lifeng
Posted: Sun Mar 09, 2008 6:07 pm Post subject: 2063 MQRC_SECURITY_ERROR on ASP.Net/IIS 6 system
Apprentice
Joined: 11 Jan 2008 Posts: 46
Hi there,
I have an ASP.Net based app that accesses MQ through the API. It was developed on a Windows 2000 system. It worked fine until we deployed it onto a Windows 2003 server (which is our target production server).
We are now getting 2063 MQRC_SECURITY_ERROR on the first connection attempt. Some resources say that this is due to the default "NT AUTHORITY" domain of the user account (as in this article: http://www-1.ibm.com/support/docview.wss?uid=swg21195102), and the article provides two workarounds. We tried using the impersonation approach:
<identity impersonate="true" userName="127.0.0.1\testuser" password= "mypassword" />
I also added this user account to my system. But it didn't help. I still get exactly the same error.
What else could I be doing wrong?
Thanks
Lifeng

Gaya3
Posted: Sun Mar 09, 2008 8:16 pm Post subject:
Jedi
Joined: 12 Sep 2006 Posts: 2493 Location: Boston, US

lifeng
Posted: Mon Mar 10, 2008 1:55 pm Post subject:
Apprentice
Joined: 11 Jan 2008 Posts: 46
OK, this seems to be a tough one, at least for me...
I tried both options recommended by http://www-1.ibm.com/support/docview.wss?uid=swg21195102
I also tried the approach described in http://www.mqseries.net/phpBB2/viewtopic.php?t=42230&highlight=mqrcsecurityerror
In both cases, I tried assigning the user account (either the default NT AUTHORITY\NETWORK SERVICE or the new user account I created) to the mqm group. Unfortunately, none of these seem to help. I still get the same MQRC_SECURITY_ERROR back.
I also noticed, though, when I monitor the w3wp process using Process Explorer, that the user account the process is running under still appears to be the default NETWORK SERVICE even though I applied the impersonation to use a different one. But the NETWORK SERVICE user does show as a member of the mqm group.
Could it be that, due to some configuration that I did wrong, the mqm group doesn't have enough permission for connecting to the queue manager? Is there a way to check that?
I am almost running out of ideas.
Could anybody tell me what else I may be doing wrong?
Thanks
Lifeng

fjb_saper
Posted: Tue Mar 11, 2008 3:35 am Post subject:
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
lifeng wrote:
I also noticed, though, when I monitor the w3wp process using Process Explorer, that the user account the process is running under still appears to be the default NETWORK SERVICE even though I applied the impersonation to use a different one. But the NETWORK SERVICE user does show as a member of the mqm group.

How about setting the authorizations needed for the network service users or group?
Did you check the DCOM user set up for MQ?
Enjoy
_________________
MQ & Broker admin

lifeng
Posted: Tue Mar 11, 2008 7:17 am Post subject:
Apprentice
Joined: 11 Jan 2008 Posts: 46
I have added NT AUTHORITY\NETWORK SERVICE to the mqm group. And in DCOM I checked that mqm has every access permission with MQ, and for Identity I set it to launching user, the same as the setting that worked for me on Windows 2000/IIS5...

jefflowrey
Posted: Tue Mar 11, 2008 7:21 am Post subject:
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981
Did you restart the computer after adding the NETWORK SERVICE user to the mqm group?
This will be necessary.
Also, it is entirely the wrong thing to do to put this user in the mqm group.
The impersonate option is the correct one - you likely did not complete all of the necessary steps - including restarting the machine - to get this to succeed properly.
_________________
I am *not* the model of the modern major general.

lifeng
Posted: Tue Mar 11, 2008 8:03 am Post subject:
Apprentice
Joined: 11 Jan 2008 Posts: 46
Thanks jefflowrey,
I know adding NETWORK SERVICE to mqm is bad. I just want to have everything wide open for now so that I can get something to work on IIS6, anything, before coming back and tightening it up security-wise.
Yes, I did reboot the computer several times. Actually, I always reboot after each new config change I make.
As far as impersonate goes, I tried something like <identity impersonate="true" userName="127.0.0.1\qmuser" password= "qmuser" />, after adding qmuser to my system. I even added qmuser to the mqm group as well. But it didn't make a difference either.
The only thing I am not sure about is that, after I did the impersonate config change and re-ran the app, I still see (from Process Explorer) that w3wp running from the app pool runs as NETWORK SERVICE, instead of qmuser.

lifeng
Posted: Tue Mar 11, 2008 9:43 am Post subject:
Apprentice
Joined: 11 Jan 2008 Posts: 46
Now I am testing this in a slightly different way. Since I have a Win 2000 machine that has both the app code and MQ on it and it works, and I also have a Win2003 machine that has the same on it but doesn't work, I am now trying to run my app from the 2000 box to connect to MQ on 2003. What I got this time is also an error, but a different one: 2035, MQRC_NOT_AUTHORIZED. What my code uses for the connection is the following:
QMGR Host name: name-of-my-2003-box
port: 1414
channel: SYSTEM.DEF.SVRCONN
I think this might have something to do with granting a remote user connection on the MQ server, but I don't know what and how. When I connect this way, what user id does the user connection appear as to the server? How do I set up the permission for this kind of connection?
Thanks
Lifeng