SSAS 2012 in a hardened windows 2012 environment

  • Article

All the specific details are not exactly clear. But if you harden your windows 2012 server in such a way that the Users and Everyone local Windows groups no longer have the User Right :

Bypass traverse checking
(SeChangeNotifyPrivilege)

Then it can be that you might get one or both of the following problems:

a) If you are running windows 2012 in Core (no windows GUI enabled) mode and the SSAS service account doesn't have Administrative privileges

then SSAS service will not start. There is no error.

b) Even if the SSAS service account does have Administrative privileges then processing might fail when the SSAS service tries to make an impersonated call through the SQL Server Native Client or SQL Server OLEDB drivers.

You may see an Access Denied request if you use Process Monitor at:

HKLM\SOFTWARE\Microsoft\MSSQLServer\Client\SNI11.0

You may get this error reported during the processing:

OLE DB error: OLE DB or ODBC
error: A network-related or instance-specific error has occurred while
establishing a connection to SQL Server. Server is not found or not accessible.
Check if instance name is correct and if SQL Server is configured to allow
remote connections. For more information see SQL Server Books Online.; 08001;
Client unable to establish connection; 08001; Encryption not supported on the
client.; 08001.

If you reinstall the SQL Native Client driver then it might be that the processing works again until the next restart of the Windows Server.

The problem is not thought to be related to the needs of SSAS service but rather the needs of the driver and the impersonated account.

This is just one situation which might result in those problems, it will not resolve all such situations.

I note that the SQL Server engine documentation indicates that this right is required :

https://msdn.microsoft.com/en-us/library/ms143504(v=sql.110).aspx

The following information was also reviewed:

https://technet.microsoft.com/en-us/library/dn221950.aspx

https://windowsitpro.com/systems-management/how-use-bypass-traverse-checking-user-right