andrewdev
Posted: Fri Dec 16, 2011 3:04 am Post subject: MQRC_NOT_AUTHORIZED - Advice please
Newbie
Joined: 16 Dec 2011 Posts: 3
We have an IBM MQ Series version 5 Server running on Windows 2000 in a Windows NT domain.
Channels are used to access the server from multiple platforms: Microsoft Windows, DEC Alpha VMS, DEC VAX VMS, IBM Mainframe.
We have not configured any channels to require authorization. The MCAUSER is blank in all cases. The MQM group exists in the domain but has no members.
This has been working well for more than 10 years.
We have recently had cause to create a new channel which is used by a version 6 client. When running on a Windows XP PC in the same NT domain or a trusted domain, the client connects and works as usual.
When trying to connect to the same channel from a client running on a Windows 2008 server that is not in a trusted Windows NT domain, we get the error MQRC_NOT_AUTHORIZED.
This is the case both when the Server is a member of an Active Directory Domain and when it is standalone.
Some advice on rectifying this problem would be greatly valued.
mqjeff
Posted: Fri Dec 16, 2011 3:10 am Post subject:
Grand Master
Joined: 25 Jun 2008 Posts: 17447
You could always open a PMR.
Except you're running completely unsupported versions of the software.
That is both a procedural issue and a significant business risk. The business requirements this system was built and configured to support have almost certainly changed in the ten years since you set it up, and you have not maintained it to stay current with those business requirements.
Just now adding a v6 client to the mix doesn't make things any better. You should really be adding a v7 client.
I'm sure you know all of the above, but I am at least putting it here so that other people who are likely to respond will have something *else* to say.
Presumably the application in question is actually a C language client application, or otherwise something that is properly using the OS-level user id that the process is running under. If it were a Java application, it would connect to the system you described as MUSR_MQADMIN, whether you wanted it to or not.
The only really safe way that you can solve this problem is to institute an MCAUSER, and then add in SSL to ensure that only the correct client applications can connect to the channel in question.
Your system is dangerously out of date and dangerously insecure.
mqjeff
Posted: Fri Dec 16, 2011 3:15 am Post subject:
Grand Master
Joined: 25 Jun 2008 Posts: 17447
Also, let's be clear. The issue you are experiencing is Windows and MQ acting correctly, from a Windows security point of view. The client application is presenting a userid that is not known to be trusted by the relevant NT domain being used, regardless of whether that domain is hosted in AD or not.
You've configured things to ensure that MQ will use the Windows domain to identify and secure users. You are now running into issues with users that are not trusted by the Windows domain you have named as the point of trust.
Again, the only way to resolve this is to replace user identification by OS-level ID with user identification by SSL certificate, and then use MCAUSER to map users into trusted ids in known roles.
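The channel configuration that the approach above amounts to, written out as an added MQSC example (not from any poster in this thread, and not tested against the original poster's system). It assumes MQ 5.3 or later MQSC syntax, a queue manager QM1 with an SSL key repository already populated, a SVRCONN channel named APP.SVRCONN, a local Windows account mqapp that the queue manager can resolve, a client certificate whose subject DN contains CN=app-client and O=EXAMPLE, and the cipher spec shown; all of those names are assumptions.

```mqsc
* Added example: pin the client's identity to its SSL certificate and map
* every connection on this channel to one known local user via MCAUSER.
* Queue manager name, channel name, key repository path, cipher spec,
* peer DN and the user mqapp are all assumed values.

* Key repository stem (no .kdb suffix); the path is an assumed location.
ALTER QMGR SSLKEYR('C:\mqm\qmgrs\QM1\ssl\key')

* SSLCAUTH(REQUIRED): the client must present a certificate.
* SSLPEER: only certificates matching this DN filter may start the channel.
* MCAUSER: whatever userid (or SID) the client flows is discarded and the
*          channel runs as mqapp, so untrusted-domain accounts never have to
*          be resolved by the queue manager's Windows domain.
DEFINE CHANNEL('APP.SVRCONN') CHLTYPE(SVRCONN) TRPTYPE(TCP) +
       SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA) +
       SSLCAUTH(REQUIRED) +
       SSLPEER('CN=app-client,O=EXAMPLE') +
       MCAUSER('mqapp') +
       REPLACE

* Confirm the attributes took effect before testing from the client.
DISPLAY CHANNEL('APP.SVRCONN') MCAUSER SSLCIPH SSLCAUTH SSLPEER
```

Run the script with `runmqsc QM1 < channel.mqsc` (file name assumed). Because every connection on the channel now runs as mqapp, that account needs explicit OAM authority, granted from a command prompt rather than MQSC, for example `setmqaut -m QM1 -t qmgr -p mqapp +connect +inq` for the queue manager and `setmqaut -m QM1 -t queue -n APP.REQUEST -p mqapp +put +get +inq` for each queue the application uses (queue name assumed). Keep the MCAUSER account out of the mqm group, so that a compromised client certificate yields only the application's queues and not administrative access.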
andrewdev
Posted: Fri Dec 16, 2011 3:29 am Post subject:
Newbie
Joined: 16 Dec 2011 Posts: 3
Thanks for your comments. We are aware of the age of the system, and in time that is something that will hopefully be addressed.
We chose to use a version 6 client as we were under the impression that there were problems using a version 7 client to connect to a version 5 server. A version 5 client with .NET interfaces was not available.
However, the version 6 client does connect successfully when connecting from a trusted NT domain.
I have tried adding an MCAUSER to the channel, but both the format "Domain\User" and "User@Domain" returned a string length error from RUNMQSC. Putting just the username in resulted in the same MQRC_NOT_AUTHORIZED error when attempting to connect.
andrewdev
Posted: Fri Dec 16, 2011 3:33 am Post subject:
Newbie
Joined: 16 Dec 2011 Posts: 3
What puzzles me is that clients from different operating systems which do not use Windows Authentication connect and work without problem.
I would like this client to connect in the same way.
JasonE
Posted: Fri Dec 16, 2011 3:57 am Post subject:
Grand Master
Joined: 03 Nov 2003 Posts: 1220 Location: Hursley
So what errors are logged in the system and qmgr error logs when this occurs?
Non-Windows OSs flow userids; these are looked up locally and converted to SIDs.
Windows OSs flow SIDs and userids. The SID is converted to a userid. This will fail for a non-trusted domain account, as you can't resolve it.