Change the Run As Service Account

Depending on your environment and data access requirements, you may want or need to change the Run As service account. There are two main scenarios where you change the Run As service account:

  • Replacing the default Run As local account (NetworkService) with a domain account. If you are operating in an environment where a majority of your data sources are authenticated in the context of Active Directory (Windows NT integrated security) then you will need to configure the Run As service account to use a domain account, not the local account (NetworkService).
  • Changing an existing domain Run As service account to a different account.

This topic describes both scenarios and describes how to update the Run As service account password.

The account you use for the Run As service account should not be a member of the Local Administrators or Domain Administrators account. Instead, we recommend using a domain user account that is not an administrator for the Run As service account. Using a domain account that is not a member of these administrator groups is a good security practice and can help avoid access to certain data sources and folders. For information on best practices when creating a Run As service account, see Creating the Run As service account.

Note: Starting in Tableau Server version 2023.3.x, if the Run As service account is configured to use a domain account, administrators must also configure a server allowlist for file access using the tsm configuration set command. The allowlist limits file-based data source access to specified local or shared directory paths. For more information and steps to configure a server allowlist, see Security Hardening Checklist.

Replacing the default Run As local account (NetworkService) with a domain account

If you are going to replace the default NetworkService account with a domain account, we recommend using a dedicated account for the Run As service account. Follow these steps:

  1. Create the Run As service account in Active Directory
  2. Configure Tableau Server to use the Run As service account

Creating the Run As service account

Follow these best practices:

  • It's important to understand how the Run As service account accesses data on behalf of the users in your organisation. In some cases, users may inadvertently access data that their users accounts are not explicitly permissioned for. Before you create a Run As service account, review Data Access with the Run As Service Account.
  • Create a dedicated account in Active Directory for the Tableau Server Run As service account. In other words, don’t use an existing account. By using a dedicated account you can be sure that the data resources that you permission for Tableau Server are only accessible by Tableau Server Run As service account.
  • The Run As service account is used to query users and group membership in Active Directory. By default, the NetworkServices account and default domain users have permission to query Active Directory. Do not restrict read or query permissions for the Run As service account.
  • Do not use an account with any kind of domain administrative permissions. Specifically, when you create an account in Active Directory, create an account in the domain User Group. Do not add the account that you create to any Active Directory security groups that needlessly elevate the permissions for the account.
  • Permission the data sources in your directory for this one account. The account that you’ll use for Run As service account only needs Read access to the appropriate data sources and network shares.
  • If users in your organisation authenticate with smart cards, disable the smart card logon option for the Run As service account.
  • If you have installed Tableau Server on a drive other than the system drive, then you will need to configure the system drive to allow the Run As service account additional permissions. The system drive is the drive where Windows is installed. For example, if you have installed Windows on the C:/ drive, then C:/ is your system drive. If you install Tableau Server on any other drive (D:/, E:/, etc), then you will need to configure permissions for the Run As service account on the system drive. See Required Run As Service Account Settings for more information.

Configuring the Run As service account in Tableau Server

After you have created the Run As service account in Active Directory, configure Tableau Server to use that account.

Use the TSM Web UI to configure the Run As service account for the first time.

To configure the Run As service account

  1. Open TSM in a browser:

    https://<tsm-computer-name>:8850. For more information, see Sign in to Tableau Services Manager Web UI.

  2. Click the Security tab, and then click the Run As Service Account tab.

  3. Select User Account and then enter the user name and password for the service account. Specify the domain name as domain\account, where domain name is the NetBIOS name of the domain where the user resides:

  4. Click Save to verify the user name and password.

  5. When you are finished, click Pending Changes, and then click Apply Changes and Restart.

After you update the Run As service account, Tableau Server will automatically configure permissions on the local computer for the account that you have entered.

Changing an existing domain Run As service account to a different account

To change an existing domain Run As service account to a different account, you must apply permissions to that new account. To apply permissions to your new Run As service account, you must first reset permissions by applying them to the default NetworkService account.

Before you begin, verify that the new account that you will be using for the Run As service account complies with the best practices noted previously in the section, Creating the Run As service account.

This procedure requires you to restart Tableau Server services twice, so run this procedure during off hours.

Use the TSM web interface
  1. Open TSM in a browser:

    https://<tsm-computer-name>:8850. For more information, see Sign in to Tableau Services Manager Web UI.

  2. Click the Security tab, and then click the Run As Service Account tab.

  3. Under User Account, select NT Authority\NetworkService.

  4. Click Save.

  5. When you are finished, click Pending Changes, and then click Apply Changes and Restart.

  6. After the server restarts, open TSM and navigate to the Run As Service Account tab.

  7. Select User Account and then enter the user name and password for the service account. Specify the domain name as domain\account, where domain name is the NetBIOS name of the domain where the user resides:

  8. Click Save to verify the user name and password.

  9. When you are finished, click Pending Changes, and then click Apply Changes and Restart.

  10. Revoke the permissions for the previous account. See Revoke Run As Service Account Permissions.

Use the TSM CLI
  1. Reset the Run As service account to NetworkService. Run the following command:

    tsm configuration set -k service.runas.username -v "NT AUTHORITY\NetworkService"

  2. Run the following command to save this change and restart:

    tsm pending-changes apply

  3. Set the Run As service account to the new account. Run the following commands:

    tsm configuration set -k service.runas.username -v <domain\username>

    tsm configuration set -k service.runas.password -v "<password>"

    Enclose the password with double quotes to ensure special characters in the string are processed correctly. To view the password as it will be stored, run the following command:

    tsm pending-changes list

    The password will be validated with Active Directory. If valid, then the password will be encrypted and saved. TSM will not report success or failure.

