MQSeries.net - General IBM MQ Support

Error moving to AD domain
sarabennet
Posted: Tue Jul 16, 2019 5:40 am    Post subject: Error moving to AD domain

Hi experts,

We are facing an issue when migrating from a local id to a Windows AD domain id for MQ 7.5. We are getting the below error in the MQ error logs. There was no change made to queue manager permissions other than starting MQ with the AD domain id instead of the local id. Could you please guide me on this, as I am a bit new to MQ.

CHLAUTH was disabled at the time

AMQ9557: Queue Manager User ID initialization failed.

Vitor
Posted: Tue Jul 16, 2019 5:54 am    Post subject: Re: Error moving to AD domain

sarabennet wrote:
There was no change made to queue manager permissions other than starting MQ with the AD domain id instead of the local id.

Why are you trying to migrate from a local id to a domain id, rather than adding the domain id to the local group?

What component is issuing this error? The most common reason for this is that the MQ service is trying to start before the AD service is available, hence the domain id doesn't work.

This is why I always use a local id for services
_________________
Honesty is the best policy.
Insanity is the best defence.
fjb_saper
Posted: Tue Jul 16, 2019 8:17 pm    Post subject: Re: Error moving to AD domain

Vitor wrote:
sarabennet wrote:
There was no change made to queue manager permissions other than starting MQ with the AD domain id instead of the local id.

Why are you trying to migrate from a local id to a domain id, rather than adding the domain id to the local group?

What component is issuing this error? The most common reason for this is that the MQ service is trying to start before the AD service is available, hence the domain id doesn't work.

This is why I always use a local id for services

Don't do that. Use the deferred start option for the services if you must...
And please remember, when you change the id or password, to run it through the Prepare MQ Wizard. Also look in the documentation; there are specific permissions the AD ID needs to have at the local and domain level.

Have fun
_________________
MQ & Broker admin
Vitor
Posted: Wed Jul 17, 2019 5:25 am    Post subject: Re: Error moving to AD domain

fjb_saper wrote:
Vitor wrote:
This is why I always use a local id for services

Don't do that. Use the deferred start option for the services if you must...

Oh, and that works so reliably. I've done that and made the AD service a pre-requisite for the MQ service and Windoze still tries to start MQ too soon because the AD service signals "I'm up" when it's finished starting, not when it's available for use. So MQ (and SQL Server, and DB2, and WAS, and <insert software name>) all try and validate the domain user while AD is synchronizing with the directory / staring into its navel / drinking coffee / working out the square root of -1 to 5 decimal places / waiting for my blood pressure to reach critical mass.

fjb_saper wrote:
Also look in the documentation; there are specific permissions the AD ID needs to have at the local and domain level.

This is a good catch.

I had forgotten (but agree completely) that such a domain user is not a "normal" user but requires a particular set-up, as my worthy associate points out.
_________________
Honesty is the best policy.
Insanity is the best defence.
sarabennet
Posted: Wed Jul 17, 2019 10:35 pm

Thank you all for the inputs.

Quote:
And please remember, when you change the id or password, to run it through the Prepare MQ Wizard. Also look in the documentation; there are specific permissions the AD ID needs to have at the local and domain level.

I have gone through the documentation. Will try this and get back.
fjb_saper
Posted: Thu Jul 18, 2019 8:33 pm    Post subject: Re: Error moving to AD domain

Vitor wrote:
fjb_saper wrote:
Vitor wrote:
This is why I always use a local id for services

Don't do that. Use the deferred start option for the services if you must...

Oh, and that works so reliably. I've done that and made the AD service a pre-requisite for the MQ service and Windoze still tries to start MQ too soon because the AD service signals "I'm up" when it's finished starting, not when it's available for use. So MQ (and SQL Server, and DB2, and WAS, and <insert software name>) all try and validate the domain user while AD is synchronizing with the directory / staring into its navel / drinking coffee / working out the square root of -1 to 5 decimal places / waiting for my blood pressure to reach critical mass.

fjb_saper wrote:
Also look in the documentation; there are specific permissions the AD ID needs to have at the local and domain level.

This is a good catch.

I had forgotten (but agree completely) that such a domain user is not a "normal" user but requires a particular set-up, as my worthy associate points out.

Well, there is the standard start-up of the service with dependencies, and then you can set up the service for deferred start-up (with or without dependencies). It will wait a little bit longer before trying to start up. A Windows guru can tell you what it is waiting on in this case...
_________________
MQ & Broker admin
Vitor
Posted: Fri Jul 19, 2019 3:45 am    Post subject: Re: Error moving to AD domain

fjb_saper wrote:
Vitor wrote:
fjb_saper wrote:
Vitor wrote:
This is why I always use a local id for services

Don't do that. Use the deferred start option for the services if you must...

Oh, and that works so reliably. I've done that and made the AD service a pre-requisite for the MQ service and Windoze still tries to start MQ too soon because the AD service signals "I'm up" when it's finished starting, not when it's available for use. So MQ (and SQL Server, and DB2, and WAS, and <insert software name>) all try and validate the domain user while AD is synchronizing with the directory / staring into its navel / drinking coffee / working out the square root of -1 to 5 decimal places / waiting for my blood pressure to reach critical mass.

fjb_saper wrote:
Also look in the documentation; there are specific permissions the AD ID needs to have at the local and domain level.

This is a good catch.

I had forgotten (but agree completely) that such a domain user is not a "normal" user but requires a particular set-up, as my worthy associate points out.

Well, there is the standard start-up of the service with dependencies, and then you can set up the service for deferred start-up (with or without dependencies). It will wait a little bit longer before trying to start up. A Windows guru can tell you what it is waiting on in this case...

I'll stick with Plan A - avoid putting queue managers on Windoze.
_________________
Honesty is the best policy.
Insanity is the best defence.
sarabennet
Posted: Thu Jul 25, 2019 9:33 pm

7/26/2019 1:47:44 - Process(2222.44) User(MQ_ADM) Program(amqzlaa0.exe)
Host(ABCDEF) Installation(Installation1)
VRMF(7.5.0.5) QMgr(QMADM)

AMQ8079: Access was denied when attempting to retrieve group membership
information for user 'appuser@AD1'.

EXPLANATION:
WebSphere MQ, running with the authority of user 'MQ_ADM@AD2', was
unable to retrieve group membership information for the specified user.
ACTION:
Ensure Active Directory access permissions allow user 'MQ_ADM@AD2' to
read group memberships for user 'appuser@AD1'. To retrieve group
membership information for a domain user, MQ must run with the authority of a
domain user and a domain controller must be available.


AMQ9557: Queue Manager User ID initialization failed.

EXPLANATION:
The call to initialize the User ID failed with CompCode 2 and Reason 2063.
ACTION:
Correct the error and try again.
exerk
Posted: Thu Jul 25, 2019 10:58 pm

sarabennet wrote:
...WebSphere MQ, running with the authority of user 'MQ_ADM@AD2', was unable to retrieve group membership information for the specified user.
ACTION:
Ensure Active Directory access permissions allow user 'MQ_ADM@AD2' to
read group memberships for user 'appuser@AD1'...

This suggests that the IDs are in different domains, and if so...
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
fjb_saper
Posted: Fri Jul 26, 2019 4:53 pm

The MQ service ID must have permission to read the group membership in both domains!
And then you may need to configure access permissions for both domains...
Do you cross-pollinate your domains?

I.e. group mqusers in domain A has users from both domain A and domain B?

_________________
MQ & Broker admin
sarabennet
Posted: Sat Jul 27, 2019 9:25 am

Quote:
The MQ service ID must have permission to read the group membership in both domains!

Yes, we have given ReadGroupMembership permissions to the MQ_ADM@AD1 id with which we have started MQ.

Quote:
And then you may need to configure access permissions for both domains...

How do we do that?

Quote:
Do you cross-pollinate your domains?

Not sure what that means.

Quote:
I.e. group mqusers in domain A has users from both domain A and domain B?

Yes.
exerk
Posted: Sun Jul 28, 2019 10:24 am

sarabennet wrote:
Quote:
And then you may need to configure access permissions for both domains...

How do we do that?

Talk to your domain admins; it's their job to set up cross-domain trusts - assuming your site allows it.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
fjb_saper
Posted: Sun Jul 28, 2019 12:43 pm

sarabennet wrote:
Quote:
The MQ service ID must have permission to read the group membership in both domains!

Yes, we have given ReadGroupMembership permissions to the MQ_ADM@AD1 id with which we have started MQ.

So did you grant that permission to MQ_ADM@AD1 only in AD1, or also in AD2?
_________________
MQ & Broker admin
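The thread names two preconditions for running a queue manager under a domain id: the MQ Windows service must start after the domain is usable (deferred start, dependencies, a domain account rather than a local one), and the service account must be able to read the target user's group membership in every domain involved, otherwise AMQ8079/AMQ9557 appear in the error log. The PowerShell script below is an added diagnostic written for this page, not code from the forum or from IBM; it assumes the MQ service is named MQ_Installation1 and uses constructed values (appuser, AD1) for the user being looked up. Run the second part while logged on as the service account (MQ_ADM) to reproduce what MQ does at start-up.

```powershell
# Constructed diagnostic for the two conditions discussed in the thread (not IBM's code).
# Assumptions: the MQ Windows service is 'MQ_Installation1' (check with Get-Service -DisplayName '*MQ*');
# the user and domain below are constructed sample values.
param(
    [string]$ServiceName  = 'MQ_Installation1',
    [string]$TargetUser   = 'appuser',   # sAMAccountName of the user MQ must resolve
    [string]$TargetDomain = 'AD1'        # domain that holds that user
)

# Part 1: how the MQ service starts and under which account it runs.
function Get-MqServiceStartup {
    param([string]$Name)
    $svc = Get-Service -Name $Name -ErrorAction Stop
    $cim = Get-CimInstance Win32_Service -Filter "Name='$Name'"
    # 'Automatic (Delayed Start)' is recorded as DelayedAutostart=1 under the service key.
    $reg = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\$Name" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Service      = $svc.Name
        StartType    = $svc.StartType                      # Automatic / Manual / Disabled
        DelayedStart = ($reg.DelayedAutostart -eq 1)       # the "deferred start" option
        RunsAs       = $cim.StartName                      # must be DOMAIN\user for domain lookups
        DependsOn    = ($svc.ServicesDependedOn.Name -join ', ')
    }
}

# Part 2: can the caller read the target user's group membership in the target domain?
# A failure here (access denied, no DC reachable) is what MQ reports as AMQ8079.
function Test-GroupMembershipRead {
    param([string]$Domain, [string]$User)
    Add-Type -AssemblyName System.DirectoryServices.AccountManagement
    $ctxType = [System.DirectoryServices.AccountManagement.ContextType]::Domain
    $ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext -ArgumentList $ctxType, $Domain
    try {
        $idType = [System.DirectoryServices.AccountManagement.IdentityType]::SamAccountName
        $p = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity($ctx, $idType, $User)
        if (-not $p) { throw "User $User not found in domain $Domain" }
        # GetAuthorizationGroups resolves nested and cross-domain groups, as MQ needs.
        $groups = $p.GetAuthorizationGroups() | ForEach-Object { $_.SamAccountName }
        [pscustomobject]@{ Caller = "$env:USERDOMAIN\$env:USERNAME"; Readable = $true; Groups = $groups }
    } catch {
        [pscustomobject]@{ Caller = "$env:USERDOMAIN\$env:USERNAME"; Readable = $false; Error = $_.Exception.Message }
    }
}

Get-MqServiceStartup -Name $ServiceName | Format-List
Test-GroupMembershipRead -Domain $TargetDomain -User $TargetUser | Format-List
```

If Part 2 reports Readable = False when run as the service account but True when run as a domain admin, the missing piece is the read permission (or trust) in that domain rather than anything in the queue manager's own authority records.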