Windows Permissions required for a TIBCO Streaming Service

Windows Permissions required for a TIBCO Streaming Service

book

Article ID: KB0073778

calendar_today

Updated On:

Products Versions
TIBCO Streaming 10

Description

When run from the command-line, the TIBCO Streaming application runs correctly. After installing the same application as a Windows service and starting, the application fails with an "insufficient privilege" error.

Error: 
2020-03-18 10:26:38.240000-0400 [7384:OperatorThread(pidataadapter_phase.metadataPhase.onStart:1)] ERROR PIPhasesReader: connection failed: 
Error (probably credentials or network connectivity): Cannot connect to the PI Data Archive. Windows authentication trial failed because 
insufficient privilege to access the PI Data Archive. Trust authentication trial failed because insufficient privilege to access the PI 
Data Archive. 
2020-03-18 10:26:38.240000-0400 [7384:OperatorThread(pidataadapter_phase.metadataPhase.onStart:1)] WARN  PIPhasesReader: Server not 
connected, attempting connection

Issue/Introduction

Administrative steps to provide Windows account permission "Log on as a service"

Environment

Microsoft Windows 10

Resolution

TIBCO Streaming supports running as a Windows service, which allows unattended startup after a reboot.

From the product documentation:
  TIBCO StreamBase Documentation > Installation Guide > Configuring Windows as a Service
 
"Applications that are installed as Windows services are installed using the epadmin install systemservice command. The user in which the service should run is specified when installing the service. This user must have the JAVA_HOME environment variable set. By default this user is the SYSTEM user (use the username parameter to run install systemservice to use a different user)."

As noted in the example error message above, the account cannot be authorized with the OSIsoft PI Asset Framework Client (it was the Windows SYSTEM user), so an alternative account must be used. In general, normal user accounts do not have the required "Log on as a service" privilege. The general solution is that whatever account is selected to run the service must be given the "Log on as a service" privilege within Windows. 

This permission applies strictly to the local computer and must be granted in the Local Security Policy. The user making this change must have Administrator privilege, and may require Domain Administrator privilege if the computer is on a domain.

The following instructions were verified using Windows 10 Pro (10.0.18362) with the latest security updates as of April 2020. Details are subject to change in later Windows updates.

As Administrator, make the following change within the Local Security Policy of the computer that will run the TIBCO Streaming service:
  1. Log into to the computer with administrative privileges.
  2. Open "Administrative Tools" and open the "Local Security Policy"
  3. Expand "Local Policy" and click on "User Rights Assignment"
  4. In the right pane, right-click "Log on as a service" and select properties.
  5. Click on the "Add User or Group..." button. 
  6. In the "Select Users or Groups" dialog, find the user registered with OSI PI and assigned as the user account used to run the service. Once added to the list, click "OK". Note: Also ensure that the user added above is not listed in the "Deny log on as a service" policy in the Local Security Policy.
  7. Click "OK" to save changes.
Powered by Wolken Software