paulgroo |
Posted: Wed Nov 01, 2006 4:04 am Post subject: RESOLVED: Access Not Authorized. You are Not Authorized. |
|
|
 Centurion
Joined: 07 Jul 2005 Posts: 138 Location: Ireland
|
Hi everyone. I've found a few other posts that have a similar problem to the one I'm having, but don't quite hit the nail on the head. So here goes...
I've installed MQ 5.3 onto a Windows 2003 server. When I log in locally with an account with admin privileges everything is fine. I can see the queue manager, stop and start it, see all the queues/channels, etc.
However, when I log in with a domain account (which has been added to the local administrators and mqm groups) I can see the queue manager but it won't allow me to see the queues and channels. When I choose 'connect' in the MQ Explorer window I get an "Access Not Authorized. You are Not Authorized to perform this operation. (AMQ4036)".
When I check in the AMQERR logs I can see a number of errors:
AMQ7227: WebSphere MQ encountered the following network error: The RPC server is unavailable.
I've tried a number of things like adding the groups explicitly in the Dcomcnfg but still the same problem.
Please help, this is beginning to affect my mojo in a bad way.
Last edited by paulgroo on Mon Nov 06, 2006 9:16 am; edited 1 time in total |
|
jefflowrey |
Posted: Wed Nov 01, 2006 4:15 am Post subject: |
|
|
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981
|
Did you run refresh security after changing the membership of mqm?
Did you configure dcomcnfg (or run the prepare mq wizard) to use a domain account that has proper privileges to query group membership on the domain?
Are you trying to authorize embedded groups in the mqm group? _________________ I am *not* the model of the modern major general. |
|
paulgroo |
Posted: Wed Nov 01, 2006 4:22 am Post subject: |
|
|
 Centurion
Joined: 07 Jul 2005 Posts: 138 Location: Ireland
|
Hi Jeff,
Thanks for your reply! I've put my answers to your questions below:
Did you run refresh security after changing the membership of mqm?
Yes, I've run the refresh command after each change to the mqm group.
Did you configure dcomcnfg (or run the prepare mq wizard) to use a domain account that has proper privileges to query group membership on the domain?
Yes, the users that have been added into dcomcnfg are domain admin users.
Should I use the MQ wizard instead?
Are you trying to authorize embedded groups in the mqm group?
No, there are no groups within the mqm group, only users (local and domain) are listed. |
|
jefflowrey |
Posted: Wed Nov 01, 2006 4:40 am Post subject: |
|
|
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981
|
I guess I'm confused when you say "users were added to dcomcnfg".
The only purpose I'm aware of for using dcomcnfg with MQ is to set what user the actual MQ services (like the OAM) run as, as opposed to whatever service the MQ Windows Service starts as (which is set in the Services control panel and is usually "Local system"). This is only a single user, and is the user that will be presented to the domain when MQ tries to find out if a domain user is valid.
I'm sure you've reviewed http://publib.boulder.ibm.com/infocenter/wmqv6/v6r0/index.jsp?topic=/com.ibm.mq.amqtac.doc/cmqsa9.htm
but I'm posting it for completeness and "posterity".
Also, are you trying to authorize against the local mqm group or the domain mqm group? _________________ I am *not* the model of the modern major general. |
|
paulgroo |
Posted: Wed Nov 01, 2006 4:55 am Post subject: |
|
|
 Centurion
Joined: 07 Jul 2005 Posts: 138 Location: Ireland
|
Sorry, I should have been clearer about the dcomcnfg stuff. Currently the "user account you want to run this application" is MUSR_MQADMIN, but under the Security tab there are three options for allowing users: Launch and Activate Permissions, Access Permissions and Configuration Permissions. I've added two domain accounts into these three areas, although it doesn't seem to make much of a difference.
When you said "This is only a single user, and is the user that will be presented to the domain when MQ tries to find out if a domain user is valid",
do you mean, the MUSR_MQADMIN user should be defined as a domain user also? (I'm sorry, I think I'm getting a little confused about that).
I'm going to check with one of the Sys Admins to make sure they've enabled the Allow: read Group Membership, for any of the domain users that are trying to use the system. |
|
jefflowrey |
Posted: Wed Nov 01, 2006 5:10 am Post subject: |
|
|
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981
|
Okay. I see what you mean about other users in dcomcnfg.
That won't apply, I think. When a user tries to connect to MQ, using whatever mechanism, that user is validated by the OAM (running as the MQ service user) and not through dcomcnfg.
MUSR_MQADMIN is the service id, all of the MQ services are going to run under that user.
Given everything else you've said, it looks like it's either an error connecting to the domain controller or a permissions error for MUSR_MQADMIN on the domain. Make sure both Read Group Membership and Read Group MembershipSAM are granted.
The "RPC Server" that the error message is complaining about is the domain controller, basically. _________________ I am *not* the model of the modern major general. |
|
paulgroo |
Posted: Wed Nov 01, 2006 5:13 am Post subject: |
|
|
 Centurion
Joined: 07 Jul 2005 Posts: 138 Location: Ireland
|
I'll have a look around at a few of the permissions on groups/accounts on the domain.
Thanks Jeff! |
|
exerk |
Posted: Thu Nov 02, 2006 5:59 am Post subject: |
|
|
 Jedi Council
Joined: 02 Nov 2006 Posts: 6339
|
Forgive me for asking, but was WMQ installed in Active Directory or local 'mode'?
The reason I'm asking is I was involved in testing AD/non-AD installation of WMQ at the installation where I work, and found that:
1. If installed in AD mode, local accounts cannot authenticate via the Domain Controller and therefore receive 'Not Authorised' errors.
2. If installed in local mode, AD accounts cannot authenticate with the local OAM and therefore receive 'Not Authorised' errors.
We've frequently found that the problem we have is that WMQ is installed in 'local' mode and operators log on using their domain accounts.
Or am I barking up the wrong tree? _________________ It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
|
paulgroo |
Posted: Thu Nov 02, 2006 6:22 am Post subject: |
|
|
 Centurion
Joined: 07 Jul 2005 Posts: 138 Location: Ireland
|
Hi there!
Yeah, that seems to be what's happening alright. I tried installing the software under my domain account to see if it would make a difference but we're just coming up against the same problems you've mentioned.
I think I may have gotten around it though, by explicitly adding the user's domain account into the local administrators group (and local mqm group). |
|
paulgroo |
Posted: Mon Nov 06, 2006 9:19 am Post subject: |
|
|
 Centurion
Joined: 07 Jul 2005 Posts: 138 Location: Ireland
|
Right. I finally got to the bottom of this. It turns out that it was more of a Domain issue than an MQ issue, but here goes...
The DNS records needed to be refreshed. The system that I had installed MQ onto was pointing at an old and inaccessible DNS server. So when I ran through the "Preparing MQ" configuration, it kept coming back saying "check the network configuration and ensure that the domain controller can be contacted" (or similar). Once I got the Windows guys to check the DNS config and refresh the DNS information, everything was cool and the gang. |
|
jefflowrey |
Posted: Mon Nov 06, 2006 9:23 am Post subject: |
|
|
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981
|
So it was an error connecting to the Domain Controller, then. _________________ I am *not* the model of the modern major general. |
|
jhues789 |
Posted: Wed Nov 08, 2006 9:46 am Post subject: |
|
|
 Apprentice
Joined: 20 Jan 2004 Posts: 37 Location: Madison WI
|
jefflowrey wrote: |
Are you trying to authorize embedded groups in the mqm group? |
Is it a problem using embedded groups in the MQM group? I have a situation where if I don't add a user to the mqm group M071 will not connect to the server. Using a group would be so much easier than individual entries. _________________ Any opinion expressed is mine, no matter where I got it from, and I retain
all rights to it, should it actually prove to be of any value.
-- DISCLAIMER |
|
jefflowrey |
Posted: Wed Nov 08, 2006 10:16 am Post subject: |
|
|
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981
|
It simply doesn't work. _________________ I am *not* the model of the modern major general. |
|
jhues789 |
Posted: Wed Nov 08, 2006 10:20 am Post subject: |
|
|
 Apprentice
Joined: 20 Jan 2004 Posts: 37 Location: Madison WI
|
I was afraid of that!
Thanks so much for the quick reply.
Joan _________________ Any opinion expressed is mine, no matter where I got it from, and I retain
all rights to it, should it actually prove to be of any value.
-- DISCLAIMER |
|
jefflowrey |
Posted: Wed Nov 08, 2006 10:30 am Post subject: |
|
|
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981
|
But you should be able to create another group, and use setmqaut to give that group all the necessary permissions (possibly just +allmqi +alladm), instead of adding the users to MQM. _________________ I am *not* the model of the modern major general. |
|
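The approach suggested in the last reply, sketched as an added example that is not part of the original thread: a separate local group is granted authority with setmqaut instead of being placed in mqm. The queue manager name QM1, the group name mqopers and the account EXAMPLE\jdoe are placeholders chosen for illustration.

```bat
REM Added example, not from the thread.
REM QM1, mqopers and EXAMPLE\jdoe are placeholders.

REM 1. Create a local group and add the domain user to it directly
REM    (users only; the thread notes that embedded groups do not work in mqm).
net localgroup mqopers /add
net localgroup mqopers EXAMPLE\jdoe /add

REM 2. Grant authority on the queue manager object itself.
setmqaut -m QM1 -t qmgr -g mqopers +allmqi +alladm

REM 3. Grant authority on queues through a generic profile.
setmqaut -m QM1 -n ** -t queue -g mqopers +allmqi +alladm

REM 4. Make the queue manager re-read its authorization data.
echo REFRESH SECURITY | runmqsc QM1

REM 5. Verify what the group actually holds before handing it to users.
dspmqaut -m QM1 -t qmgr -g mqopers
dspmqaut -m QM1 -n SYSTEM.DEFAULT.LOCAL.QUEUE -t queue -g mqopers
```

Granting +allmqi +alladm on every queue is close to full administrative access; narrowing the -n profile and the authorization list keeps the group to what its members need.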