KNOWLEDGE BASE

Error "Service 'tablicsrv' failed to start" "No license found for Tableau Server" or "Tableau Server is unlicensed" Installing Tableau Server


Published: 31 Mar 2016
Last Modified Date: 22 Nov 2016

Issue

When installing Tableau Server 9.3, Manage Product keys might be empty and one of the following errors might occur when activating a license or starting tablicsrv:

No license found for Tableau Server 

Or:

Tableau Server is unlicensed.  An administrator must run manage product keys. 

Or:

"Service 'tablicsrv' failed to start (state 1)"

Or:

Unable to start service 'tablicsrv': (5) Access is denied

Or:

service on Local Computer started and then stopped. Some services stop automatically if they are not in use by other services or programs.

Environment

Tableau Server 9.3

Resolution

Verify and update permissions

You can verify whether your organization is removing the User group from installation directories by navigating to the Tableau Server installation directory (%PROGRAMDATA%\Tableau\Tableau Server), and then opening Properties > Security. If the Users group is not listed then you need to update the permissions.

Because many organizations use change management solutions to remove the User group during startup, simply adding the User group back to the Tableau Server installation directory is not a best practice.

Instead apply permissions on the Tableau Server installation directories to the Local Service using Windows icalcs command.

To apply permissions:

  1. Log onto the server running Tableau Server 9.3. You must be logged on as an administrator, or you must have access to administrator account when you open Windows Command Line.

  2. Open Windows Command Line and run the following commands:

    icacls “%PROGRAMDATA%\Tableau\Tableau Server” /reset

    This command resets permissions and enables inheritance on the installation directory.

    icacls “%PROGRAMDATA%\Tableau\Tableau Server” /grant *S-1-5-19:(OI)(CI)F /T

    This command grants explicit permissions to the Local Service account, which is represented here by the global security identifier, *S-1-5-19.

  3. Restart the Tableau Server license manager (in some environments, the whole computer will need to be restarted for the permissions to take effect).

Cause

Background

Beginning with Tableau Server 9.3 a change was made to the Tableau Server License Manager (tablicsrv) configuration. In previous versions, tablicsrv.exe was run under the security context (log on value) of the Local System. Local System has more system access than the License Manager requires. Therefore, according to the security principle of “least permissions,” we made the change in version 9.3 to run the License Manager under the more restricted context of “Local Service.” The Local Service account is used by License Manager to access and execute files located under the Tableau Server installation directory (%PROGRAMDATA%\Tableau\Tableau Server). These actions, in turn, rely upon permissions that are inherited through the Users security group on the Tableau Server installation directory.

As shown above, the following permissions (all of which are inherited by Local Service) are granted to the Users security group:

  • Read & execute

  • List folder contents

  • Read

If Local Service does not have these permissions, then Tableau Server will fail to initialize during installation, resulting in the errors above.

Why doesn’t Local Service have the correct permissions?

As a security measure, some organizations remove the Users group from all installation directories in their environments. Usually, such organizations remove the User group with an automated change management software solution such as Group Policy.

Additional Information

When installing on the C:\ drive, the directory is: C:\ProgramData\Tableau\Tableau Server. When installing on other drives, the directory is the one specified when installing Tableau Server, for example, D:\Tableau\Tableau Server.

When running "serveractutil -v" from the command line, there should be valid FIDs in the trusted storage.  If there are 'broken' FIDs or no FIDs, this article does not apply. 

If these steps do not resolve the issue immediately, check to make sure that the Flexnet service is also running. 
Did this article resolve the issue?