dave_r_2 (Newbie; Joined: 11 Dec 2004; Posts: 2)
Posted: Sat Dec 11, 2004 12:15 pm    Post subject: Issues with MQ authority
Several users are suddenly not able to use MQSeries on their WinXP systems; the following error is in the Event Viewer. What would cause this to suddenly happen after they were working fine? What is the root cause?
What is the best way to resolve this, as we may need to open a PMR?
Quote:
Ensure Active Directory access permissions allow user 'musr_mqadmin@in34677' to read group memberships for user 'smithj@initech'. To retrieve group membership information for a domain user, MQ must run with the authority of a domain user.
Last edited by dave_r_2 on Mon Dec 13, 2004 4:34 pm; edited 1 time in total
csmith28 (Grand Master; Joined: 15 Jul 2003; Posts: 1196; Location: Arizona)
Posted: Sat Dec 11, 2004 1:17 pm    Post subject:
This doesn't appear to be an MQ problem. More like an access permissions problem with your domain or the settings for the users.
Has your security group been messing around with the settings on your domain lately?
_________________
Yes, I am an agent of Satan but my duties are largely ceremonial.
fjb_saper (Grand High Poobah; Joined: 18 Nov 2003; Posts: 20756; Location: LI,NY)
Posted: Sat Dec 11, 2004 2:33 pm    Post subject:
dave_r_2 wrote:
Ensure Active Directory access permissions allow user 'musr_mqadmin@in34677' to read group memberships for user 'smithj@initech'. To retrieve group membership information for a domain user, MQ must run with the authority of a domain user.
csmith28 wrote:
Has your security group been messing around with the settings on your domain lately?
It definitely looks like it.
Make your security team responsible for fixing this one and keep harping on them until it works.
Enjoy
JasonE (Grand Master; Joined: 03 Nov 2003; Posts: 1220; Location: Hursley)
Posted: Sat Dec 11, 2004 3:11 pm    Post subject:
Look up delegate authority in the Windows Quick Beginnings. You need to ensure the userid MQ runs under can query group membership on the domain controller, and to do this it needs to be a domain userid with delegate authority (or the delegate authority can be given to everyone).
csmith28 (Grand Master; Joined: 15 Jul 2003; Posts: 1196; Location: Arizona)
Posted: Sun Dec 12, 2004 4:35 pm    Post subject:
fjb_saper wrote:
It definitely looks like it.
Make your security team responsible for fixing this one and keep harping on them until it works.
Enjoy
Well yeah...
If everyone was fat, dumb and happy, going about their business, then this started to...
dave_r_2 wrote:
suddenly happen after they were working fine?
and you haven't made any changes to the MQManager in question or the server it is hosted on, then IMHO there is not much else Dave can do.
Oh and um... Dave? um....
Would you mind so much changing the subject to something more appropriate like....
Um, I dunno.....
"Big Problems with the NT Domain Security Group"
or
"Users suddenly unable to access MQSeries"
or
"Security group messed up MQ Access"
Then, looking forward, could you be a little more careful.
_________________
Yes, I am an agent of Satan but my duties are largely ceremonial.
hguapluas (Centurion; Joined: 05 Aug 2004; Posts: 105; Location: San Diego)
Posted: Mon Dec 13, 2004 9:06 am    Post subject:
Have any of your computers/servers changed domain membership? Going from domain to workgroup can cause this too.
Has someone played with the group membership of your account? Maybe removed you (them) from the administrator or mqm group?
As mentioned above, check with your security team to see if they have changed the application or domain server security policies. This can have an impact. Also check to see how frequently they have set the domain policies to do a forced refresh on downstream clients/servers. If you make a change and it works, and then a few hours to a day later it stops again, it is definitely tied into the security policies.
Check passwords on local vs. domain.
This is a security issue in your Windows environment that is impacting MQ.
You could try running the Prepare WebSphere MQ Wizard again on these boxes to reset authorization and see if that helps. But this may not necessarily fix what caused this problem in the first place.
WannaBeInAParker (Voyager; Joined: 09 Dec 2003; Posts: 81)
Posted: Mon Dec 13, 2004 3:38 pm    Post subject:
We hit this issue a couple of months back after a security hole was filled when a Windows security patch was applied. We were using a local id to query domain level access and ignored the doc that stated you need to run as a domain level ID. Why would we do this... because it worked. After a security patch (weekly event) was applied to the Windows environment, the local ID could no longer query domain level access. We were in panic mode and had to change the IBM MQSeries Services and dcomcnfg to run as a domain level ID, which had to be created as an emergency.
I will track down the actual patch, if needed.
We learned a valuable lesson... FTFM.
-WannaBe-
_________________
-WannaBe-
dave_r_2 (Newbie; Joined: 11 Dec 2004; Posts: 2)
Posted: Mon Dec 13, 2004 4:36 pm    Post subject:
That would be great if you could track down the patch; we are all scratching our heads.
We only have one group set up, the MQM group. Within that group is
MUSR_MQADMIN, and the domain is for the user initech\SMITHJ.
WannaBeInAParker (Voyager; Joined: 09 Dec 2003; Posts: 81)
Posted: Mon Dec 13, 2004 5:37 pm    Post subject:
Still looking...
In the meantime, I believe that you need to create an initech\MUSR_MQADMIN id. <EDIT> Add the initech\MUSR_MQADMIN id to the local MQM group </EDIT> Stop the queue manager and the IBM MQSeries service. Change the IBM MQSeries Service to run as this ID and then run dcomcnfg, and change the IBM MQSeries Service under dcomcnfg to run as initech\MUSR_MQADMIN. Start the IBM MQSeries Service, then start the queue manager.
The MUSR_MQADMIN id is now a domain level ID that should have the authority to query the domain for User ID information.
I am not a Windows Security admin, so I would defer to the suggestion earlier on creating the domain level MUSR_MQADMIN; I believe delegate control was mentioned.
_________________
-WannaBe-
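The checks and the service-account change discussed across this thread (JasonE's point that the MQ service must run as a domain userid with delegate authority, and WannaBeInAParker's sequence of adding the domain id to the local mqm group, stopping the queue manager and service, changing the service logon, and starting again) can be driven from PowerShell on a current Windows box. The script below is an added example, not code from the thread or from IBM: the service display name 'IBM MQSeries', the queue manager name 'QM1', the domain account 'initech\MUSR_MQADMIN' and the user 'smithj' are placeholders taken from or assumed for this thread, and the tokenGroups lookup is only an approximation of what MQ does when it reads a domain user's group membership. The dcomcnfg identity change and the Active Directory "Delegate Control" step are left as manual steps, as the posters describe them.

```powershell
<#
 Added example (not from the thread or from IBM): diagnose why the MQ service
 cannot read a domain user's group membership and, with -Fix, apply the sequence
 WannaBeInAParker describes. All names below are placeholders; adjust for your site.
 Run the diagnostic part *as the MQ service account* (runas /user:DOMAIN\acct) to
 reproduce what MQ itself sees. dcomcnfg and AD "Delegate Control" are not scripted.
#>
param(
    [string]$ServiceDisplayName = 'IBM MQSeries',          # assumed display name; confirm with Get-Service
    [string]$TargetUser         = 'smithj',                # sAMAccountName of a user hitting the error
    [string]$NewServiceAccount  = 'initech\MUSR_MQADMIN',  # domain account proposed in the thread
    [string]$QueueManager       = 'QM1',                   # assumed queue manager name
    [switch]$Fix
)

# 1. Which account does the MQ service run under, and is it a local or a domain account?
$svc = Get-CimInstance Win32_Service -Filter "DisplayName = '$ServiceDisplayName'"
if (-not $svc) { throw "Service '$ServiceDisplayName' not found; check the display name." }
$logon   = $svc.StartName
$isLocal = ($logon -eq 'LocalSystem') -or
           ($logon -match ('^(\.|NT AUTHORITY|NT SERVICE|' + [regex]::Escape($env:COMPUTERNAME) + ')\\'))
$verdict = if ($isLocal) { 'LOCAL account: cannot read domain group membership' } else { 'domain account' }
"{0} runs as '{1}' -> {2}" -f $svc.Name, $logon, $verdict

# 2. Is that account a member of the local mqm group? (thread: MUSR_MQADMIN must be in MQM)
$logonNt = $logon -replace '^\.\\', "$env:COMPUTERNAME\"
$inMqm   = Get-LocalGroupMember -Group 'mqm' -ErrorAction SilentlyContinue |
           Where-Object { $_.Name -ieq $logonNt }
"Member of local mqm group: {0}" -f [bool]$inMqm

# 3. Can the caller read the target user's effective groups from AD?
#    tokenGroups is a constructed attribute: it must be read from the user object
#    itself (base scope), so first locate the DN, then bind and refresh that attribute.
Add-Type -AssemblyName System.DirectoryServices
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$TargetUser))"
[void]$searcher.PropertiesToLoad.Add('distinguishedName')
$hit = $searcher.FindOne()
if (-not $hit) { throw "User '$TargetUser' not found in the current domain." }
$dn    = $hit.Properties['distinguishedname'][0]
$entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$dn")
try {
    $entry.RefreshCache(@('tokenGroups'))
    $sids = @($entry.Properties['tokenGroups']) | ForEach-Object {
        New-Object System.Security.Principal.SecurityIdentifier($_, 0)
    }
    "Read {0} group SIDs for {1}" -f $sids.Count, $TargetUser
    $sids | ForEach-Object {
        try { $_.Translate([System.Security.Principal.NTAccount]).Value } catch { $_.Value }
    }
}
catch {
    # This is the condition the Event Viewer message describes: the account doing the
    # lookup lacks the right to read group membership on the user object.
    Write-Warning "tokenGroups lookup for '$TargetUser' failed: $($_.Exception.Message)"
}

# 4. Optional fix, in the thread's order: mqm membership, stop, change logon, start.
if ($Fix) {
    $cred = Get-Credential -UserName $NewServiceAccount -Message 'Password for the MQ service account'
    $pwd  = $cred.GetNetworkCredential().Password
    if (-not (Get-LocalGroupMember -Group 'mqm' -Member $NewServiceAccount -ErrorAction SilentlyContinue)) {
        Add-LocalGroupMember -Group 'mqm' -Member $NewServiceAccount
    }
    & endmqm -i $QueueManager                  # IBM MQ control command: immediate shutdown of the queue manager
    Stop-Service -Name $svc.Name -Force
    # sc.exe is used for the logon change; Set-Service -Credential exists only in PowerShell 7+.
    & sc.exe config $svc.Name obj= $NewServiceAccount password= $pwd
    Start-Service -Name $svc.Name
    & strmqm $QueueManager
    # Still manual, as in the thread: the dcomcnfg identity for the MQ service, and the
    # AD "Delegate Control" right so the new account can read group membership.
}
```

If step 3 succeeds when run as your own domain account but fails when run as the service account, the problem is the delegated read right on the user objects (JasonE's point), not the service configuration; if the service shows as a local account in step 1, that alone explains the event-log message, which is the situation WannaBeInAParker describes after the patch.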