cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

BI Platform Support Tool Issue: SAPHostExec Service Failed To Start

Go to solution
omacoder
Active Contributor

on ‎05-10-2016 7:27 PM

0 Kudos

Initial issue:

SIA fails to start after patching BI 4.2 SP02 to Patch Level 01.

Suggestion from support was to repair the install of BI 4.2 SP02.

After successfully repairing, I rebooted the server.

Now, the SAPHostExec service fails to start.

The errors found in the Event Viewer:

The SAPHostControl service failed to start due to the following error:

The service did not start due to a logon failure.

The SAPHostControl service was unable to log on as .\sapadm with the currently configured password due to the following error:

Logon failure: the user has not been granted the requested logon type at this computer.

Service: SAPHostControl

Domain and account: .\sapadm

This service account does not have the required user right "Log on as a service."

User Action

Assign "Log on as a service" to the service account on this computer. You can use Local Security Settings (Secpol.msc) to do this. If this computer is a node in a cluster, check that this user right is assigned to the Cluster service account on all nodes in the cluster.

If you have already assigned this user right to the service account, and the user right appears to be removed, check with your domain administrator to find out if a Group Policy object associated with this node might be removing the right.

Show replies
Show replies
Answer

Accepted Solutions (1)

Accepted Solutions (1)

Toby_Johnston
Advisor
Advisor
‎05-10-2016 9:23 PM
0 Kudos

Hey Brian,

The BI installer alone should never make a policy change to the sapadm account on the server.

Could it be that your domain policy is set to remove the "Log on as a service" from local accounts?  My theory is that when you rebooted the server after doing the repair, upon restart, your domain policy was re-applied to the computer and stripped sapadm of this user right assignment and subsequently caused the SapHostControl service to fail.  


Can you confirm if this is the case (maybe by rebooting the server and see if it breaks again?)

Regards
Toby

Show replies
Show replies
omacoder
Active Contributor
‎05-10-2016 9:42 PM
0 Kudos

Yes- it sounds like you are on track. Response from our admins:

"yes we do strip logon as a service rights for anything not specified by us.  The [ServiceAccount] account has these rights, if they can sub that user."

Can the SAP Host Agent use one of our existing service accounts, rather than having it create it's own user on the servers? Or is this going to get complicated?

Toby_Johnston
Advisor
Advisor
‎05-10-2016 9:55 PM
0 Kudos

Hi Brian,

I think it may work to use a service account.  But you would need to uninstall and reinstall the agent and specify the user using the switch:  -user <domain>\useraccount

I would however recommend instead to create a sapadm domain account and use this for all your SAP Host Agent installs.  See below:

Can I use a  sapadm domain user in Windows ?

Yes!

In some cases it might be useful to configure sapadm as a domain user instead of a local user (for example, if you have multiple hosts with SAP Host Agent on each of them). If SAP Host Agent is already installed, uninstall it and then reinstall it again with the -user option by executing the following command:

saphostexec.exe -install -user <domain>\sapadm


Regards

Toby

omacoder
Active Contributor
‎05-10-2016 10:19 PM
0 Kudos

Ok... you'll have to pardon my ignorance here, but if I ask my server admins to create a domain account named sapadm, I'm afraid they'll come back and ask what the difference is if we create a new one called sapadm or use an existing domain service account that is used to run Tomcat, SIA, etc?

Or are you really advising that the domain service account for the SAPHostAgent should be named sapadm?

Either way it sounds like I will have to reinstall on all of the hosts as they do not want to grant these services to a local user.

Toby_Johnston
Advisor
Advisor
‎05-11-2016 2:38 PM
0 Kudos

Hey Brian,

I've not tried with a user not named sapadm but I think it would work as long as you uninstall and specify this user at agent install time.

Let me know if you face any further troubles.

Regards,

Toby

omacoder
Active Contributor
‎05-12-2016 7:15 PM
0 Kudos

Thanks Toby, it's working now using our own Domain Service Account that we use to run Tomcat and SIA.  Even after multiple server reboots. Looks like I'm good to go again!

Answers (0)

Ask a Question