
Alteryx Server Knowledge Base

Definitive answers from Server experts.

How To: Run Alteryx Service as a Non-Admin Account

MikeSp
Alteryx


!!!IMPORTANT!!! Before proceeding, please note that this procedure should be considered a proof-of-concept. This solution was created by a Solutions Architect at Alteryx and is not intended as an officially supported production use case at this time. This use case and procedure have not been officially QA tested by Alteryx and have only seen limited internal testing. If you wish to use this in your production environment, please ensure you perform a backup or snapshot of your current environment, and ideally validate any changes in a sandbox environment before making any changes to your production environment. Understand that Alteryx Support may/will not be able to assist or instruct you on using this procedure. Alteryx Support may ask you to change the account running the Alteryx Service to a full administrator account to validate that it does not cause any failure during a troubleshooting session.

Now that we've established the fun disclaimer above, this article shows how to set up a proof-of-concept solution that allows a non-admin account to run the Alteryx Service successfully. It covers a single machine with all embedded components (Controller, Gallery, Worker, MongoDB) as well as separate machine(s) with individual services, such as Gallery-only or Worker-only machine(s), or any combination thereof.

Security constraints in your environment may require or prefer that a service account be handled on a least-privilege basis, and having a full administrator account running the service is typically a pain point when attempting to incorporate least-privilege. This article attempts to address a workaround for the scenario with an Alteryx Server installation where a full administrator account is typically required to run the Alteryx Service. A full administrator account will sometimes still be required for certain maintenance tasks, such as initial configuration, assigning additional permissions if changes occur, updating settings via the Alteryx System Settings application, or updating Alteryx Server license(s).
 

Prerequisites

 
  • Alteryx Server
    • 2021.4 and 2022.1 Tested
    • Likely to function on previous versions as well, but not tested
  • Administrator Account on the Alteryx Server machine(s) to provide appropriate permissions discussed in this guide
    • Will be referred to as "Administrator Account" in further instructions
  • Service Account (non-admin or standard user) that you desire to run the Alteryx Service with
    • Will be referred to as "Service Account" in further instructions
    • This account is assumed to be an Active Directory account or a local account that exists on each machine in the Alteryx Server environment
 
 

Procedure

In the following procedure, we will discuss different components of Alteryx Server and their specific requirements. This article assumes some familiarity with the basic components of Alteryx Server (Controller, Gallery, Worker) and with which component(s) are enabled on each of your machine(s). It also assumes you are currently running Alteryx Server or are familiar with initial configuration, and it does not cover a complete installation. The article is split into a separate procedure for each component to assist setup in a complex environment, or where multiple components are enabled on the same or multiple machines. For example, if a procedure is listed for the Gallery component and the Gallery component is not enabled on a specific machine, you do not need to perform that procedure on that machine. The steps should be performed on each machine for each component that it hosts. If you add a component to a particular machine at a later time, you should follow the additional procedure for that component if applicable.

All Components/Machines (Controller AND/OR Gallery AND/OR Worker) - Perform these steps on each Alteryx Server machine in the environment.
  1. Using the Administrator Account, assign the required base permissions to the Service Account
    1. Review the above carefully - if the required permissions are not set, you may encounter permission or other errors when attempting to run workflows or start the Alteryx Service in your Alteryx Server environment.
    2. Note: It is recommended that you have started the Alteryx Service as an admin at least once to generate the folders for the above base permissions - otherwise you may need to create them manually and assign permissions.
  2. Assign all permissions (Modify, Read & Execute, List Folder Contents, Read, Write) for the Service Account to the folder "%programdata%\Alteryx". Make sure to assign the permissions to all subfolders and files.
    1. If you have set a custom directory for the Global Workspace (Alteryx System Settings -> Environment -> Workspace), also add the permissions mentioned above to that folder.
  3. Assign the "Log on as a Service" right to the Service Account.
    1. Select Start on the Windows taskbar.
    2. Search for "gpedit.msc" from the Windows Taskbar
    3. In the Local Group Policy Editor window, select Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment.
    4. Select Log on as a Service.
    5. In Log on as a service Properties, select Add User or Group.
    6. Use the search dialog to find the Service Account and then click OK.
    7. Click OK to apply the changes.
  4. Add the required binding for the Service URL on the Service Port used
    1. Open a Command Prompt as an Administrator Account
    2. Type the following command, being careful to update the following:
      1. Replace 80 only if you are using a custom Service Port (this is not the same as your Gallery web front-end port!)
      2. Replace "domain\username" with your Service Account's domain and username.
        netsh http add urlacl url=http://*:80/ user=domain\username
    3. If all parameters were entered correctly, you should see the message "URL reservation successfully added". If you received a different message, ensure the values are correct, especially the user account.
  5. Set the Service Account as the "Log On" user for the Alteryx Service
    1. Select Start on the Windows taskbar.
    2. Search for "services.msc" from the Windows Taskbar
    3. Right-click the Alteryx Service and choose Properties
    4. Click the Log On tab.
    5. Click This Account, then set your Service Account as the login user
    6. Type the password for the Service Account in both password fields
    7. Click OK
  6. Review the next sections below for the next component(s).

Any Machine running the Gallery Component - Perform these steps on each machine in the Alteryx Server environment that is running the Gallery component.

Please ensure you read the below steps carefully. There is a slightly different setup/configuration depending on your Gallery Base Address (all versions) and Web API Address (2021.4+) value that you must pay close attention to. If not - the WebHost or Web API process may not start or run successfully. If you change your Gallery configurations to one of the other URLs mentioned, you should update the values based on the section below. You can find the settings for these values to determine which section you should follow under "Gallery -> General -> Base Address and Web API Address" as of this writing. There are also specific additional settings that need to be performed if you are using SAML as your authentication type. You can determine if you are running SAML authentication under "Gallery -> Authentication -> Authentication Type".
  1. If you are running the Base Address and Web API Address as HTTP (non-TLS/SSL):
    1. Open a Command Prompt as an Administrator Account
    2. Type the following command, being careful to update the following:
      1. Replace "domain\username" with your Service Account's domain and username.
      2. Replace 80 with a custom port if your Base Address value contains a custom port value (e.g. http://localhost:8080/gallery).
      3. Replace "gallery" if you are running under another endpoint name (e.g. http://localhost/server).
        netsh http add urlacl url=http://+:80/gallery user=domain\username
    3. If all parameters were entered correctly, you should see the message "URL reservation successfully added". If you received a different message, ensure the values are correct, especially the user account.
    4. (Alteryx Server 2021.4+ Only) Type the following command, being careful to update the following:
      1. Replace "domain\username" with your Service Account's domain and username.
      2. Replace "localhost" with your proper URL if different (e.g. http://gallery.alteryx.com/webapi).
      3. Replace 80 with a custom port if your Web API Address value contains a custom port value (e.g. http://localhost:8080/webapi/).
      4. Replace "webapi" if you are running under another endpoint name (e.g. http://localhost/api/).
        netsh http add urlacl url=http://localhost:80/webapi user=domain\username
    5. If all parameters were entered correctly, you should see the message "URL reservation successfully added". If you received a different message, ensure the values are correct, especially the user account.
    6. If you are using SAML authentication for this Alteryx Server environment, see Step 3 in this section, otherwise continue to the "Start the Alteryx Service!" section.
  2. If you are running the Base Address and Web API Address as HTTPS (TLS/SSL):
    1. Open a Command Prompt as an Administrator Account
    2. Type the following command, being careful to update the following:
      1. Replace "domain\username" with your Service Account's domain and username.
      2. Replace 443 with a custom port if your Base Address value contains a custom port value (e.g. https://localhost:8443/gallery).
      3. Replace "gallery" if you are running under another endpoint name (e.g. https://localhost/server).
        netsh http add urlacl url=https://+:443/gallery user=domain\username
    3. If all parameters were entered correctly, you should see the message "URL reservation successfully added". If you received a different message, ensure the values are correct, especially the user account.
    4. (Alteryx Server 2021.4+ Only) Type the following command, being careful to update the following:
      1. Replace "domain\username" with your Service Account's domain and username.
      2. Replace "localhost" with your proper URL if different (e.g. https://gallery.alteryx.com/webapi).
      3. Replace 443 with a custom port if your Web API Address value contains a custom port value (e.g. https://localhost:8443/webapi/).
      4. Replace "webapi" if you are running under another endpoint name (e.g. https://localhost/api/).
        netsh http add urlacl url=https://localhost:443/webapi user=domain\username
    5. If all parameters were entered correctly, you should see the message "URL reservation successfully added". If you received a different message, ensure the values are correct, especially the user account.
    6. If you are using SAML authentication for this Alteryx Server environment, see Step 4 in this section, otherwise continue to the "Start the Alteryx Service!" section.
  3. If you are running SAML authentication with HTTP (non-TLS/SSL - this section is not applicable for non SAML authentication!):
    1. Open a Command Prompt as an Administrator Account
    2. Type the following command, being careful to update the following:
      1. Replace "domain\username" with your Service Account's domain and username.
      2. Replace "localhost" with your proper URL if different (e.g. http://gallery.alteryx.com/aas).
      3. Replace 80 with a custom port if your Base Address value contains a custom port value (e.g. http://localhost:8080/aas).
        netsh http add urlacl url=http://localhost:80/aas user=domain\username
    3. If all parameters were entered correctly, you should see the message "URL reservation successfully added". If you received a different message, ensure the values are correct, especially the user account.
    4. Continue to the "Start the Alteryx Service!" section.
  4. If you are running SAML authentication with HTTPS (TLS/SSL - this section is not applicable for non SAML authentication!):
    1. Open a Command Prompt as an Administrator Account
    2. Type the following command, being careful to update the following:
      1. Replace "domain\username" with your Service Account's domain and username.
      2. Replace "localhost" with your proper URL if different (e.g. https://gallery.alteryx.com/aas).
      3. Replace 443 with a custom port if your Base Address value contains a custom port value (e.g. https://localhost:8443/aas).
        netsh http add urlacl url=https://localhost:443/aas user=domain\username
    3. If all parameters were entered correctly, you should see the message "URL reservation successfully added". If you received a different message, ensure the values are correct, especially the user account.
    4. Continue to the "Start the Alteryx Service!" section.

Start the Alteryx Service!

Finally, it's now time to start the Alteryx service on your machine(s). Start up the Alteryx Service and review the log files for any errors. Hopefully, if everything went well, your Alteryx Service is now in a "Running" state and the environment is accessible, and your service is now running under a non-admin account!

Test, test, and test again to ensure everything is working in the environment.


Common Issues

  1. Alteryx Service not starting after making the above modifications
    1. Ensure the URLs are correctly bound based on the examples above
    2. Ensure the appropriate permissions were granted to the Service Account and that it has full access
    3. Review the Service and/or Gallery logs for clues!
    4. If all else fails, try running the Alteryx Service as an administrator account temporarily to ensure the service functions with a user with full permissions.
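
The first two checks above can be scripted. The following PowerShell is an added example, not part of the original article and not Alteryx code: it reads back the URL reservations, the %ProgramData%\Alteryx folder ACL, the service's Log On account, and local Administrators membership. The $ServiceAccount and $ExpectedUrls values are placeholders taken from the commands above; the '*Alteryx*' display-name filter, the New-Result and Get-UrlAclMap helper names, and English-language netsh output are assumptions.

```powershell
# Added example, not Alteryx code. Run from an elevated PowerShell on each machine.
# Assumed values: set your Service Account and the URLs you reserved on this machine.
$ServiceAccount = 'domain\username'
$ExpectedUrls   = @('http://*:80/', 'http://+:80/gallery')
$DataDir        = Join-Path $env:ProgramData 'Alteryx'

function Get-UrlAclMap {
    # Parse English-language "netsh http show urlacl" output into url -> users.
    $map = @{}; $url = $null
    foreach ($line in (netsh http show urlacl)) {
        if ($line -match '^\s*Reserved URL\s*:\s*(\S+)') {
            $url = $Matches[1].TrimEnd('/'); $map[$url] = @()
        } elseif ($url -and $line -match '^\s*User:\s*(.+?)\s*$') {
            $map[$url] += $Matches[1]
        }
    }
    $map
}
function New-Result($Check, $Pass) { [pscustomobject]@{ Check = $Check; Pass = [bool]$Pass } }

# 1. Each expected URL must be reserved for the Service Account (trailing "/" ignored).
$acls = Get-UrlAclMap
$results = @(foreach ($u in $ExpectedUrls) {
    $key = $u.TrimEnd('/')
    New-Result "urlacl $u" ($acls.ContainsKey($key) -and $acls[$key] -contains $ServiceAccount)
})

# 2. %ProgramData%\Alteryx: an Allow rule with Modify that inherits to subfolders and files.
#    Only rules naming the account directly are seen, not access granted through a group.
$modify  = [System.Security.AccessControl.FileSystemRights]::Modify
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$rule = (Get-Acl -LiteralPath $DataDir).Access | Where-Object {
    $_.IdentityReference.Value -eq $ServiceAccount -and $_.AccessControlType -eq 'Allow' -and
    ($_.FileSystemRights -band $modify) -eq $modify -and
    ($_.InheritanceFlags -band $inherit) -eq $inherit
}
$results += New-Result "Modify on $DataDir" $rule

# 3. Service Log On account. The display-name filter is an assumption; local accounts show as .\name.
foreach ($s in (Get-CimInstance Win32_Service | Where-Object DisplayName -like '*Alteryx*')) {
    $results += New-Result "$($s.Name) runs as $($s.StartName)" ($s.StartName -eq $ServiceAccount)
}

# 4. The account should not be a direct member of local Administrators (well-known SID).
$admins = @(Get-LocalGroupMember -SID 'S-1-5-32-544').Name
$results += New-Result 'not a direct local administrator' ($admins -notcontains $ServiceAccount)

$results | Format-Table -AutoSize
```

Add the Gallery, Web API and SAML URLs you reserved to $ExpectedUrls on machines that host the Gallery component. The script does not check the "Log on as a Service" right.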


Additional Resources

A few interesting articles from Microsoft on how the ASP.NET functionality works for binding URLs which were used in the creation of this article for those that might be interested: