MQSeries.net Forum Index » IBM MQ Installation/Configuration Support » RESOLVED: Access Not Authorized. You are Not Authorized.

RESOLVED: Access Not Authorized. You are Not Authorized.
paulgroo
Posted: Wed Nov 01, 2006 4:04 am

Centurion

Joined: 07 Jul 2005
Posts: 138
Location: Ireland

Hi everyone. I've found a few other posts that have a similar problem to the one I'm having, but don't quite hit the nail on the head. So here goes...

I've installed MQ 5.3 onto a Windows 2003 server. When I log in locally with an account with admin privileges everything is fine. I can see the queue manager, stop and start it, see all the queues/channels, etc.

However, when I log in with a domain account (which has been added to the local administrators and mqm groups) I can see the queue manager but it won't allow me to see the queues and channels. When I choose 'connect' in the MQ Explorer window I get an "Access Not Authorized. You are Not Authorized to perform this operation. (AMQ4036)" error.
When I check in the AMQERR logs I can see a number of errors:
AMQ7227: WebSphere MQ encountered the following network error: The RPC server is unavailable.

I've tried a number of things like adding the groups explicitly in the Dcomcnfg but still the same problem.

Please help, this is beginning to affect my mojo in a bad way.


Last edited by paulgroo on Mon Nov 06, 2006 9:16 am; edited 1 time in total
jefflowrey
Posted: Wed Nov 01, 2006 4:15 am

Grand Poobah

Joined: 16 Oct 2002
Posts: 19981

Did you run refresh security after changing the membership of mqm?

Did you configure dcomcfg (or run the prepare mq wizard) to use a domain account that has proper privileges to query group membership on the domain?

Are you trying to authorize embedded groups in the mqm group?
_________________
I am *not* the model of the modern major general.
paulgroo
Posted: Wed Nov 01, 2006 4:22 am

Centurion

Joined: 07 Jul 2005
Posts: 138
Location: Ireland

Hi Jeff,

Thanks for your reply! I've put my answers to your questions below:

Did you run refresh security after changing the membership of mqm?
Yes, I've run the refresh command after each change to the mqm group.

Did you configure dcomcfg (or run the prepare mq wizard) to use a domain account that has proper privileges to query group membership on the domain?
Yes, the users that have been added into dcomcnfg are domain admin users.
Should I use the MQ wizard instead?

Are you trying to authorize embedded groups in the mqm group?
No, there are no groups within the mqm group, only users (local and domain) are listed.
jefflowrey
Posted: Wed Nov 01, 2006 4:40 am

Grand Poobah

Joined: 16 Oct 2002
Posts: 19981

I guess I'm confused when you say "users were added to dcomcfg".

The only purpose I'm aware of for using dcomcfg with MQ is to set what user the actual MQ services (like the OAM) run as, as opposed to whatever service the MQ Windows Service starts as (which is set in the Services control panel and is usually "Local system"). This is only a single user, and is the user that will be presented to the domain when MQ tries to find out if a domain user is valid.

I'm sure you've reviewed http://publib.boulder.ibm.com/infocenter/wmqv6/v6r0/index.jsp?topic=/com.ibm.mq.amqtac.doc/cmqsa9.htm
but I'm posting it for completeness and "posterity".

Also, are you trying to authorize against the local mqm group or the domain mqm group?
paulgroo
Posted: Wed Nov 01, 2006 4:55 am

Centurion

Joined: 07 Jul 2005
Posts: 138
Location: Ireland

Sorry, I should have been clearer about the dcomcnfg stuff. Currently the "user account you want to run this application" is MUSR_MQADMIN, but under the Security tab there are three options for allowing users: Launch and activate permission, Access Permissions and Configuration Permissions. I've added two domain accounts into these three areas, although it doesn't seem to make much of a difference.

When you said "This is only a single user, and is the user that will be presented to the domain when MQ tries to find out if a domain user is valid",
do you mean, the MUSR_MQADMIN user should be defined as a domain user also? (I'm sorry, I think I'm getting a little confused about that).

I'm going to check with one of the Sys Admins to make sure they've enabled the Allow: read Group Membership, for any of the domain users that are trying to use the system.
jefflowrey
Posted: Wed Nov 01, 2006 5:10 am

Grand Poobah

Joined: 16 Oct 2002
Posts: 19981

Okay. I see what you mean about other users in dcomcfg.

That won't apply, I think. When a user tries to connect to MQ, using whatever mechanism, that user is validated by the OAM (running as the MQ service user) and not through dcomcfg.

MUSR_MQADMIN is the service id, all of the MQ services are going to run under that user.

Given everything else you've said, it looks like it's either an error connecting to the domain controller or a permissions error for MUSR_MQADMIN on the domain. Make sure both Read Group Membership and Read Group MembershipSAM are granted.

The "RPC Server" that the error message is complaining about is the domain controller, basically.
paulgroo
Posted: Wed Nov 01, 2006 5:13 am

Centurion

Joined: 07 Jul 2005
Posts: 138
Location: Ireland

I'll have a look around at a few of the permissions on groups/accounts on the domain.
Thanks, Jeff!
exerk
Posted: Thu Nov 02, 2006 5:59 am

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

Forgive me for asking, but was WMQ installed in Active Directory or local 'mode'?

The reason I'm asking is I was involved in testing AD/non-AD installation of WMQ at the installation where I work, and found that:

1. If installed in AD mode, local accounts cannot authenticate via the Domain Controller and therefore receive 'Not Authorised' errors.

2. If installed in local mode, AD accounts cannot authenticate with the local OAM and therefore receive 'Not Authorised' errors.

We've frequently found that the problem we have is that WMQ is installed in 'local' mode and operators log on using their domain accounts.

Or am I barking up the wrong tree?
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
paulgroo
Posted: Thu Nov 02, 2006 6:22 am

Centurion

Joined: 07 Jul 2005
Posts: 138
Location: Ireland

Hi there!
Yeah, that seems to be what's happening alright. I tried installing the software under my domain account to see if it would make a difference but we're just coming up against the same problems you've mentioned.
I think I may have gotten around it though, by explicitly adding the user's domain account into the local administrators group (and local mqm group).
paulgroo
Posted: Mon Nov 06, 2006 9:19 am

Centurion

Joined: 07 Jul 2005
Posts: 138
Location: Ireland

Right. I finally got to the bottom of this. It turns out that it was more of a Domain issue than an MQ issue, but here goes...

The DNS records needed to be refreshed. The system that I had installed MQ onto was pointing at an old and inaccessible DNS server. So when I ran through the "Preparing MQ" configuration, it kept coming back saying "check the network configuration and ensure that the domain controller can be contacted" (or similar). Once I got the Windows guys to check the DNS config and refresh the DNS information, everything was cool and the gang.
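A way to check for the root cause described in the post above (a stale DNS server making the domain controller unreachable, which surfaces in MQ as AMQ7227 "The RPC server is unavailable" and AMQ4036). This is an added example, not part of the original thread; it assumes PowerShell 4 or later on a domain-joined host, which is newer than the Windows 2003 server discussed here.

```powershell
# Added example. Assumes PowerShell 4+ on a domain-joined host (DnsClient and
# NetTCPIP modules); these cmdlets did not exist on Windows Server 2003.
$domain = (Get-CimInstance Win32_ComputerSystem).Domain

# 1. Does each DNS server this host is configured to use actually answer?
$dnsServers = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Select-Object -ExpandProperty ServerAddresses -Unique
foreach ($server in $dnsServers) {
    try {
        Resolve-DnsName -Name $domain -Server $server -DnsOnly -ErrorAction Stop | Out-Null
        Write-Output "OK    DNS server $server resolves $domain"
    } catch {
        Write-Output "FAIL  DNS server $server : $($_.Exception.Message)"
    }
}

# 2. Can the domain controllers be located through their SRV records?
$dcs = @(Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -ErrorAction SilentlyContinue |
    Where-Object { $_.Type -eq 'SRV' })
if ($dcs.Count -eq 0) {
    Write-Output "FAIL  no domain controller SRV records found for $domain"
}

# 3. Is the RPC endpoint mapper (TCP 135) reachable on each controller?
foreach ($dc in $dcs) {
    $reachable = Test-NetConnection -ComputerName $dc.NameTarget -Port 135 `
        -InformationLevel Quiet -WarningAction SilentlyContinue
    $status = if ($reachable) { 'OK   ' } else { 'FAIL ' }
    Write-Output "$status RPC endpoint mapper on $($dc.NameTarget)"
}
```

Run it on the MQ server itself, since it is the MQ service account on that host that has to reach the domain controller to validate domain users.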
jefflowrey
Posted: Mon Nov 06, 2006 9:23 am

Grand Poobah

Joined: 16 Oct 2002
Posts: 19981

So it was an error connecting to the Domain Controller, then.
jhues789
Posted: Wed Nov 08, 2006 9:46 am

Apprentice

Joined: 20 Jan 2004
Posts: 37
Location: Madison WI

jefflowrey wrote:
Are you trying to authorize embedded groups in the mqm group?



Is it a problem using embedded groups in the MQM group? I have a situation where if I don't add a user to the mqm group M071 will not connect to the server. Using a group would be so much easier than individual entries.
_________________
Any opinion expressed is mine, no matter where I got it from, and I retain
all rights to it, should it actually prove to be of any value.
-- DISCLAIMER
jefflowrey
Posted: Wed Nov 08, 2006 10:16 am

Grand Poobah

Joined: 16 Oct 2002
Posts: 19981

It simply doesn't work.
jhues789
Posted: Wed Nov 08, 2006 10:20 am

Apprentice

Joined: 20 Jan 2004
Posts: 37
Location: Madison WI

I was afraid of that!


Thanks so much for the quick reply.

Joan
jefflowrey
Posted: Wed Nov 08, 2006 10:30 am

Grand Poobah

Joined: 16 Oct 2002
Posts: 19981

But you should be able to create another group, and use setmqaut to give that group all the necessary permissions (possibly just +allmqi +alladm), instead of adding the users to MQM.
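The approach suggested in the post above (a separate group granted authority with setmqaut, so users do not need to be in mqm) could look like the following. This is an added example, not from the thread: the queue manager name QM1, the group mqops, the user EXAMPLE\alice and the queue names are placeholders, and it grants authority on named queues only rather than on every object.

```powershell
# Added example. QM1, mqops, EXAMPLE\alice and the queue names are placeholders.
$qmgr   = 'QM1'
$group  = 'mqops'
$queues = 'APP.REQUEST', 'APP.REPLY'

# Create a dedicated local group and add the domain user to it directly
# (a user, not a nested group: the thread reports that groups embedded in
# mqm do not work).
net localgroup $group /add
net localgroup $group 'EXAMPLE\alice' /add

# Authority on the queue manager object itself.
setmqaut -m $qmgr -t qmgr -g $group +allmqi +alladm

# Authority on the named queues only.
foreach ($q in $queues) {
    setmqaut -m $qmgr -n $q -t queue -g $group +allmqi +alladm
}

# Refresh security so the new authorities are picked up, then display
# what the group actually holds.
'REFRESH SECURITY' | runmqsc $qmgr
dspmqaut -m $qmgr -t qmgr -g $group
foreach ($q in $queues) {
    dspmqaut -m $qmgr -n $q -t queue -g $group
}
```

Comparing the dspmqaut output against what the users need makes it easy to trim +allmqi +alladm down to individual authorities later.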