We are standing up a new Windows Server and running a fresh install of Spectrum. We would like to confirm the requirements for the Service Account that will own the Spectrum Install. Our current production Spectrum Install uses an Administrative account, and we understand this is not a requirement of the Spectrum install. We would like to change this to a non-administrative account. However, when we make the account a non-administrative account the Spectrum Install fails to run. We see the following error:
Invalid Username and Password
Error validating the username and password.
The username and password you entered is invalid for <hostname>
The Spectrum install will run if we add the Service Account to the "Administrator Group". However, when we remove the Service Account from the "Administrator Group", and it is a member of the "User Group" and "Spectrum Users Group", we are unable to start the "Spectrum Process Daemon" service.
We see the same message thrown if we attempt to update the account information used by processd when running $SPECROOT/lib/SDPM/processd --install --username <Domain\User> --password <Password>. This returns the "unable to authenticate ...." and "service refused..." error messages.
What are the requirements needed for the Service Account used to run Spectrum?
Release: SDBSFO99000-10.2-Spectrum-Device Based Suite-Server FOC
The failure occurs because the Service Account used to own the Spectrum install has not been granted permission to log on interactively to the server. This was confirmed by correlating the failed attempts in the Windows Security Log. Each time a failed processd attempt is logged, there is a call made to SRAdmin attempting an Interactive Logon (type 2) using the credentials of the Service Account, which fails with "LOGONUSER: logon failure: the user has not been granted the requested logon type at this computer".
Sustaining Engineering confirmed that this is an undocumented requirement:
"This is not documented, but this user does logon to the box using LogonUser() passing LOGON32_LOGON_INTERACTIVE."
Sustaining Engineering also recommends not using a Domain Service Account. The Spectrum Owner needs to be a "normal, local, non-admin user account with no domain or network access".
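
A pre-install check for the logon right described above, as an added PowerShell example that is not from the vendor or the original article: it parses a `secedit` user-rights export and reports whether the account holds "Allow log on locally" (SeInteractiveLogonRight), the right an interactive LogonUser() call requires. The account name `spectrum_svc`, its SID and the sample policy text are constructed for illustration.

```powershell
# Added example. $SamplePolicy is CONSTRUCTED; on a real host export it with
#   secedit /export /cfg "$env:TEMP\rights.inf" /areas USER_RIGHTS
# and pass (Get-Content "$env:TEMP\rights.inf") instead.
$SamplePolicy = @'
[Privilege Rights]
SeServiceLogonRight = *S-1-5-80-0,spectrum_svc
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551
SeDenyInteractiveLogonRight = *S-1-5-32-546
'@ -split "`r?`n"

function Get-RightHolders {
    param([string[]]$PolicyLines, [string]$Right)
    # Entries look like: SeXxxRight = *S-1-5-32-544,AccountName
    $line = $PolicyLines | Where-Object { $_ -match "^\s*$Right\s*=" } |
        Select-Object -First 1
    if (-not $line) { return @() }
    ($line -split '=', 2)[1] -split ',' |
        ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ }
}

function Test-InteractiveLogonRight {
    param(
        [string[]]$PolicyLines,
        # Account name, account SID, and the SID of every group it belongs to
        [string[]]$Identities
    )
    $allow = @(Get-RightHolders $PolicyLines 'SeInteractiveLogonRight')
    $deny  = @(Get-RightHolders $PolicyLines 'SeDenyInteractiveLogonRight')
    $allowedBy = @($Identities | Where-Object { $allow -contains $_ })
    $deniedBy  = @($Identities | Where-Object { $deny -contains $_ })
    [pscustomobject]@{
        AllowedBy             = $allowedBy -join ','
        DeniedBy              = $deniedBy -join ','
        # A deny entry always overrides an allow entry
        CanLogonInteractively = ($allowedBy.Count -gt 0 -and $deniedBy.Count -eq 0)
    }
}

# Hypothetical local account: its own SID (constructed) plus BUILTIN\Users
$ids = 'spectrum_svc', 'S-1-5-21-1111111111-2222222222-3333333333-1001', 'S-1-5-32-545'
Test-InteractiveLogonRight $SamplePolicy $ids   # service logon right alone is not enough
```

The sample policy models a hardened server where BUILTIN\Users (S-1-5-32-545) has been removed from "Allow log on locally", so a non-admin account holding only the service logon right fails the check until it, or a group it belongs to, is added to SeInteractiveLogonRight.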