AMQ8074W: Authorization failed as SID doesn't match entity
dakoroni
Posted: Wed Jan 27, 2021 7:57 am Post subject: AMQ8074W: Authorization failed as SID doesn't match entity
Acolyte
Joined: 10 Jan 2020 Posts: 50
Hello MQ Security Users,
Any advice on the following will be much appreciated:
When I am trying to connect to remote Queue Manager (QM:MQNBGQA) at AD Domain Central from Windows client using IBM MQ Explorer tool, with Domain userID e63254@CENTRAL or userID e63254@BANK (Central, Bank are trusted domains), the following error msg prompts on MQ Explorer:
---
Access not permitted. You are not authorized to perform this operation. (AMQ4036)
Severity: 10 (Warning)
Explanation: The queue manager security mechanism has indicated that the userid associated with this request is not authorized to access the object.
---
Looking into the target MQ Server error log, the following exceptions are listed:
---
27/1/2021 17:17:14 - Process(6876.2 User(MQNBGQA) Program(amqzlaa0.exe)
Host(V000010255) Installation(MQNBGQA)
VRMF(9.1.5.0) QMgr(MQNBGQA)
Time(2021-01-27T15:17:14.486Z)
RemoteHost(10.1.100.155)
CommentInsert1(S-1-5-21-816530017-2240465312-872180193-23427)
CommentInsert2(e63254@centr)
AMQ8074W: Authorization failed as the SID
'S-1-5-21-816530017-2240465312-872180193-23427' does not match the entity 'e63254@centr'.
EXPLANATION:
The Object Authority Manager received inconsistent data - the supplied SID does not match that of the supplied entity information.
ACTION:
Ensure that the application is supplying valid entity and SID information.
------
27/1/2021 17:16:42 - Process(6876.27) User(MQNBGQA) Program(amqzlaa0.exe)
Host(V000010255) Installation(MQNBGQA)
VRMF(9.1.5.0) QMgr(MQNBGQA)
Time(2021-01-27T15:16:42.103Z)
RemoteHost(10.1.100.155)
CommentInsert1(S-1-5-21-783752929-4063248335-57074302-1354159)
CommentInsert2(e63254@bank)
AMQ8074W: Authorization failed as the SID
'S-1-5-21-783752929-4063248335-57074302-1354159' does not match the entity 'e63254@bank'.
EXPLANATION:
The Object Authority Manager received inconsistent data - the supplied SID does not match that of the supplied entity information.
ACTION:
Ensure that the application is supplying valid entity and SID information.
----
Both principals (Domain UIDs) are included in the QM access list with proper authorizations and were used to access QM objects without any issues before (previous days).
FYI, there are also channel rules enabled for the principals.
(i.e. SYSTEM.ADMIN.SVRCONN -> ADDRESS MAP FOR E63254@CENTRAL
SYSTEM.AUTO.SVRCONN -> ADDRESS MAP FOR E63254@CENTRAL)
Btw, where does this SID entry "e63254@centr" come from?
It seems to me that there might be an SID corruption in OAM..
If this is the case, how can the SID be fixed and recovered?
What might be the problem? Any workarounds?
Thanks in advance for your time and support,
Cheers Nick.
gbaddeley
Posted: Wed Jan 27, 2021 3:41 pm Post subject: Re: AMQ8074W: Authorization failed as SID doesn't match entity
Jedi Knight
Joined: 25 Mar 2003 Posts: 2538 Location: Melbourne, Australia
I suspect that the insert value e63254@centr is being truncated to 12 characters for display.
MQ stores SIDs in OAM, it does not store the actual Windows principal user.
Was the user recreated in AD at some stage, and its SID changed?
Refer to https://www.ibm.com/support/knowledgecenter/SSFKSJ_8.0.0/com.ibm.mq.sec.doc/q013550_.htm
On Windows, from IBM MQ Version 8.0, you can delete the OAM entries corresponding to a particular Windows user account at any time using the -u SID parameter of setmqaut.
_________________
Glenn
dakoroni
Posted: Fri Jan 29, 2021 8:02 am Post subject: AMQ8074W: Authorization failed as SID doesn't match entity
Acolyte
Joined: 10 Jan 2020 Posts: 50
Thanks for your tip.
I have executed the following commands (cmd prompt) on QM: MQNBGQA to verify my SID:
D:\>whoami
central\e63254
D:\>whoami /user
USER INFORMATION
----------------
User Name SID
============== =============================================
central\e63254 S-1-5-21-816530017-2240465312-872180193-23427
Also ran setmqaut -u SID to remove the "problematic" SID from OAM entries:
D:\>setmqaut -m MQNBGQA -t qmgr -u S-1-5-21-816530017-2240465312-872180193-23427 -remove
Then restarted the QM and added the e63254@central user again (since it had been removed), but the problem still remains.
FYI, I am capable of accessing other Queue Managers in the CENTRAL domain from the same MQ client, as well as a test Queue Manager on the same machine, which makes me suspicious about that specific Queue Manager's corruption.
I am afraid that I have to delete & restore (via runmqsc) QM: MQNBGQA using the "last known good" mqsc backup (taken via dmpmqcfg).
If there is any other option you can think of, pls let me know.
Cheers Nick.
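The two posts above work from two sources of truth: the AMQ8074W entries in the queue manager error log (CommentInsert1 is the SID the OAM was handed, CommentInsert2 the entity name) and the SID that `whoami /user` reports for the account. As an added example, not code from the thread or from IBM, the following Python script parses both and labels each failure either as a stale SID (no current account owns it, so Glenn's setmqaut -u SID -remove cleanup is the candidate fix) or as a live SID that the OAM still rejected, which points away from a stale entry and towards a service request. The log text and the whoami output are constructed from the values quoted in the thread; the verdict names and the prefix comparison, which encodes Glenn's hypothesis that the entity insert is truncated for display, are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample modelled on the two AMQ8074W entries quoted in the thread
# (not a real AMQERR01.LOG capture). Entries are separated by dashed lines.
SAMPLE_LOG = """\
27/1/2021 17:17:14 - Process(6876.2) User(MQNBGQA) Program(amqzlaa0.exe)
Host(V000010255) Installation(MQNBGQA)
VRMF(9.1.5.0) QMgr(MQNBGQA)
Time(2021-01-27T15:17:14.486Z)
RemoteHost(10.1.100.155)
CommentInsert1(S-1-5-21-816530017-2240465312-872180193-23427)
CommentInsert2(e63254@centr)
AMQ8074W: Authorization failed as the SID
'S-1-5-21-816530017-2240465312-872180193-23427' does not match the entity 'e63254@centr'.
------
27/1/2021 17:16:42 - Process(6876.27) User(MQNBGQA) Program(amqzlaa0.exe)
Host(V000010255) Installation(MQNBGQA)
VRMF(9.1.5.0) QMgr(MQNBGQA)
Time(2021-01-27T15:16:42.103Z)
RemoteHost(10.1.100.155)
CommentInsert1(S-1-5-21-783752929-4063248335-57074302-1354159)
CommentInsert2(e63254@bank)
AMQ8074W: Authorization failed as the SID
'S-1-5-21-783752929-4063248335-57074302-1354159' does not match the entity 'e63254@bank'.
----
"""

# Constructed snapshot in the shape of `whoami /user` output. Only the CENTRAL
# account is listed; the BANK SID is deliberately absent so the stale case shows.
WHOAMI_USER = """\
USER INFORMATION
----------------

User Name      SID
============== =============================================
central\\e63254 S-1-5-21-816530017-2240465312-872180193-23427
"""


@dataclass
class AuthFailure:
    time: str
    remote_host: str
    sid: str      # CommentInsert1: the SID the OAM was handed
    entity: str   # CommentInsert2: the entity name, possibly truncated in the insert


FIELD_RE = re.compile(r"^(Time|RemoteHost|CommentInsert1|CommentInsert2)\((.*)\)$", re.M)
SID_LINE_RE = re.compile(r"^(\S+)\s+(S-1-5-[\d-]+)\s*$", re.M)


def parse_amq8074w(log_text: str) -> List[AuthFailure]:
    """Extract SID/entity pairs from every AMQ8074W entry in an MQ error log."""
    failures = []
    for block in re.split(r"^-{4,}\s*$", log_text, flags=re.M):
        if "AMQ8074W" not in block:
            continue
        f = dict(FIELD_RE.findall(block))
        failures.append(AuthFailure(f.get("Time", ""), f.get("RemoteHost", ""),
                                    f.get("CommentInsert1", ""), f.get("CommentInsert2", "")))
    return failures


def parse_whoami_user(text: str) -> Dict[str, str]:
    """Map SID -> 'DOMAIN\\user' from `whoami /user` output."""
    return {sid: account for account, sid in SID_LINE_RE.findall(text)}


def entity_prefix_matches(entity: str, account: str) -> bool:
    """Compare user@domain with the logged entity as a prefix, because the
    thread suggests the CommentInsert2 value is truncated (e.g. 'e63254@centr')."""
    domain, _, user = account.partition("\\")
    return f"{user}@{domain}".lower().startswith(entity.lower())


def classify(failures: List[AuthFailure], known: Dict[str, str]) -> List[Tuple[AuthFailure, str]]:
    """Label each failure so an admin can tell a stale OAM SID from a live one."""
    out = []
    for fail in failures:
        account = known.get(fail.sid)
        if account is None:
            verdict = "stale-sid"                  # no current account owns this SID
        elif entity_prefix_matches(fail.entity, account):
            verdict = "sid-matches-account"        # SID is live; not a stale entry
        else:
            verdict = "sid-belongs-to-other-account"
        out.append((fail, verdict))
    return out


def removal_command(qmgr: str, sid: str) -> str:
    """The setmqaut form used in the thread to drop OAM entries for a SID."""
    return f"setmqaut -m {qmgr} -t qmgr -u {sid} -remove"


if __name__ == "__main__":
    known = parse_whoami_user(WHOAMI_USER)
    for fail, verdict in classify(parse_amq8074w(SAMPLE_LOG), known):
        print(f"{fail.time} {fail.remote_host} {fail.entity!r} {fail.sid} -> {verdict}")
        if verdict == "stale-sid":
            print("   candidate cleanup:", removal_command("MQNBGQA", fail.sid))
```

Run against a real AMQERR01.LOG and the output of whoami /user for each affected account; a "sid-matches-account" verdict on an entry the OAM still rejects means removing and re-adding the SID (as tried above) will not help, and the evidence belongs in a service request instead.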
gbaddeley
Posted: Sun Jan 31, 2021 2:20 pm Post subject:
Jedi Knight
Joined: 25 Mar 2003 Posts: 2538 Location: Melbourne, Australia
I suggest raising a service request with IBM.
MQ trace may also show what MQ was doing in the lead up to the error.
_________________
Glenn
dakoroni
Posted: Mon Feb 01, 2021 2:34 am Post subject: AMQ8074W: Authorization failed as SID doesn't match entity
Acolyte
Joined: 10 Jan 2020 Posts: 50
It seems to me also that further investigation should be done in the context of a PMR ticket.
Thanks for the tip.
kaseidu
Posted: Tue Mar 08, 2022 3:29 am Post subject:
Newbie
Joined: 08 Mar 2022 Posts: 1
Hi.
I think this issue will match an existing new APAR, IT33223. The APAR is still open and not available on the web.
To confirm the APAR matches, the workaround is to connect without providing the domain name.
I.e. e63254@centr -> e63254