Issue
When installing Tableau Server, TSM may show no activated keys, and one of the following errors might occur when activating a license or starting tablicsrv: "No license found for Tableau Server" or "No specified license found."
Resolution
You can verify whether your organization is removing the Users group from installation directories by navigating to the Tableau Server installation directory (%PROGRAMDATA%\Tableau\Tableau Server), and then opening Properties > Security. If the Users group is not listed, then you need to update the permissions.
Because many organizations use change management solutions to remove the Users group during startup, simply adding the Users group back to the Tableau Server installation directory is not a best practice.
Instead, apply permissions on the Tableau Server installation directories to the Local Service account using the Windows icacls command.
To apply permissions:
1. Log on to the computer running Tableau Server as an administrator.
2. Open a command prompt and run the following commands:
   icacls "%PROGRAMDATA%\Tableau\Tableau Server" /reset
   This command resets permissions and enables inheritance on the installation directory.
   icacls "%PROGRAMDATA%\Tableau\Tableau Server" /grant *S-1-5-19:(OI)(CI)F /T
   This command grants explicit permissions to the Local Service account, which is represented here by the global security identifier, *S-1-5-19.
3. Restart the Tableau Server license manager (in some environments, the whole computer will need to be restarted for the permissions to take effect).
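The verification described above (Properties > Security) can also be scripted. The following PowerShell is an added example, not part of the original article or of Tableau's tooling; it assumes the default directory named in the article, and the function name Get-TableauDirAccess is hypothetical.

```powershell
# Added example, not from the original article.
# Assumption: default data directory named in the article.
$path = Join-Path $env:ProgramData 'Tableau\Tableau Server'

# Well-known SIDs, so the check works regardless of OS display language.
$principals = [ordered]@{
    'Local Service' = 'S-1-5-19'       # account tablicsrv runs as
    'Users'         = 'S-1-5-32-545'   # group the permissions are normally inherited through
}

function Get-TableauDirAccess {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [System.Collections.IDictionary] $Sids
    )
    $acl   = Get-Acl -LiteralPath $Path
    # Include explicit and inherited ACEs, with identities translated to SIDs.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

    foreach ($name in $Sids.Keys) {
        $allow = @($rules | Where-Object {
            $_.IdentityReference.Value -eq $Sids[$name] -and
            $_.AccessControlType -eq 'Allow'
        })
        [pscustomobject]@{
            Principal   = $name
            Sid         = $Sids[$name]
            HasAllowAce = $allow.Count -gt 0
            Rights      = ($allow.FileSystemRights | Sort-Object -Unique) -join '; '
            Inherited   = ($allow.IsInherited      | Sort-Object -Unique) -join ', '
            AppliesTo   = ($allow.InheritanceFlags | Sort-Object -Unique) -join '; '
        }
    }
}

$report = Get-TableauDirAccess -Path $path -Sids $principals
$report | Format-Table -AutoSize

# True means inheritance from the parent folder is disabled on this directory.
$protected = (Get-Acl -LiteralPath $path).AreAccessRulesProtected
"Inheritance disabled on directory: $protected"

if (-not ($report | Where-Object HasAllowAce)) {
    Write-Warning 'No Allow entry for Local Service or Users; apply the icacls steps above.'
}
```

Running it before and after the icacls commands shows whether the Local Service entry is now present, explicit rather than inherited, and applies to both subfolders and files.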
Cause
Beginning with Tableau Server 9.3, a change was made to the Tableau Server License Manager (tablicsrv) configuration. In previous versions, tablicsrv.exe ran under the security context (log on value) of NT AUTHORITY\Local System, which is the default run-as account when creating a new Windows service. Local System has more access than the License Manager requires to run properly, so the run-as user was changed to the more restricted NT AUTHORITY\Local Service account. The Local Service account is used by License Manager to access and execute files located under the Tableau Server installation directory (%PROGRAMDATA%\Tableau\Tableau Server) and write to the tablicsrv.log file. These actions rely upon permissions that are inherited through the Users security group on the Tableau Server installation directory.
As shown above, the following permissions (all of which are inherited by Local Service) are granted to the Users security group:
If Local Service does not have these permissions, Tableau Server will fail to initialize during installation, resulting in the errors above.
As a security measure, some organizations remove the Users group from all installation directories in their environments. Usually, such organizations remove the Users group with an automated change management software solution such as Group Policy.