UI flows run failure: Could not start UI flows due to security policy

Applies to: Dynamics CRM

Symptoms


  1. When running a Flow that contains a UI flow, it fails with the following error:

    "Could not connect to UI flows running on your machine. Please make sure that UI flows is installed and running." even though the target device has UI flows installed.

  2. On restart (e.g. device reboot), the Windows service "uiflowservice" fails to restart with the following error in the event viewer in Windows Logs\System with event ID 7041:

    "This service account does not have the required user right "Log on as a service.""

    [Image: UIFlowService restart fail event viewer]

  3. When trying to start the uiflowservice manually, the start fails with the message:

    "Windows could not start the UIFlowService service on Local Computer. Error 1069: The service did not start due to a logon failure."

    [Image: UIFlowService manual start fail]

Cause


The UI flow service (uiflowservice) is not running on the target machine because the account used by the service has not been granted the "Log on as a service" user right, either through manual configuration or through a domain group policy.

Resolution


Target device

  1. Make sure the UI flow service is running in the local services on the target machine.

    [Image: UIFlowService not running]

    [Image: UIFlowService running]
  2. Ensure that either the UI flow service account "NT SERVICE\UIFlowService" or the general service account "NT SERVICE\ALL SERVICES" is present in the "Log on as a service" policy of the Local Security Policy settings.

    [Image: UIFlowService in log on as a service local]

    If neither of them is present and they cannot be added in the local "Log on as a service" policy, one of them will need to be added in the domain group policies.

    Go to the "Domain joined server" section.

    [Image: UIFlow not in log on as a service local]

    This indicates that the policy is set as a group policy on the domain controller:

    [Image: UIFlowService not in log on as a service policy local]

  3. Ensure that neither the service account "NT SERVICE\UIFlowService" nor the general service account "NT SERVICE\ALL SERVICES" is present in the "Deny log on as a service" policy of the Local Security Policy settings.

    [Image: UIFlowService deny log on as a service local empty]

    If they cannot be removed from the local "Deny log on as a service" policy, they will need to be removed from the domain group policies.

    Go to the "Domain joined server" section.

    [Image: UIFlowService deny log on as a service]

    This indicates that the policy is set as a group policy on the domain controller:

    [Image: UIFlowService deny log on as a service policy]

Domain joined server

If your server is domain joined and either the "Log on as a service" or the "Deny log on as a service" policy is managed by the domain, follow these steps on the domain controller. You might need to contact your domain administrator to carry them out:

  1. Ensure that either the UI flow service account "NT SERVICE\UIFlowService" or the general service account "NT SERVICE\ALL SERVICES" is present in the "Log on as a service" policy of the Group Security Policy settings.

    The virtual account used by the UI flow service, "NT SERVICE\UIFlowService", is created during the installation of UI flows (when the UI flow service is installed). If it is not present in the domain, follow this procedure to create it on the domain controller:

    1. Install UI flows on the domain controller.

    2. The installation does not need to succeed; the virtual account will be created in the domain even if you get to an error condition.
      If there is an error, check that the account "NT SERVICE\UIFlowService" has all the access required on domain controller and target server policies before cancelling or aborting the installation.

    3. Now that the "NT SERVICE\UIFlowService" account is available in the domain, it can be added to the group policy settings and will be visible in the domain joined servers.

    UI flow service with its virtual account as installed on domain controller.

    [Image: UIFlowService installed domain controller]

    Add "NT SERVICE\UIFlowService" to the domain group "Log on as a service" policy.

    [Image: UIFlowService add to log on as a service group]

    [Image: UIFlowService add to log on as a service group policy]

    After making sure the "NT SERVICE\UIFlowService" account is present in the appropriate group policies, you may uninstall UI flows from the domain controller; the service is only needed on the target machine.

  2. Ensure that neither the UI flow service account "NT SERVICE\UIFlowService" nor the general service account "NT SERVICE\ALL SERVICES" is present in the "Deny log on as a service" policy of the Group Security Policy settings.

    If the account "NT SERVICE\UIFlowService" or the account "NT SERVICE\ALL SERVICES" is in the "Deny log on as a service" policy, then the domain group policy needs to be edited.

    [Image: UIFlowService check deny log on as a service group]

    [Image: UIFlowService check deny log on as a service group policy]
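The Target device checks above can also be scripted. The following PowerShell is an added example, not part of the original article or of Microsoft's tooling; it assumes an elevated session on the target device, and the temporary file name is an arbitrary choice. It reads the exported user rights assignments and reports whether each of the two accounts appears in "Log on as a service" (SeServiceLogonRight) and "Deny log on as a service" (SeDenyServiceLogonRight).

```powershell
# Added example. Run in an elevated PowerShell session on the target device.
$svc = 'UIFlowService'

# Service state and the account the service logs on with.
Get-CimInstance Win32_Service -Filter "Name='$svc'" |
    Format-List Name, State, StartMode, StartName

# Recent System-log events with the ID cited in the symptoms (7041).
$filter = @{ LogName = 'System'; Id = 7041; ProviderName = 'Service Control Manager' }
Get-WinEvent -FilterHashtable $filter -MaxEvents 5 -ErrorAction SilentlyContinue |
    Format-List TimeCreated, Message

# Resolve both accounts to SIDs; the export lists mapped accounts as *SID.
$accounts = foreach ($name in "NT SERVICE\$svc", 'NT SERVICE\ALL SERVICES') {
    try {
        $sid = [System.Security.Principal.NTAccount]::new($name).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
        [pscustomobject]@{ Name = $name; Sid = $sid }
    } catch {
        Write-Warning "Cannot resolve $name (is the service installed on this machine?)"
    }
}

# Export the user rights assignments and parse "Right = entry,entry" lines.
$cfg = Join-Path $env:TEMP 'uiflow_user_rights.inf'   # arbitrary temp file name
secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$rights = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $rights[$Matches[1]] = $Matches[2].Split(',') |
            ForEach-Object { $_.Trim().TrimStart('*') }
    }
}
Remove-Item $cfg

# One row per right and account; entries can be stored as a SID or as a name.
$report = foreach ($right in 'SeServiceLogonRight', 'SeDenyServiceLogonRight') {
    foreach ($a in $accounts) {
        $present = ($rights[$right] -contains $a.Sid) -or ($rights[$right] -contains $a.Name)
        [pscustomobject]@{ Right = $right; Account = $a.Name; Present = $present }
    }
}
$report | Format-Table -AutoSize
```

The state the article asks for is at least one account with Present = True under SeServiceLogonRight and both accounts with Present = False under SeDenyServiceLogonRight.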