ASG
IBM
Zystems
Cressida
Icon
Netflexity
 
  MQSeries.net
Search  Search       Tech Exchange      Education      Certifications      Library      Info Center      SupportPacs      LinkedIn  Search  Search                                                                   FAQ  FAQ   Usergroups  Usergroups
 
Register  ::  Log in Log in to check your private messages
 
RSS Feed - WebSphere MQ Support RSS Feed - Message Broker Support

MQSeries.net Forum IndexIBM MQ Installation/Configuration Supportcrtmqm via PowerShell

Post new topicReply to topic
crtmqm via PowerShell View previous topic :: View next topic
Author Message
Snw
PostPosted: Wed Feb 22, 2017 12:22 am Post subject: crtmqm via PowerShell Reply with quote

Newbie

Joined: 21 Feb 2017
Posts: 3

Hi.
MQ 8.0.0.5
Windows Server 2012 R2

I installed the MQ server and configured according to the instruction: "Creating and setting up domain accounts for IBM MQ" - https://www.ibm.com/support/knowledgecenter/SSFKSJ_8.0.0/com.ibm.mq.ins.doc/q008840_.htm

Created group, created users, added users to groups, added the right for reading membership in group.
DC:





MQ Server:




At connection through RDP everything works as it is required, but at connection through PowerShell:

PS C:\Users\Build-agt>
[***]: PS C:\Users\build-agt\Documents> crtmqm TEST
crtmqm : AMQ8101: WebSphere MQ error (80F) has occurred.
+ CategoryInfo : NotSpecified: (AMQ8101: WebSph...) has occurred.:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError

2/22/2017 11:10:21 - Process(3556.1) User(build-agt) Program(crtmqm.exe) Host(***) Installation(Installation1) VRMF(8.0.0.5)

An internal WebSphere MQ error has occurred on queue manager TEST.

An error has been detected, and the WebSphere MQ error recording routine has been called. The failing process is process 3556.

Use the standard facilities supplied with your system to record the problem identifier and to save any generated output files. Use either the MQ Support site: ***, or IBM Support Assistant (ISA): ***, to see whether a solution is already available. If you are unable to find a match, contact your IBM support center. Do not discard these files until the problem has been resolved.


Event log:
2/22/2017 11:10:21 - Process(3556.1) User(build-agt) Program(crtmqm.exe) Host(***) Installation(Installation1) VRMF(8.0.0.5)

An internal WebSphere MQ error has occurred.

An internal error has occurred with identifier 2080080F. This message is issued in association with other messages.

Use the standard facilities supplied with your system to record the problem identifier and to save any generated output files. Use either the MQ Support site: ***, or IBM Support Assistant (ISA): ***, to see whether a solution is already available. If you are unable to find a match, contact your IBM support center. Do not discard these files until the problem has been resolved.



2/22/2017 11:10:21 - Process(3556.1) User(build-agt) Program(crtmqm.exe) Host(***) Installation(Installation1) VRMF(8.0.0.5) QMgr(TEST)

Access was denied when attempting to retrieve group membership information for user 'build-agt@***'.

WebSphere MQ, running with the authority of user 'build-agt@***', was unable to retrieve group membership information for the specified user.

Ensure Active Directory access permissions allow user 'build-agt@***' to read group memberships for user 'build-agt@***'. To retrieve group membership information for a domain user, MQ must run with the authority of a domain user and a domain controller must be available.

FDC:

Major Errorcode :- lrcE_SECURITY_ERROR |
| Minor Errorcode :- OK |
| Probe Type :- INCORROUT |
| Probe Severity :- 2 |
| Probe Description :- AMQ6125: An internal WebSphere MQ error has occurred. |
| FDCSequenceNumber :- 0 |
| Comment1 :- The local or domain user this WebSphere MQ command is |
| running under is not authorized, if running as domain user then please |
| ensure this user has all appropriate privileges on domain controller such |
| as query group membership


In what there can be a problem? What additional actions can help to reveal a problem on AD/MQ?


Last edited by Snw on Wed Feb 22, 2017 4:07 am; edited 3 times in total
Back to top
View user's profile Send private message
Snw
PostPosted: Wed Feb 22, 2017 12:40 am Post subject: Reply with quote

Newbie

Joined: 21 Feb 2017
Posts: 3

Used for service control Prepare IBM MQ wizard
Back to top
View user's profile Send private message
fjb_saper
PostPosted: Wed Feb 22, 2017 6:06 am Post subject: Reply with quote

Grand Poobah

Joined: 18 Nov 2003
Posts: 19433
Location: LI,NY

I have seen the 80F error before.
Usually when the user executing the command is not in the domain the MQ Server is a member of....
_________________
MQ & Broker admin
Back to top
View user's profile Send private message Send e-mail
Snw
PostPosted: Wed Feb 22, 2017 8:39 am Post subject: Reply with quote

Newbie

Joined: 21 Feb 2017
Posts: 3

fjb_saper wrote:
I have seen the 80F error before.
Usually when the user executing the command is not in the domain the MQ Server is a member of....


Really...
I hate Windows...
I work as the domain user, at connection via PowerShell enter specify domain credentials again, but nothing means to Windows! On the remote server I not in the domain!

For reading:

https://msdn.microsoft.com/ru-ru/library/ee309365(v=vs.85).aspx

http://serverfault.com/questions/203123/unable-able-to-run-remote-powershell-using-active-directory

Using CredSSP to execute the remote command it turned out, but it would be desirable after all the decision without credentials input, using the credentials current user.

If someone knows how to use credentials the current user, then I will be grateful to the hint...
Back to top
View user's profile Send private message
mqjeff
PostPosted: Wed Feb 22, 2017 8:54 am Post subject: Reply with quote

Grand Master

Joined: 25 Jun 2008
Posts: 17448

I think crtmqm requires membership in mqm or DOMAIN/mqm...

So you would need to do something to run your powershell - or the connection to the remote box - as a user in one of those groups.

You might be able to use the windows 'contact admin' - it's essentially like a sudo.
_________________
chmod -R ugo-wx /
Back to top
View user's profile Send private message
fjb_saper
PostPosted: Wed Feb 22, 2017 2:09 pm Post subject: Reply with quote

Grand Poobah

Joined: 18 Nov 2003
Posts: 19433
Location: LI,NY

mqjeff wrote:
I think crtmqm requires membership in mqm or DOMAIN/mqm...

So you would need to do something to run your powershell - or the connection to the remote box - as a user in one of those groups.

You might be able to use the windows 'contact admin' - it's essentially like a sudo.


You also have to be aware of cross-domain trust. Whereas windows uses this lightly, mq is not so much ok with it. That is you'd have to allow the service user to query the domain group membership in the cross domain as well as in the domain the MQ server is registered in.... Oh the pain of AD !!
_________________
MQ & Broker admin
Back to top
View user's profile Send private message Send e-mail
Display posts from previous:
Post new topicReply to topic Page 1 of 1

MQSeries.net Forum IndexIBM MQ Installation/Configuration Supportcrtmqm via PowerShell
Jump to:



You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
Protected by Anti-Spam ACP


Theme by Dustin Baccetti
Powered by phpBB 2001, 2002 phpBB Group

Copyright MQSeries.net. All rights reserved.