Spectrum Installation Requirements for Windows
search cancel

Spectrum Installation Requirements for Windows

book

Article ID: 45037

calendar_today

Updated On:

Products

CA Spectrum DX NetOps

Issue/Introduction

Issue:

We are standing up a new Windows Server and running a fresh install of Spectrum. We would like to confirm the requirements for the Service Account that will own the Spectrum Install. Our current production Spectrum Install uses an Administrative account, and we understand this is not a requirement of the Spectrum install. We would like to change this to a non-administrative account. However, when we make the account a non-administrative account the Spectrum Install fails to run. We see the following error:

 

Invalid Username and Password

Error validating the username and password.

The username and password you entered is invalid for <hostname>

 

The Spectrum install will run if we add the Service Account to the "Administrator Group". However, when we remove the Service Account from the "Administrator Group", and it is a member of the "User Group" and "Spectrum Users Group", we are unable to start the "Spectrum Process Daemon" service.

 

We see the same message thrown if we attempt to update the account information used by processd when running the $SPECROOT/lib/SDPM/processd -- install --username <Domain\\User> --password <Password>. This returns the "unable to authenticate ...." and "service refused..." error messages.

 

What are the requirements needed for the Service Account used to run Spectrum?

Environment

Release: SDBSFO99000-10.2-Spectrum-Device Based Suite-Server FOC
Component:

Cause

The cause of the failure is due to the Service Account, used to own the Spectrum install, is not granted permissions to logon interactively to the server. This was confirmed by correlating the failed attempts in the Windows Security Log. There we find when the the failed processd attempts are logged, we see a call made to SRAdmin attempting an Interactive Logon (type 2) using the credentials of the Service Account, which fails with "LOGONUSER: logon failure: the user has not been granted the requested logon type at this computer".

 

Resolution

Sustaining Engineering confirmed that this is an undocumented requirement:

"This is not documented, but this user does logon to the box using LogonUser() passing LOGON32_LOGON_INTERACTIVE."

Sustaining Engineering also recommends not using a Domain Service Account. The Spectrum Owner needs to be a "normal, local, non-admin user account with no domain or network access".

Spectrum uses LSA(Local Security Authority) authentication that allows applications/services to authenticate and logon users on the local system.
It needs interactive mode enabled to authenticate the service through the Install Ticketing System(processd).
 
https://docs.microsoft.com/en-us/windows/win32/secauthn/interactive-authentication

Additional Information

For the other documented prerequisites, please see the Spectrum "Installation and Upgrading" guide:

Powered by Wolken Software