  4. Run the following command to save and restart:

    tsm pending-changes apply

    Troubleshooting:

    • Verify that the server has started. If it is in a degraded state, then you may have entered an incorrect password. View the stored password by running the configuration get command. This command will decrypt and display the password in the shell. Run the following command:

      tsm configuration get -k service.runas.password

      If the previous password is displayed, then you have not entered a valid password.

    • Enter the correct password (see Step 3), and then run the following command to save and restart:

      tsm pending-changes apply

  5. Revoke the permissions for the previous account. See Revoke Run As Service Account Permissions.

Updating the Run As service account password

If the Run As service account password has been updated in Active Directory you must update it for Tableau Server. The Run As service account password is encrypted and stored on Tableau Server. For more information, see Manage Server Secrets.

If you are running Tableau Server in a distributed deployment, then you only need to update the password with TSM on the initial node in the cluster. TSM will distribute this configuration to each node automatically.

Use the TSM web interface
  1. Open TSM in a browser:

    https://<tsm-computer-name>:8850. For more information, see Sign in to Tableau Services Manager Web UI.

  2. Click the Security tab, and then click the Run As Service Account tab.

  3. Under User Account, enter the password for the service account.

  4. Click Save to verify the password.

  5. When you are finished, click Pending Changes, and then click Apply Changes and Restart.

Use the TSM CLI
  1. Set the new password. Run the following command:

    tsm configuration set -k service.runas.password -v "<password>"

    Enclose the password with double quotes to ensure special characters in the string are processed correctly. To validate that special characters were escaped correctly, run the following command to view the password as it will be stored:

    tsm pending-changes list

    The password will be validated with Active Directory. If valid, then the password will be encrypted and saved. TSM will not report success or failure.

  2. Run the following command to save and restart:

    tsm pending-changes apply

    Troubleshooting:

    • Verify that the server has started. If it is in a degraded state, then you may have entered an incorrect password. View the stored password by running the configuration get command. This command will decrypt and display the password in the shell. Run the following command:

      tsm configuration get -k service.runas.password

      If the previous password is displayed, then you have not entered a valid password.

    • Enter the correct password (see Step 1), and then run the following command to save and restart:

      tsm pending-changes apply

Troubleshooting: Update the password in the Microsoft Services console

In some cases, you may see service failures after updating the Run As service account password. If so, then you may need to manually update the password for the Tableau Server Services Manager service. Update the password in the Microsoft Services management console.

If you are running Tableau Server in a distributed deployment, then you must perform the following procedure on each node in the cluster.

  1. Stop Tableau Server.

    • To use the TSM CLI, run the following command:

      tsm stop

    • To use the TSM Web UI, on the top-right of the page, click the drop-down list next to the status, and then click Stop Tableau Server:

  2. Open the Services MMC snap-in on the Windows computer that is running Tableau Server.

  3. Double-click the Tableau Server Services Manager service to open the properties page.

  4. On the Tableau Server Services Manager Properties page, click the Log On tab, and then enter the password for the service account.

  5. Click Apply, then click OK.

  6. Restart the Tableau Server Services Manager service by right-clicking on the service name and then clicking Restart.

  7. Start Tableau Server.

    • To use the TSM CLI, run the following command:

      tsm start

    • To use the TSM Web UI, on the top right of the page, click the drop-down list next to the status, and then click Start Tableau Server.

The Run As service account is central to many operations on Tableau Server, especially those that are involved with remote data access. To avoid access errors, review the tasks here and follow the links for those that apply to your scenario.

  • If you are running Tableau Server in an organisation with multiple Active Directory domains, see Domain Trust Requirements for Active Directory Deployments.
  • Enabling Kerberos single sign-on requires additional configuration related to the Run As service account. To enable Kerberos single sign-on with Tableau Server, see Kerberos.
  • Enabling impersonation requires additional configuration related to Run As service account. To deploy and enable impersonation with Microsoft SQL Server, see Impersonate with Embedded SQL Credentials.
  • If you have installed Tableau Server onto the non-system drive, then you will need to manually set some permissions for the Run As service account. See Required Run As Service Account Settings for more information.
  • If you have changed the Run As service account, then we recommend revoking the permissions for the previous account. See Revoke Run As Service Account Permissions.
  • If your organisation uses a forward proxy solution, then you may need to reconfigure the local LAN settings on the Tableau Server with the Run As service account. See Configure a forward proxy server for more information. In this scenario, the Run As service account must also be temporarily configured as the log on account for Tableau Server Administrative Controller for product key operations. See Configure Product Key Operations with Forward Proxy.
  • If you are using the Resource Monitoring Tool in your enterprise, the Run As service account may be used to authenticate and gather hardware information. When updating a Run As account, confirm connectivity between RMT and Tableau Server in the RMT Environment Settings:
    1. Sign in to RMT as an administrator.
    2. Navigate to the Environments page (Admin > Environments).
    3. Click Edit for the environment that was updated.
    4. In the Servers list, confirm that each server shows the Agent Service as Connected. Hover over the Connected status to see a timestamp of the last heartbeat message received.
Thanks for your feedback!Your feedback has been successfully submitted. Thank you!