Alteryx Server Ideas

Share your Server product ideas - we're listening!
Submitting an Idea?

Be sure to review our Idea Submission Guidelines for more information!

Submission Guidelines

Alteryx Worke Account Token bloat issue | Configure multiple accounts to run WF

We have configured the service account for Alteryx services on workers, controllers and Gallery. Kindly go through the below problem statement and current scenario and help to provide solution.

I will appreciate if we can setup a 30 minutes call and discuss on it.

 

Purpose/Current Design :

  1. Our purpose was to on board the account in EPV-AIM/gMSA solution so that password won’t be hard-coded anywhere in the config for service LAN account.
  2. Use same LAN service account to run the workflow on workers and write the output at destination paths [ Shared paths, Mailboxes]
  3.  

Problem Statement  :

As we have added service LAN account  in multiple AD groups [ global and local ] it has become member of 440+ groups which has resulted in the approx.. token size to 8421.

Active directory has a limit of having approx.. token size to 10000 (10k) for LAN accounts and after that it will fail to authenticate with AD ; which will result in failure of starting Alteryx services.

 

Please refer below link to know what exactly issue we are facing and looking solution from Product team[Alteryx].

https://www.jijitechnologies.com/blogs/active-directory-token-bloat

 

 

We are looking from the Alteryx team :

  1. Find a solution and provide some enhancement where we can use multiple (more than one) LAN accounts to run the workflows.
  2. In Large scale when we are running workflows of different team’s it is obvious that LAN ID will be member of multiple AD groups and it will reach to Token bloat threshold.
  3. We are looking something which can be provided as solution within the same setup to add multiple accounts or any other solution .

 

We already explored the option you suggested [https://help.alteryx.com/current/server/credentials] but as per our firm’s password policy we cannot save/use/withdraw privilege account passwords.

Because if we go with the suggested option we have to add the particular accounts in Windows server privilege group [ Log on as service, App_Security Logon locally and run batch job].

To meet compliant policy ; Any account which is privilege should be considered as app to app account and it should be integrated with Microsoft’s gMSA or CyberArk’s EPV-AIM solution to be on boarded account in vault. [ No human interaction with account ]

 

Feel free to reach out to me for any additional clarifications.

1 Comment
KylieF
Alteryx Community Team
Alteryx Community Team

Your idea and feedback is appreciated!

 

Our product team is constantly striving to make our products better, and the user feedback we received is critical in that mission. We recommend checking out our Submission Guidelines as they go into greater depth on the criteria needed for an idea to reach product as well as go over the boards in general. Make sure to also check out other user’s ideas!