BBM (Master)
Joined: 10 Nov 2005 | Posts: 217 | Location: London, UK
Posted: Mon Jan 18, 2010 7:05 pm | Post subject: Confusing local installs

Hi,
I have a number of users all running WMQ 6.x or 7.x locally on their Windows XP workstations.
The workstations are all part of the domain and they are logged in as domain users. MQ is running under the MUSR_MQADMIN account happily and is not using a domain account to query group membership.
This confuses me since I cannot do the same on my workstation. I thought when a machine was part of a domain MQ needs to run under a domain account, or is this wrong?
Thanks
BBM

Vitor (Grand High Poobah)
Joined: 11 Nov 2005 | Posts: 26093 | Location: Texas, USA
Posted: Mon Jan 18, 2010 7:34 pm | Post subject: Re: Confusing local installs

BBM wrote:
    I thought when a machine was part of a domain MQ needs to run under a domain account or is this wrong?

Typically (and you'll find multiple discussions of this point in here) WMQ needs to run as a local account or you get authentication problems. Domain administrators get added to the local group.
_________________
Honesty is the best policy.
Insanity is the best defence.

BBM (Master)
Joined: 10 Nov 2005 | Posts: 217 | Location: London, UK
Posted: Mon Jan 18, 2010 7:46 pm

I thought it was the other way around; the manual says that MQ needs to run as a special domain account so it can authenticate domain users.

mvic (Jedi)
Joined: 09 Mar 2004 | Posts: 2080
Posted: Tue Jan 19, 2010 1:24 am

mqjeff (Grand Master)
Joined: 25 Jun 2008 | Posts: 17447
Posted: Tue Jan 19, 2010 5:09 am | Post subject: Re: Confusing local installs

Vitor wrote:
    BBM wrote:
        I thought when a machine was part of a domain MQ needs to run under a domain account or is this wrong?
    Typically (and you'll find multiple discussions of this point in here) WMQ needs to run as a local account or you get authentication problems. Domain administrators get added to the local group.

I've never seen this, actually, despite all of the discussion here.
But the real question is - what security registry is MQ talking to? If it's running as a local user, it's almost certainly talking to the local security registry, and has permissions to do so.
But if you put a domain group in a local group, then it needs privileges to query the domain registry to find out who's in the domain group. This usually (for very *large* values of usually) requires running MQ as a domain user. But then you have to also make sure the domain user is authorized sufficiently on the local registry.

BBM (Master)
Joined: 10 Nov 2005 | Posts: 217 | Location: London, UK
Posted: Wed Jan 20, 2010 2:44 am

Hi,
Thanks for the replies. By 'I cannot do the same on my workstation' I mean I cannot replicate their setup, i.e. when I install v6.x on my XP workstation it *needs* a domain account to run under, otherwise I cannot start queue managers, create objects, etc. The error messages I get are all related to security (2035's), etc. Using dcomcnfg to alter the MQ account to a domain account makes the issue go away.
But these other workstations seem to be working just fine with a domain user logged in but MQ running under the local account MUSR_MQADMIN - which goes against not only the manual but every other MQ for Windows setup I have seen... unless I'm being dumb here (a distinct possibility)...
The issue for me is that the company are against using domain accounts for local apps for various technical and non-technical reasons.
mqjeff, you make a good point about the security registries - I will investigate whether they have ever had 'domain mqm' as a member of mqm to start with; if not then this may be the issue...
Thanks again for the replies...
bbm
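
One way to run the check that mqjeff's reply points to and that the last post proposes, as an added example that is not part of the original thread: this PowerShell script lists the members of the local mqm group on a workstation and classifies each as a local or a domain principal. It assumes the local group is named mqm as in the thread and that it is run on the workstation itself; Get-PrincipalScope is a hypothetical helper name.

```powershell
# Added example: audit the local 'mqm' group for nested domain principals.
# Get-PrincipalScope is a hypothetical helper name, not part of WebSphere MQ.
$computer  = $env:COMPUTERNAME
$groupName = 'mqm'   # local group name as used in the thread

function Get-PrincipalScope {
    param([string]$AdsPath, [string]$Computer)
    # WinNT ADsPath shapes:
    #   local account     WinNT://<domain-or-workgroup>/<computer>/<name>
    #   domain principal  WinNT://<domain>/<name>
    #   well-known        WinNT://NT AUTHORITY/<name>
    #   orphaned SID      WinNT://S-1-5-21-...
    $parts = ($AdsPath -replace '^WinNT://', '').Split('/')
    if ($parts.Count -eq 1) { return 'UnresolvedSid' }
    if ($parts[-2] -ieq $Computer) { return 'Local' }
    if ('NT AUTHORITY', 'BUILTIN' -contains $parts[0]) { return 'WellKnown' }
    return 'Domain'
}

try {
    # Read the group from the local security registry via the ADSI WinNT provider.
    $group = [ADSI]"WinNT://$computer/$groupName,group"
    $members = @($group.psbase.Invoke('Members')) | ForEach-Object {
        $t    = $_.GetType()
        $path = $t.InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        New-Object PSObject -Property @{
            Path  = $path
            Class = $t.InvokeMember('Class', 'GetProperty', $null, $_, $null)
            Scope = Get-PrincipalScope -AdsPath $path -Computer $computer
        }
    }
} catch {
    Write-Error "Could not read local group '$groupName': $_"
    return
}

$members | Sort-Object Scope | Format-Table Scope, Class, Path -AutoSize

# A domain group nested in the local group is the case where its membership
# has to be looked up in the domain rather than in the local registry.
$nested = @($members | Where-Object { $_.Scope -eq 'Domain' -and $_.Class -eq 'Group' })
if ($nested.Count -gt 0) {
    "Domain group(s) nested in local '$groupName': expanding them requires a domain lookup."
} else {
    "No domain groups nested in local '$groupName'."
}
```

Comparing the output from a workstation that runs under MUSR_MQADMIN with one that needs a domain account shows whether a nested domain group is the difference between them.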