Windows service account for Planning Analytics

Product:
Planning Analytics 2.0.8
Microsoft Windows 2016 server

Problem:
What are the requirements for the Windows service account used to run TM1 servers?

Solution (from IBM web):

User accounts for running TM1 services on Windows

https://www.ibm.com/support/knowledgecenter/en/SSD29G_2.0.0/com.ibm.swg.ba.cognos.tm1_inst.2.0.0.doc/c_tm1serviceaccount_n701df.html

The account must have the following privileges on the local computer:

Act as part of the operating system

Bypass traverse checking

Increase quotas (Adjust memory quotas for a process)

Replace a process level token

Log on as a service

Have read and write privileges on the Windows Registry item

If you run the service as "Local System", you will not be able to use Kerberos, and the service will not have access to read CSV files from external file shares.
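As an added example (not from the IBM article), the following PowerShell audit checks whether a given service account has been granted the five user rights listed above on the local computer. It maps each right in the list to its Windows privilege constant, exports the local security policy with secedit, and reports which rights the account's SID holds. The account name is an assumed placeholder; run it in an elevated session on the TM1 server.

```powershell
# Added example: audit the local user rights the TM1 service account needs.
# The account name below is a placeholder; replace it with your service account.
$Account = 'CONTOSO\svc_tm1'

# Privilege constants for the rights listed in the IBM article
$required = [ordered]@{
    'SeTcbPrivilege'                = 'Act as part of the operating system'
    'SeChangeNotifyPrivilege'       = 'Bypass traverse checking'
    'SeIncreaseQuotaPrivilege'      = 'Adjust memory quotas for a process'
    'SeAssignPrimaryTokenPrivilege' = 'Replace a process level token'
    'SeServiceLogonRight'           = 'Log on as a service'
}

# Resolve the account to its SID; secedit lists SIDs with a leading '*'
$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
          [System.Security.Principal.SecurityIdentifier]).Value

# Export only the user-rights section of the local security policy
$cfg = Join-Path $env:TEMP 'tm1-user-rights.inf'
& secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$lines = Get-Content $cfg
Remove-Item $cfg -Force

foreach ($right in $required.Keys) {
    $line = $lines | Where-Object { $_ -match "^$right\s*=" }
    # Holders are a comma-separated list of *SID or account names
    $holders = if ($line) { ($line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim() } } else { @() }
    $granted = ($holders -contains "*$sid") -or ($holders -contains $Account)
    [pscustomobject]@{
        Right    = $required[$right]
        Constant = $right
        Granted  = $granted
    }
}
```

The export shows only direct assignments, so a right granted through a group the account belongs to will show as not granted here; check group memberships separately before adding the right directly to the account. Because "Act as part of the operating system" and "Replace a process level token" are powerful rights, keep the service account dedicated to TM1 and do not reuse it for interactive logins.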

https://www.ibm.com/support/knowledgecenter/SSD29G_2.0.0/com.ibm.swg.ba.cognos.tm1_inst.2.0.0.doc/c_integratedlogin_nc0007.html#IntegratedLogin_NC0007

In integrated login mode (security mode 3), TM1 authentication compares the user’s domain-qualified Microsoft Windows login name to the contents of the UniqueID element of the }ClientProperties cube.

If there is a match, the user is authenticated to TM1. If Active Directory groups have been imported into the TM1 Server, Active Directory group memberships are honored.

If no match is found, TM1 displays an error message stating that the client name does not exist. TM1 Server does not prompt for login information.

Users who want to access TM1 data in a server that is configured for integrated login must authenticate to Microsoft Windows first and then use TM1 clients to access the TM1 Server.

https://www.ibm.com/support/knowledgecenter/SSD29G_2.0.0/com.ibm.swg.ba.cognos.tm1_inst.2.0.0.doc/t_settingupintegratedloginmanually_nc0644.html


  1. Run ETLDAP and import the user and group information from your LDAP server, as described in Running ETLDAP. Or update the }ClientProperties cube with other TI scripts.
  2. Shut down the TM1 Server.
  3. Edit the following parameters in the tm1s.cfg file located in your TM1 Server data directory:
    • Set the IntegratedSecurityMode parameter to 3.
    • Set the SecurityPackageName parameter to the security protocol you use for integrated login.

    In the following example, the server is configured to use Kerberos.

    [TM1S]
    SecurityPackageName=Kerberos
    IntegratedSecurityMode=3
    Servername=myserver
    DatabaseDirectory=datafiles
  4. Save and close the tm1s.cfg file.
  5. Restart the TM1 Server.
  6. Optional: Configure the TM1 clients to use integrated login by setting the Use Integrated Login option in the associated user interface.
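As an added example (not IBM's own tooling), the following PowerShell snippet performs step 3 of the procedure above: it takes a backup of tm1s.cfg and sets IntegratedSecurityMode and SecurityPackageName, replacing the parameters if they already exist or inserting them under the [TM1S] section header if they do not. The data directory path is an assumed placeholder, and the TM1 Server must be shut down first (step 2).

```powershell
# Added example: set the integrated-login parameters in tm1s.cfg.
# The path is a placeholder; point it at your TM1 Server data directory.
$cfgPath = 'D:\TM1Data\tm1s.cfg'

function Set-Tm1Parameter {
    # Returns a new copy of the config lines with Name=Value applied.
    param([string[]]$Lines, [string]$Name, [string]$Value)
    $pattern = "^\s*$([regex]::Escape($Name))\s*="
    if ($Lines -match $pattern) {
        # Parameter already present (match is case-insensitive): replace it in place
        return $Lines | ForEach-Object { if ($_ -match $pattern) { "$Name=$Value" } else { $_ } }
    }
    # Parameter absent: insert it directly after the [TM1S] section header
    $out = @()
    foreach ($l in $Lines) {
        $out += $l
        if ($l -match '^\s*\[TM1S\]\s*$') { $out += "$Name=$Value" }
    }
    return $out
}

Copy-Item -Path $cfgPath -Destination "$cfgPath.bak" -Force   # keep a backup before editing
$lines = Get-Content -Path $cfgPath
$lines = Set-Tm1Parameter -Lines $lines -Name 'IntegratedSecurityMode' -Value '3'
$lines = Set-Tm1Parameter -Lines $lines -Name 'SecurityPackageName'    -Value 'Kerberos'
Set-Content -Path $cfgPath -Value $lines -Encoding ASCII

# Show the result so the change can be confirmed before restarting the server (step 5)
Get-Content -Path $cfgPath | Select-String -Pattern 'IntegratedSecurityMode|SecurityPackageName'
```

After the server restarts, any user whose domain-qualified Windows login name is not present in the UniqueID element of }ClientProperties will receive the "client name does not exist" error described above, so run the ETLDAP import (step 1) before switching the mode.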

Follow the directions in the IBM knowledge articles for the most accurate information.

https://www.ibm.com/support/knowledgecenter/SSD29G_2.0.0/com.ibm.swg.ba.cognos.tm1_inst.2.0.0.doc/c_parametersinthetm1s.cfgfile_n1503fe.html

More Information:

Enabling Cognos single signon to use Kerberos authentication with constrained delegation

https://www.ibm.com/support/knowledgecenter/en/SSEP7J_11.0.0/com.ibm.swg.ba.cognos.inst_cr_winux.doc/t_inst_sso_active_drctry_constrained_del.html

You must configure the constrained delegation in the Active Directory Users and Computers administration tool. On the Delegation tab for all users (IISUser, CognosCMUser, and CognosATCUser), you must select Trust this user for delegation to specified services only and Use Kerberos only to use Kerberos with constrained delegation. Select Trust this user for delegation to specified services only and Use any authentication protocol if you are using the S4U Kerberos extension.
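As an added example (not from the IBM article), the following PowerShell snippet reports how delegation is currently configured for the three accounts named above, so the setting chosen in the Active Directory Users and Computers Delegation tab can be verified. It reads the userAccountControl flags and the msDS-AllowedToDelegateTo attribute: "Use any authentication protocol" corresponds to the TRUSTED_TO_AUTH_FOR_DELEGATION flag, "Use Kerberos only" to a populated msDS-AllowedToDelegateTo without that flag, and TRUSTED_FOR_DELEGATION indicates unconstrained delegation, which the article does not call for and which should be reviewed. It requires the ActiveDirectory module from RSAT; the account names are taken from the article and may differ in your domain.

```powershell
# Added example: audit the delegation settings of the Cognos service accounts.
Import-Module ActiveDirectory

$accounts = 'IISUser', 'CognosCMUser', 'CognosATCUser'   # names from the article; adjust as needed

$TRUSTED_FOR_DELEGATION         = 0x80000    # unconstrained delegation: not what the article configures
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # "Use any authentication protocol" (S4U / protocol transition)

foreach ($name in $accounts) {
    $u = Get-ADUser -Identity $name -Properties userAccountControl, 'msDS-AllowedToDelegateTo'
    $uac = [int]$u.userAccountControl
    $targets = @($u.'msDS-AllowedToDelegateTo')   # SPNs the account may delegate to

    $mode = if ($uac -band $TRUSTED_FOR_DELEGATION) { 'Unconstrained (review!)' }
            elseif ($targets.Count -eq 0)           { 'None' }
            elseif ($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION) { 'Constrained, any authentication protocol' }
            else                                    { 'Constrained, Kerberos only' }

    [pscustomobject]@{
        Account         = $name
        DelegationMode  = $mode
        AllowedServices = ($targets -join '; ')
    }
}
```

An account that reports "Unconstrained" can forward any user's credentials to any service, so if that appears for one of these accounts, change it to the constrained setting the article describes and limit the allowed services to the specific SPNs Cognos needs.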