Depending on your surroundings and information access requirements, you may want or need to change the Run As service business relationship. In that location are two main scenarios where yous change the Run Every bit service account:

  • Replacing the default Run As local business relationship (NetworkService) with a domain account. If you lot are operating in an environment where a majority of your data sources are authenticated in the context of Active Directory (Windows NT integrated security) then you will need to configure the Run Equally service account to apply a domain business relationship, not the local business relationship (NetworkService).
  • Changing an existing domain Run As service account to a dissimilar account.

This topic describes both scenarios and describes how to update the Run As service account password.

The account you use for the Run As service account should not be a member of the Local Administrators or Domain Administrators account. Instead we recommend using a domain user business relationship that is not an administrator for the Run As service account. Using a domain account that is not a fellow member of these administrator groups is a good security do and can help avoid access to certain data sources and folders. For information on best practices when creating a Run As service business relationship, see Creating the Run Equally service account.

Replacing the default Run As local account (NetworkService) with a domain account

If you are going to replace the default NetworkService business relationship with a domain account, nosotros recommend using a dedicated business relationship for the Run As service account. Follow these steps:

  1. Create the Run As service account in Active Directory
  2. Configure Tableau Server to utilize the Run As service account

Creating the Run Equally service business relationship

Follow these all-time practices:

  • It'south important to understand how the Run Every bit service account accesses data on behalf of the users in your organization. In some cases, users may inadvertently admission data that their users accounts are not explicitly permissioned for. Earlier yous create a Run Equally service account, review Data Access with the Run As Service Business relationship.
  • Create a dedicated account in Active Directory for the Tableau Server Run Every bit service account. In other words, don't use an existing account. By using a dedicated account you can be sure that the data resource that yous permission for Tableau Server are only accessible by Tableau Server Run Every bit service account.
  • The Run Equally service account is used to query users and group membership in Active Directory. By default, the NetworkServices business relationship and default domain users have permission to query Active Directory. Do not restrict read or query permissions for the Run Every bit service account.
  • Exercise not use an account with any kind of domain administrative permissions. Specifically, when you create an account in Active Directory, create an account in the domain User Group. Do non add the account that you lot create to whatsoever Active Directory security groups that needlessly elevate the permissions for the account.
  • Permission the data sources in your directory for this 1 account. The account that you'll employ for Run Every bit service account only needs Read access to the appropriate information sources and network shares.
  • If users in your system authenticate with smart cards, disable the smart card logon option for the Run As service business relationship.
  • If y'all have installed Tableau Server on a drive other than the system drive, then you will need to configure the system bulldoze to allow the Run Equally service business relationship additional permissions. The organization drive is the bulldoze where Windows is installed. For example, if you have installed Windows on the C:/ drive, then C:/ is your system drive. If you lot install Tableau Server on any other drive (D:/, E:/, etc), so yous will need to configure permissions for the Run As service account on the organisation drive. Meet Required Run As Service Business relationship Settings for more information.

Configuring the Run As service business relationship in Tableau Server

Afterward you have created the Run As service business relationship in Agile Directory, configure Tableau Server to use that business relationship.

Employ the TSM Web UI to configure the Run Every bit service account for the first time.

To configure the Run Equally service account

  1. Open TSM in a browser:

    https://<tsm-computer-name>:8850. For more than data, see Sign in to Tableau Services Managing director Spider web UI.

  2. Click the Security tab, and and so click the Run Every bit Service Business relationship tab.

  3. Select User Account and then enter the user name and password for the service business relationship. Specify the domain proper noun as domain\account, where domain name is the NetBIOS proper noun of the domain where the user resides:

  4. Click Save to verify the user name and countersign.

  5. When you are finished, click Pending Changes, and so click Utilise Changes and Restart.

After you update the Run As service account, Tableau Server will automatically configure permissions on the local computer for the account that you have entered.

Changing an existing domain Run Every bit service account to a different business relationship

To alter an existing domain Run Every bit service business relationship to a different account, you must utilise permissions to that new account. To use permissions to your new Run Every bit service business relationship, y'all must first reset permissions by applying them to the default NetworkService account.

Before y'all begin, verify that the new account that you will exist using for the Run As service account complies with the best practices noted previously in the section, Creating the Run As service account.

This procedure requires yous to restart Tableau Server services twice, so run this procedure during off hours.

Use the TSM spider web interface

  1. Open TSM in a browser:

    https://<tsm-computer-name>:8850. For more information, see Sign in to Tableau Services Manager Web UI.

  2. Click the Security tab, and and so click the Run As Service Business relationship tab.

  3. Under User Business relationship, select NT Authority\NetworkService.

  4. Click Salve.

  5. When y'all are finished, click Pending Changes, and then click Utilize Changes and Restart.

  6. Afterward the server restarts, open TSM and navigate to the Run Equally Service Account tab.

  7. Select User Account and then enter the user proper noun and countersign for the service account. Specify the domain proper name as domain\account, where domain name is the NetBIOS name of the domain where the user resides:

  8. Click Relieve to verify the user name and countersign.

  9. When you are finished, click Pending Changes, and then click Apply Changes and Restart.

  10. Revoke the permissions for the previous account. See Revoke Run As Service Account Permissions.

Apply the TSM CLI

  1. Reset the Run As service account to NetworkService. Run the post-obit command:

    tsm configuration gear up -one thousand service.runas.username -v "NT AUTHORITY\NetworkService"

  2. Run the following control to save this change and restart:

    tsm pending-changes employ

  3. Set the Run As service account to the new account. Run the following commands:

    tsm configuration set -1000 service.runas.username -v <domain\username>

    tsm configuration prepare -k service.runas.password -v "<password>"

    Enclose the password with double quotes to ensure special characters in the cord are processed correctly. To view the password equally it volition exist stored, run the post-obit control:

    tsm pending-changes list

    The password will be validated with Active Directory. If valid, then the countersign will exist encrypted and saved. TSM will not report success or failure.

