cpeele
Posted: Fri Apr 20, 2007 10:28 am Post subject: A principal or group name was invalid?
Acolyte. Joined: 04 Apr 2007. Posts: 53

Hey guys. I am trying to get my client app I wrote on my local machine to connect to the MQ server on our dev server. It's got a default configuration from the default configuration wizard.
I know I need to give my userID access to that QM but it is not working.
Here's what I have:
setmqaut -m QM_example -t qmgr -p Billy.BoB@domain.com +connect
billy.bob@domain.com being the user ID that I logged on to the client computer running my XMS.NET application. This command was entered on the MQ server.
I receive the following: AMQ7026: A principal or group name was invalid
Do I need to add my username to a group first?
Thanks!

Michael Dag
Posted: Fri Apr 20, 2007 1:14 pm
Jedi Knight. Joined: 13 Jun 2002. Posts: 2607. Location: The Netherlands (Amsterdam)

You are running setmqaut on the server I hope...
Does the server know the id Billy.Bob or billy.bob, i.e. is it in a domain?
Is MQ installed domain aware?
_________________
Michael
MQSystems Facebook page

cpeele
Posted: Mon Apr 23, 2007 5:37 am
Acolyte. Joined: 04 Apr 2007. Posts: 53

Yes, I am running it from the server.
Here's the thing. It is a domain account; however, our network guys do not want MQ domain aware, so it is not configured to authenticate via domain accounts.
Do I create a local account on the server with my domain username?

jefflowrey
Posted: Mon Apr 23, 2007 5:40 am
Grand Poobah. Joined: 16 Oct 2002. Posts: 19981

Are your network guys in a position to decide if the business requirements for using MQ allow for it to be run without using domain accounts?
_________________
I am *not* the model of the modern major general.

Vitor
Posted: Mon Apr 23, 2007 5:41 am
Grand High Poobah. Joined: 11 Nov 2005. Posts: 26093. Location: Texas, USA

cpeele wrote:
> Here's the thing. It is a domain account; however, our network guys do not want MQ domain aware, so it is not configured to authenticate via domain accounts.

I think your next step should be to ask the network people what their justification is for not making MQ domain aware, and how they see MQ user authentication being done in the security model they're enforcing.
_________________
Honesty is the best policy.
Insanity is the best defence.

cpeele
Posted: Mon Apr 23, 2007 7:14 am
Acolyte. Joined: 04 Apr 2007. Posts: 53

Thanks but they are not budging. How else can I accomplish this?

Vitor
Posted: Mon Apr 23, 2007 7:23 am
Grand High Poobah. Joined: 11 Nov 2005. Posts: 26093. Location: Texas, USA

cpeele wrote:
> Thanks but they are not budging. How else can I accomplish this?

No one said they had to budge. What they do need to do is explain, in the absence of domain awareness, how they expect user security to work. It's their security model, they need to apply it to your situation. There are a number of things they can do, far fewer that you can do, and all must conform to your site's audit & security standards. These must also tie up with your business's operational needs. They can't just sit there and say "you can't do that" without providing an alternative.
_________________
Honesty is the best policy.
Insanity is the best defence.

cpeele
Posted: Mon Apr 23, 2007 7:40 am
Acolyte. Joined: 04 Apr 2007. Posts: 53

Thanks again for responding. Here's the thing though. We have two dev MQ servers set up. I was able to get both of them to send messages to one another using the default installation wizard and the MQI postcard sample. Why do I have to do something different (domain access wise) for my client application to connect?
Thanks!

Vitor
Posted: Mon Apr 23, 2007 7:55 am
Grand High Poobah. Joined: 11 Nov 2005. Posts: 26093. Location: Texas, USA

Because there are a number of different configuration options that can be used on the server/network side. The postcard sample employs one of a number of connection strategies.
This piece of string can be cut to any length you see fit.
_________________
Honesty is the best policy.
Insanity is the best defence.

cpeele
Posted: Mon Apr 23, 2007 8:03 am
Acolyte. Joined: 04 Apr 2007. Posts: 53

OK, based on the above information I provided you, and other than providing some sort of domain access, how would you cut the string? (i.e. example commands or configuration)
Thanks,
Chris

Vitor
Posted: Mon Apr 23, 2007 8:08 am
Grand High Poobah. Joined: 11 Nov 2005. Posts: 26093. Location: Texas, USA

If it was me, I'd create a local user id ("appuser"), authorise that user id +allapi and put that user id in the MCAUser field.
But that's just me. A lot of places don't like that because it opens the queue manager to any application linked to a client library.
_________________
Honesty is the best policy.
Insanity is the best defence.

cpeele
Posted: Mon Apr 23, 2007 8:11 am
Acolyte. Joined: 04 Apr 2007. Posts: 53

OK, when my client app connects from my local PC logged in as billy.bob@domain.com, how is the local user account "appuser" on the server going to know to grant billy.bob@domain.com access via this local account?
Hope that made sense.
Thanks!

Vitor
Posted: Mon Apr 23, 2007 8:16 am
Grand High Poobah. Joined: 11 Nov 2005. Posts: 26093. Location: Texas, USA

It won't - it'll use appuser to check authorisation. My comment "opens the queue manager to anything linked with a client library" refers.
This is another reason a lot of sites don't like doing this.
_________________
Honesty is the best policy.
Insanity is the best defence.

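Vitor's suggestion (a local "appuser", authorised, placed in the MCAUser field of the server-connection channel) and his caveat that every client on that channel is then authorised as appuser, worked through as an added example that is not from the thread: a script that generates, without running, the setmqaut and MQSC commands, with a connect/inquire plus per-queue put/get grant shown beside the +allapi grant he names. QM_example is the queue manager from the thread; the channel APP.SVRCONN, the account appuser and the queues APP.REQUEST / APP.REPLY are assumed names, and appuser must already exist as a local account on the MQ server, since setmqaut rejects a principal the OS does not know with AMQ7026 (the error in the first post).

```shell
#!/bin/sh
# Added example, not from the thread. Generates (does not run) the commands for
# the "local appuser pinned in MCAUSER" approach. Assumed names: APP.SVRCONN,
# appuser, APP.REQUEST, APP.REPLY. QM_example is the queue manager from the thread.
# The local account appuser must already exist on the MQ server: setmqaut
# rejects a principal the OS does not know (AMQ7026, the error in the first post).

qm="${1:-QM_example}"
chl="${2:-APP.SVRCONN}"
user="${3:-appuser}"
queues="${4:-APP.REQUEST APP.REPLY}"

# What the thread proposes: +allapi on the queue manager. On a qmgr object that
# includes +altusr and +set, far more than a put/get client needs, and with
# MCAUSER set every client on the channel inherits it.
broad_qmgr_auth() {
    printf 'setmqaut -m %s -t qmgr -p %s +allapi\n' "$qm" "$user"
}

# Narrower alternative: the queue manager grants connect/inquire only ...
qmgr_auth() {
    printf 'setmqaut -m %s -t qmgr -p %s +connect +inq\n' "$qm" "$user"
}

# ... and each named queue grants exactly the operations the client performs.
queue_auth() {
    for q in $queues; do
        printf 'setmqaut -m %s -t queue -n %s -p %s +put +get +inq +browse\n' \
            "$qm" "$q" "$user"
    done
}

# Dedicated SVRCONN whose MCAUSER replaces whatever id the client presents
# (billy.bob@domain.com in the thread) with appuser before authorisation.
# A dedicated channel keeps this effect off SYSTEM.DEF.SVRCONN and the others.
mcauser_mqsc() {
    printf "DEFINE CHANNEL(%s) CHLTYPE(SVRCONN) TRPTYPE(TCP) MCAUSER('%s') REPLACE\n" \
        "$chl" "$user"
}

# Emit the whole change set for review; the MQSC part is piped into runmqsc.
generate_all() {
    qmgr_auth
    queue_auth
    printf 'runmqsc %s <<MQSC\n' "$qm"
    mcauser_mqsc
    printf 'END\nMQSC\n'
}

generate_all
```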
Vitor
Posted: Mon Apr 23, 2007 8:18 am
Grand High Poobah. Joined: 11 Nov 2005. Posts: 26093. Location: Texas, USA

cpeele wrote:
> OK, when my client app connects from my local PC logged in as billy.bob@domain.com, how is the local user account "appuser" on the server going to know to grant billy.bob@domain.com access via this local account?

If you want to achieve something like this, you'll need a security exit or similar. This is not a straightforward task.
_________________
Honesty is the best policy.
Insanity is the best defence.

tleichen
Posted: Mon Apr 23, 2007 11:30 am
Yatiri. Joined: 11 Apr 2005. Posts: 663. Location: Center of the USA

I've seen this type of thing several times. If your network people are fighting you every inch of the way, then this needs to be brought up to your management. Vitor is right when he said that what they do need to do is explain, in the absence of domain awareness, how they expect user security to work. Not only to you, but to your (and supposedly their) management. If the two are not the same, then you're not talking to high enough level management. Trust me. You can waste an awful lot of time until you get this issue resolved.
_________________
IBM Certified MQSeries Specialist
IBM Certified MQSeries Developer