KNOWLEDGE BASE

Error "Service 'tablicsrv' failed to start" "No license found for Tableau Server" or "Tableau Server is unlicensed" Installing Tableau Server


Published: 31 Mar 2016
Last Modified Date: 22 Feb 2017

Issue

When installing Tableau Server, Manage Product keys might be empty and one of the following errors might occur when activating a license or starting tablicsrv:

No license found for Tableau Server 

Or:

Tableau Server is unlicensed.  An administrator must run manage product keys. 

Or:

"Service 'tablicsrv' failed to start (state 1)"

Or:

Unable to start service 'tablicsrv': (5) Access is denied

Or:

service on Local Computer started and then stopped. Some services stop automatically if they are not in use by other services or programs.

Environment

Tableau Server 9.3 and later versions

Resolution

Verify and update permissions

You can verify whether your organization is removing the User group from installation directories by navigating to the Tableau Server installation directory (%PROGRAMDATA%\Tableau\Tableau Server), and then opening Properties > Security. If the Users group is not listed then you need to update the permissions.

Because many organizations use change management solutions to remove the User group during startup, simply adding the User group back to the Tableau Server installation directory is not a best practice.

Instead apply permissions on the Tableau Server installation directories to the Local Service using Windows icalcs command.

To apply permissions:

  1. Log onto the computer running Tableau Server as an administrator.

  2. Open a command prompt and run the following commands:

    icacls “%PROGRAMDATA%\Tableau\Tableau Server” /reset

    This command resets permissions and enables inheritance on the installation directory.

    icacls “%PROGRAMDATA%\Tableau\Tableau Server” /grant *S-1-5-19:(OI)(CI)F /T

    This command grants explicit permissions to the Local Service account, which is represented here by the global security identifier, *S-1-5-19.

  3. Restart the Tableau Server license manager (in some environments, the whole computer will need to be restarted for the permissions to take effect).

     

If you prefer to set permissions using the Windows folder properties,
  1. Check the permissions for both the Tableau Server bin directory and log directory. 
    If Tableau Server was installed using the default Windows program and data path, the folders to check are:If Tableau Server was installed to a custom path, both logs and bin folder will be in the base of the install directory.
    • C:\ProgramData\Tableau\Tableau Server\logs
    • C:\Program Files\Tableau\Tableau Server\bin
  2. Ensure that the built-in Users group or Local Account is present with Read & execute, List folder contents, and Read permissions.
  3. Click Advanced and check the special permissions, ensuring that create files/write data is selected. Screenshot of the Advanced Permissions window

Cause

Background

Beginning with Tableau Server 9.3, a change was made to the Tableau Server License Manager (tablicsrv) configuration. In previous versions, tablicsrv.exe was run under the security context (log on value) of the NT AUTHORITY\Local System, which is the default run as account when creating a new Windows Service. Local System has more access than the License Manager requires to run properly, so the run as user was changed to the more restricted NT AUTHORITY\Local account. The Local Service account is used by License Manager to access and execute files located under the Tableau Server installation directory (%PROGRAMDATA%\Tableau\Tableau Server) and write to the tablicsrv.log file. These actions rely upon permissions that are inherited through the Users security group on the Tableau Server installation directory.

Image of the Tableau Server Properties window with Read & Execute, List folder contents, Read, and Special Permissions checked

As shown above, the following permissions (all of which are inherited by Local Service) are granted to the Users security group:

  • Read & execute
  • List folder contents
  • Read
  • Special permissions (create files/write data)

If Local Service does not have these permissions, Tableau Server will fail to initialize during installation, resulting in the errors above.

Why doesn’t Local Service have the correct permissions?

As a security measure, some organizations remove the Users group from all installation directories in their environments. Usually, such organizations remove the User group with an automated change management software solution such as Group Policy.

Additional Information

When running "serveractutil -v" from the command line, there should be valid FIDs in the trusted storage.  If there are 'broken' FIDs or no FIDs, this article does not apply. 

If the above steps do not immediately resolve the issue, check to make sure that the Flexnet service is also running. 

For more information on setting folder permissions in Windows, see the following articles on Microsoft Technet: 
Managing Permissions
Set, View, Change, or Remove Special Permissions
Did this article resolve the issue?