MQ Explorer Cross-Forest Authentication with MQ 8.0.0.3
Zodiac42
Posted: Wed Aug 31, 2016 6:36 am    Post subject: MQ Explorer Cross-Forest Authentication with MQ 8.0.0.3
Hi all,
Has anyone ever tried accessing a Windows queue manager via MQ Explorer in another subdomain of your organization?
Here's my situation:
We have a rather complex Windows domain forest with two adjacent root domains and several subdomains each. Admin accounts are always located in one of the root domains, whereas the users' workstations are in one subdomain and the resources (a.k.a. the servers) are located in another subdomain of the same forest.
According to our security staff I have to allow access to resources only to administrators, which puts me in the following dilemma:
AdminUser A in domain z.local has to start MQ Explorer on his workstation in subdomain a.z.local and access the queue manager in subdomain b.z.local.
(Does this even make sense the way I am describing it??)
So, to accomplish this I've set up an IDPWLDAP AuthInfo object on one of my test QMGRs. First things first: it doesn't work.
After lots of tracing and analyzing log files it seems that whatever I configure on the AuthInfo object, the answer from LDAP is always either user not found (ldap_search_failed), no SID returned, or ldap_get_values_failed. I've tried querying LDAP with the UPN (which is too long for the "equivalent short user" field, limited to 12 chars). I've also tried the query with the sAMAccountName, which is less than 12 characters but has no domain information, so... guess what... MQ doesn't use the provided domain info on the IDPWLDAP AuthInfo object, but instead uses the server's own domain, in which there is no such user...
I'm quite annoyed by this, as you can probably guess by the way I'm writing this, but not even IBM support can provide me with a reasonable solution. So my basic question is: has anyone ever tried to configure this, and if yes, HOW????
Hope this all makes sense.
Thank you all for reading this far.
Thanks a lot in advance for any suggestions.
Cheers, Pat
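As an added illustration (not configuration from the post, from IBM support, or from IBM documentation), here is what an IDPWLDAP AUTHINFO object that looks users up by sAMAccountName looks like in MQSC on an MQ 8.0 queue manager. The host name, port, base DN, bind account and password are assumptions. Two things are worth checking against any such definition. First, the server and the search base decide which domains the lookup can see at all: an ordinary LDAP port on a domain controller only answers for that controller's own domain partition, whereas a global catalog (port 3268, or 3269 over TLS) answers for every domain in the forest and holds sAMAccountName. Second, SHORTUSR must name an attribute whose values never exceed 12 characters, because that value becomes the identity MQ authorizes and puts into message context. Whether either of these was behind the poster's "user not found" results is not something the thread says.

```mqsc
* Added example, not from the thread. Assumed: a global catalog reachable
* as gc.z.local, a read-only bind account svc-mq-ldap, TLS on 3269 with the
* issuing CA already in the queue manager's key repository.
DEFINE AUTHINFO(AD.IDPWLDAP) AUTHTYPE(IDPWLDAP) +
       CONNAME('gc.z.local(3269)') +
       SECCOMM(YES) +
       LDAPUSER('CN=svc-mq-ldap,OU=Service Accounts,DC=z,DC=local') +
       LDAPPWD('<bind password>') +
       BASEDNU('DC=z,DC=local') +
       CLASSUSR('user') +
       USRFIELD('sAMAccountName') +
       SHORTUSR('sAMAccountName') +
       ADOPTCTX(YES) +
       CHCKCLNT(REQUIRED) +
       CHCKLOCL(OPTIONAL) +
       FAILDLAY(1) +
       DESCR('AD users by sAMAccountName via the global catalog') +
       REPLACE
* Point the queue manager at the object and make the change live.
ALTER QMGR CONNAUTH(AD.IDPWLDAP)
REFRESH SECURITY TYPE(CONNAUTH)
* Confirm what the queue manager actually holds (LDAPPWD is masked).
DISPLAY AUTHINFO(AD.IDPWLDAP) ALL
DISPLAY QMGR CONNAUTH
```

Test the path from a client rather than on the server: `runmqsc -c -u patadmin QM1` prompts for the password and connects through a SVRCONN channel, so it hits the same CHCKCLNT(REQUIRED) lookup that MQ Explorer does. A subtree search from DC=z,DC=local on the global catalog also returns objects of the child domains a.z.local and b.z.local, but the second tree root mentioned in the post lives under its own DN and is not covered by that base. The bind account only needs read access to user objects; give it nothing else. MQ verifies each client password by binding to LDAP as that user, so with SECCOMM(NO) both the bind password and every client password would cross the network in clear, and on MQ 8.0 the client's password also travels in clear over the SVRCONN channel unless that channel uses TLS.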
Vitor
Posted: Wed Aug 31, 2016 7:00 am
Are your Windows admins worried about downsizing or redundancy? Receiving treatment for paranoia?
You get points for:
Zodiac42 wrote:
> We have a rather complex Windows domain forest
You're a lock for the shortlist in "Understatement of the Year" and you can count on my vote.
What do your Windows admins suggest? What does MSoft support suggest (apart from upgrading everything and rebooting until the magic comes back)?
You might want to consider an alternative management tool; one that handles the kind of cross-domain authentication you need internally and shields MQ from it.
But it sounds like your Windows people have tied you in knots.
_________________
Honesty is the best policy.
Insanity is the best defence.
mqjeff
Posted: Wed Aug 31, 2016 7:12 am
It sounds like you're much better off using some kind of channel authentication rules, to map users in one subdomain to users in the other, or at least to map users that are allowed to connect to users on the local machine.
Then you don't (really) have to worry about dealing with cross-forest authentication. The MQ server knows about users in its forest, and the admin user running MQExplorer knows about the other.
You should be (?) able to use chlauth rules to disallow non-admin users (based on ldap dn) from connecting to any channels, and then map users that are allowed to connect to local users on the mq server, or users in the other forest (if there are any) or to users in the root.
Also, ask the windows admins how they are handling this with other systems...
_________________
chmod -R ugo-wx /
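An added example of the channel-authentication approach just suggested (my illustration, not mqjeff's or IBM's configuration). CHLAUTH records match on what the channel can see: the client user ID, the client IP address, a TLS certificate DN, or a remote queue manager name; an LDAP DN is not among them, so the key that singles out AdminUser A is the user ID that CONNAUTH has already authenticated. The channel name, user IDs and address pattern are assumptions.

```mqsc
* Added example, not from the thread. Assumed: a dedicated SVRCONN for
* administrators, admin workstations in 10.1.0.0/24 (written below as an
* MQSC address pattern), and a local Windows user 'mqexpadm' that is in the
* server's local mqm group.
DEFINE CHANNEL(ADMIN.SVRCONN) CHLTYPE(SVRCONN) TRPTYPE(TCP) +
       MCAUSER('nobody') +
       DESCR('MQ Explorer access for forest administrators') REPLACE
* 1. Backstop: everything on this channel is refused unless a more specific
*    record below maps it. The generic ADDRESS('*') record matches last.
SET CHLAUTH('ADMIN.SVRCONN') TYPE(ADDRESSMAP) ADDRESS('*') +
    USERSRC(NOACCESS) DESCR('Backstop: deny all') ACTION(REPLACE)
* 2. Map one authenticated admin, from the admin workstation range only, to
*    a local principal the server can resolve. CHCKCLNT(REQUIRED) on the
*    record means the CLNTUSER value must have passed CONNAUTH with a
*    password; a client cannot simply assert the ID.
SET CHLAUTH('ADMIN.SVRCONN') TYPE(USERMAP) CLNTUSER('patadmin') +
    ADDRESS('10.1.0.*') USERSRC(MAP) MCAUSER('mqexpadm') +
    CHCKCLNT(REQUIRED) DESCR('AdminUser A from a.z.local') ACTION(REPLACE)
* 3. The default record SET CHLAUTH('*') TYPE(BLOCKUSER) USERLIST('*MQADMIN')
*    is applied after mapping and would reject 'mqexpadm' because it is in
*    mqm. A channel-specific BLOCKUSER record takes precedence over the
*    generic one, so override it for this channel only; every other channel
*    stays covered by the default.
SET CHLAUTH('ADMIN.SVRCONN') TYPE(BLOCKUSER) USERLIST('nobody') +
    DESCR('Allow mqm members on the admin channel only') ACTION(REPLACE)
* Dry-run the rule set for one client without actually connecting.
DISPLAY CHLAUTH('ADMIN.SVRCONN') MATCH(RUNCHECK) +
        CLNTUSER('patadmin') ADDRESS('10.1.0.25')
```

One caveat when combining this with the CONNAUTH object: if that object has ADOPTCTX(YES), the authenticated identity (the SHORTUSR value) takes precedence over the MCAUSER set by the USERMAP record, so the effective user is then the directory identity rather than 'mqexpadm'. Pick one model, and confirm which ID a live connection ended up with using `DISPLAY CHSTATUS(ADMIN.SVRCONN) MCAUSER`.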
Zodiac42
Posted: Thu Sep 01, 2016 4:51 am
Thanks mqjeff,
I had never thought of using channel authentication for this.
I'll try that next.
Other systems can obviously cope with that, because I had to explain "what the problem was with my MQ setup". The answer was, simply put, that they had never got such a request, because it just simply works with other applications. Why wouldn't it??
fjb_saper
Posted: Thu Sep 01, 2016 9:47 pm
Does the MQ Service id have cross domain trust?
Can it query domain group membership in all domains?
_________________
MQ & Broker admin
Zodiac42
Posted: Thu Sep 01, 2016 11:56 pm
fjb_saper wrote:
> Does the MQ Service id have cross domain trust?
No, MQ runs with "Local System" privileges.
fjb_saper wrote:
> Can it query domain group membership in all domains?
LDAP queries are authenticated with an admin-level service user, which has all the necessary rights and privileges.
I forgot to mention that an appropriate LDAP object is returned from AD, but MQ doesn't recognize it as my MQ admin account (even though it is a member of the local mqm group).
mqjeff
Posted: Fri Sep 02, 2016 3:58 am
Zodiac42 wrote:
> fjb_saper wrote:
> > Does the MQ Service id have cross domain trust?
> No, MQ runs with "Local System" privileges
You can, unless I'm remembering wrong, change which user the MQ Service runs under.
This could then be a user that does have cross domain trust. And is in the local mqm group.
_________________
chmod -R ugo-wx /
Zodiac42
Posted: Fri Oct 21, 2016 6:34 am
Hooray, we solved it!
So, long story short: it works with MQ 9.0 and up.
Also you have to use server-local groups in which the users have to be direct members (no group nesting).
With this in mind I was able to authenticate a user over LDAP across our whole forest.
Not the most elegant way, but there is still room for improvement.
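The final post authorizes the LDAP-authenticated identity through its direct membership of a group defined on the MQ server itself. If that group is not mqm, or should not be, the authority records below are what a display-only MQ Explorer session needs; they are an added example in my words, not the poster's configuration, and the group name and queue manager name are assumptions (the two SYSTEM.* queues are the real ones MQ Explorer uses). This goes one step beyond the post: it gives a forest administrator a working MQ Explorer view of the queue manager without putting that account into mqm.

```mqsc
* Added example, not from the thread. Assumed: a server-local Windows group
* 'mqexplorer-ro' whose direct members are the forest admin accounts that
* should only look at QM1, never change it. No nesting, as the post found.
* Queue manager: connect, inquire and display.
SET AUTHREC OBJTYPE(QMGR) GROUP('mqexplorer-ro') AUTHADD(CONNECT,INQ,DSP)
* MQ Explorer drives everything through PCF: it puts commands on the
* command queue and reads replies from a temporary queue created from
* its reply model.
SET AUTHREC PROFILE('SYSTEM.ADMIN.COMMAND.QUEUE') OBJTYPE(QUEUE) +
    GROUP('mqexplorer-ro') AUTHADD(PUT)
SET AUTHREC PROFILE('SYSTEM.MQEXPLORER.REPLY.MODEL') OBJTYPE(QUEUE) +
    GROUP('mqexplorer-ro') AUTHADD(DSP,GET,INQ)
* Display only on everything else: no PUT, GET, SET, CRT or DLT anywhere.
* Extend the list to the remaining object types the group must see.
SET AUTHREC PROFILE('**') OBJTYPE(QUEUE)    GROUP('mqexplorer-ro') AUTHADD(DSP)
SET AUTHREC PROFILE('**') OBJTYPE(CHANNEL)  GROUP('mqexplorer-ro') AUTHADD(DSP)
SET AUTHREC PROFILE('**') OBJTYPE(LISTENER) GROUP('mqexplorer-ro') AUTHADD(DSP)
SET AUTHREC PROFILE('**') OBJTYPE(TOPIC)    GROUP('mqexplorer-ro') AUTHADD(DSP)
SET AUTHREC PROFILE('**') OBJTYPE(NAMELIST) GROUP('mqexplorer-ro') AUTHADD(DSP)
SET AUTHREC PROFILE('**') OBJTYPE(AUTHINFO) GROUP('mqexplorer-ro') AUTHADD(DSP)
* See what the group holds once the records are in place.
DISPLAY AUTHREC GROUP('mqexplorer-ro')
```

Verify with the actual user rather than the group, since the post's finding is that only direct membership counts: `dspmqaut -m QM1 -t qmgr -p patadmin` and `dspmqaut -m QM1 -n SYSTEM.ADMIN.COMMAND.QUEUE -t queue -p patadmin` show the authorities the queue manager resolves for that principal through its group memberships, and the names it reports are the ones to compare against the SHORTUSR value returned by the LDAP lookup. Keep mqm reserved for the accounts that administer the queue manager; an identity arriving over a client channel with mqm membership is exactly what the default `*MQADMIN` BLOCKUSER record exists to stop.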