| Author |
Message
|
| Heba_MQ |
 Posted: Tue Jun 23, 2020 3:38 am Post subject: IBM Prepare Wizard - Help Please |
 |
|
Apprentice
Joined: 19 Apr 2020
Posts: 39
|
Dears,
We are trying to rum mq prepare wizard and use an active directory service account to start up mq (we are in windows 2019) (MQ 9.1.5)
We always get this error :
"The user name specified does not have the authority that IBM Require"
"it must be configured with domain user that has the authority to query the group membership of other users"
We have created the AD user and group as per IBM Recommendations
- We create a Domain mqm group
- We give it read group membership and read group membershipSAM permissions
- We created user svc_MQM in this group
- When MQ is installed both the AD user svc_MQM and AD group Domain MQM got added automatically to local mqm group
What else should I check
Thanks
Heba |
|
| Back to top |
|
 |
| fjb_saper |
| Posted: Tue Jun 23, 2020 5:30 am Post subject: Re: IBM Prepare Wizard - Help Please |
|
|
Grand High Poobah
Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY
|
| Heba_MQ wrote: |
Dears,
We are trying to rum mq prepare wizard and use an active directory service account to start up mq (we are in windows 2019) (MQ 9.1.5)
We always get this error :
"The user name specified does not have the authority that IBM Require"
"it must be configured with domain user that has the authority to query the group membership of other users"
We have created the AD user and group as per IBM Recommendations
- We create a Domain mqm group
- We give it read group membership and read group membershipSAM permissions
- We created user svc_MQM in this group
- When MQ is installed both the AD user svc_MQM and AD group Domain MQM got added automatically to local mqm group
What else should I check
Thanks
Heba |
So the MQ Service user, (the one running the MQ service in the services.msc) is the one needing all those permissions plus a slew of permissions on the local server (about 7 different ones). You use the prepare MQ Wizard to change the service id. The service id needs to be in the same domain as the MQ Server. Enjoy 
_________________
MQ & Broker admin |
|
| Back to top |
|
|
| Heba_MQ |
| Posted: Tue Jun 23, 2020 7:15 am Post subject: |
|
|
Apprentice
Joined: 19 Apr 2020
Posts: 39
|
Yes... the domain user svc_MQM and domain group Domain mqm and the mq server are in the Active Directory same domain...
What else could be missed ?
Thanks
Heba |
|
| Back to top |
|
|
| exerk |
| Posted: Tue Jun 23, 2020 7:30 am Post subject: |
|
|
Jedi Council
Joined: 02 Nov 2006
Posts: 6339
|
| Heba_MQ wrote: |
Yes... the domain user svc_MQM and domain group Domain mqm and the mq server are in the Active Directory same domain...
What else could be missed ?
Thanks
Heba |
When you run the wizard, are you running it as user svc_MQM?
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
|
| Back to top |
|
|
| Heba_MQ |
| Posted: Tue Jun 23, 2020 8:10 am Post subject: |
|
|
Apprentice
Joined: 19 Apr 2020
Posts: 39
|
Dear exerk,
No, I run it with my windows user id that I used to install the MQ with....
What I understand is that the prepare wizard should adjust the authorization of all the mq folders and start up the MQ service with the svc_MQM after the prepare wizard did the work.
Is this wrong ?
Thanks
Heba |
|
| Back to top |
|
|
| exerk |
| Posted: Tue Jun 23, 2020 8:14 am Post subject: |
|
|
Jedi Council
Joined: 02 Nov 2006
Posts: 6339
|
| Heba_MQ wrote: |
| ...No, I run it with my windows user id that I used to install the MQ with... |
Are you a Domain Admin, or does your user id have the necessary level of authorisation to query group membership of other users?
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
|
| Back to top |
|
|
| fjb_saper |
| Posted: Tue Jun 23, 2020 11:27 am Post subject: |
|
|
Grand High Poobah
Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY
|
| Heba_MQ wrote: |
Yes... the domain user svc_MQM and domain group Domain mqm and the mq server are in the Active Directory same domain...
What else could be missed ?
Thanks
Heba |
The 7 local permissions needed by the service id...
_________________
MQ & Broker admin |
|
| Back to top |
|
|
| Heba_MQ |
| Posted: Wed Jun 24, 2020 12:49 am Post subject: |
|
|
Apprentice
Joined: 19 Apr 2020
Posts: 39
|
Hi Exerk
My user ID that I used to install the MQ with is a local admin on the MQ server only...
With this userid I should launch the prepare wizard and I entered the domain, the domain service account svc_MQM and its password....
The user name specified does not have the authority that IBM Require"
"it must be configured with domain user that has the authority to query the group membership of other users"
the svc_MQM is in the in the group "Domain mqm" and this "Domain mqm" has permission "read group membership" and "read group membershipSAM permissions"
Where is the trick...
Thanks
Heba |
|
| Back to top |
|
|
| exerk |
| Posted: Wed Jun 24, 2020 1:27 am Post subject: |
|
|
Jedi Council
Joined: 02 Nov 2006
Posts: 6339
|
| Heba_MQ wrote: |
Hi Exerk
My user ID that I used to install the MQ with is a local admin on the MQ server only...
With this userid I should launch the prepare wizard and I entered the domain, the domain service account svc_MQM and its password....
The user name specified does not have the authority that IBM Require"
"it must be configured with domain user that has the authority to query the group membership of other users"
the svc_MQM is in the in the group "Domain mqm" and this "Domain mqm" has permission "read group membership" and "read group membershipSAM permissions"
Where is the trick...
Thanks
Heba |
There is no trick!
As fjb_saper has already stated, you are probably missing THESE.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
|
| Back to top |
|
|
| Heba_MQ |
| Posted: Mon Jun 29, 2020 2:33 pm Post subject: |
|
|
Apprentice
Joined: 19 Apr 2020
Posts: 39
|
Dears,
We finally got it working....
The active directory team changed this:
Network access: Restrict clients allowed to make remote calls to SAM by granting remote RPC access to SAM for for the domain svc_MQM account...
The Prepare Wizard completed and service started... I was able to start up the qmgr without issues...but of course issues never end...I am about to raise my next question soon...Just wanted to update forum in case anyone else got similar issue....
Many thanks for your help.
Heba |
|
| Back to top |
|
|
| fjb_saper |
| Posted: Tue Jun 30, 2020 12:02 pm Post subject: |
|
|
Grand High Poobah
Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY
|
You might also want to set the security stanza in the qm.ini that's unique to windows and applies to your case.
_________________
MQ & Broker admin |
|
| Back to top |
|
|
|
|