  4. Run the following command to salve and restart:

    tsm pending-changes apply

    Troubleshooting:

    • Verify that the server has started. If it is in a degraded state, then yous may take entered an incorrect countersign. View the stored countersign past running the configuration go command. This control will decrypt and brandish the password in the shell. Run the post-obit command:

      tsm configuration go -chiliad service.runas.countersign

      If the previous countersign is displayed, and so you did not enter a valid password.

    • Enter the correct countersign (see Step 3), then run the post-obit command to relieve and restart:

      tsm pending-changes use

  5. Revoke the permissions for the previous business relationship. See Revoke Run Equally Service Business relationship Permissions.

Updating the Run As service business relationship password

If the Run As service business relationship password has been updated in Active Directory you must update it for Tableau Server. The Run Every bit service account countersign is encrypted and stored on Tableau Server. For more information, see Manage Server Secrets.

If y'all are running Tableau Server in a distributed deployment, so you only need to update the password with TSM on the initial node in the cluster. TSM volition distribute this configuration to each node automatically.

Apply the TSM spider web interface

  1. Open TSM in a browser:

    https://<tsm-computer-name>:8850. For more information, encounter Sign in to Tableau Services Manager Spider web UI.

  2. Click the Security tab, and then click the Run As Service Account tab.

  3. Under User Account, enter the password for the service account.

  4. Click Save to verify the password.

  5. When you are finished, click Pending Changes, and and then click Apply Changes and Restart.

Utilise the TSM CLI

  1. Ready the new password. Run the post-obit command:

    tsm configuration set -k service.runas.password -v "<password>"

    Enclose the password with double quotes to ensure special characters in the string are processed correctly. To validate that special characters were escaped correctly, run the following command to view the password every bit information technology will exist stored:

    tsm pending-changes list

    The countersign will be validated with Active Directory. If valid, then the password will be encrypted and saved. TSM will non report success or failure.

  2. Run the following control to save and restart:

    tsm pending-changes apply

    Troubleshooting:

    • Verify that the server has started. If it is in a degraded state, then y'all may take entered an incorrect password. View the stored countersign by running the configuration go command. This control will decrypt and display the password in the shell. Run the following command:

      tsm configuration get -1000 service.runas.countersign

      If the previous countersign is displayed, then you did not enter a valid password.

    • Enter the correct countersign (see Pace 1), and and then run the following command to save and restart:

      tsm pending-changes use

Troubleshooting: Update the password in the Microsoft Services console

In some cases, yous may come across service failures after updating the Run As service account password. If and so, then you may need to manually update the password for the Tableau Server Services Manager service. Update the password in the Microsoft Services management panel.

If y'all are running Tableau Server in a distributed deployment, and then you must perform the post-obit procedure on each node in the cluster.

  1. Finish Tableau Server.

    • To apply the TSM CLI, run the post-obit command:

      tsm stop

    • To use the TSM Web UI, on the top-right of the page, click the drop-down list side by side to the status, and then click Stop Tableau Server:

  2. Open the Services MMC snap-in on the Windows figurer that is running Tableau Server.

  3. Double-click the Tableau Server Services Manager service to open the properties page.

  4. On the Tableau Server Services Manager Properties page, click the Log On tab, so enter the password for the service account.

  5. Click Use, then click OK.

  6. Restart the Tableau Server Services Director service past correct-clicking on the service name and and so clicking Restart.

  7. Outset Tableau Server.

    • To use the TSM CLI, run the following command:

      tsm start

    • To utilise the TSM Spider web UI, on the top right of the page, click the driblet-down list next to the status, and so click Start Tableau Server.

The Run As service account is central to many operations on Tableau Server, especially those that are involved with remote data access. To avoid admission errors, review the tasks here and follow the links for those that use to your scenario.

  • If you are running Tableau Server in an organization with multiple Agile Directory domains, see Domain Trust Requirements for Agile Directory Deployments.
  • Enabling Kerberos single sign-on requires additional configuration related to the Run As service account. To enable Kerberos single sign-on with Tableau Server, encounter Kerberos.
  • Enabling impersonation requires additional configuration related to Run Equally service account. To deploy and enable impersonation with Microsoft SQL Server, see Impersonate with Embedded SQL Credentials.
  • If you have installed Tableau Server onto the non-system drive, then you will need to manually set some permissions for the Run As service account. Encounter Required Run Every bit Service Account Settings for more than information.
  • If you have changed the Run Equally service account, and so we recommend revoking the permissions for the previous business relationship. See Revoke Run As Service Business relationship Permissions.
  • If your system uses a forward proxy solution, then you may need to reconfigure the local LAN settings on the Tableau Server with the Run As service account. See Configure a forward proxy server for more data. In this scenario, the Run As service account must also exist temporarily configured every bit the log on account for Tableau Server Authoritative Controller for product primal operations. Encounter Configure Product Key Operations with Forrad Proxy.