 sessionHandle, String entryPoint, IntPtr remotingDelegatePtr) CustomAction CA_ValidateSharedFolders returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
Qlik Sense Enterprise and version
Beginning in Qlik Sense February 2018, additional functionality was added to the Qlik Sense Enterprise installation package. This function checks to ensure that the service account has the appropriate rights on the Service Cluster path that was entered during installation. In order to check the rights on the share, the installer uses Windows APIs which require an interactive logon rights in order to impersonate the service account. This requirement is expected in February 2018, April 2018, and June 2018. For the September 2018 release and newer the Option 3 documented here was added as a workaround.
For September 2018 and newer:
Open the Local Security Policy module
Right Click on Run > secpol.msc
Navigate to Local Policies > User Rights Assignment:
Allow log on locally: Ensure that the Qlik Sense Service account is provisioned this right
Deny log on locally: Ensure that the Qlik Sense Service account is not listed there, either directly by name or indirectly by group membership
Complete installation of Qlik Sense
(Optional): Revert the changes to the rights assignment post installation
Install Qlik Sense November 2017 and upgrade to the desired build of Qlik Sense