Heba_MQ |
Posted: Mon Jun 29, 2020 3:39 pm Post subject: Security disabled... Why I am getting 2035...what to do |
|
|
Apprentice
Joined: 19 Apr 2020 Posts: 39
|
Dears,
The qmgr is running as a Windows service with the cdev\svc_MQM Active Directory account... it was previously running with MUSR_MQADMIN.
I have a client application that must use the MQSERVER env var to connect to the queue manager... It cannot supply a user name and password for now.
Therefore I have disabled authorization as below:
ALTER QMGR CHLAUTH(DISABLED)
ALTER AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS) +
AUTHTYPE(IDPWOS) CHCKCLNT(NONE)
ALTER AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWLDAP) +
AUTHTYPE(IDPWOS) CHCKCLNT(NONE)
REFRESH SECURITY
The client is using the SVRCONN channel app.client to connect.
Now the client application is not able to connect any more... it is giving the below error:
----- cmqxrsrv.c : 2575 -------------------------------------------------------
6/30/2020 03:36:44 - Process(70540.403) User(svc_MQM) Program(amqzlaa0.exe)
Host(D1WVDESTMQS01) Installation(Installation1)
VRMF(9.1.5.0) QMgr(QMAMFD01)
Time(2020-06-29T23:36:44.514Z)
CommentInsert1(S-1-5-21-3143757116-208881770-900181659-2865)
CommentInsert2(cdev\svc_mqm)
AMQ8074W: Authorization failed as the SID
'S-1-5-21-3143757116-208881770-900181659-2865' does not match the entity
'cdev\svc_mqm'.
EXPLANATION:
The Object Authority Manager received inconsistent data - the supplied SID does
not match that of the supplied entity information.
ACTION:
Ensure that the application is supplying valid entity and SID information.
----- amqzfubn.c : 2293 -------------------------------------------------------
6/30/2020 03:36:44 - Process(13388.15988) User(svc_MQM) Program(amqrmppa.exe)
Host(D1WVDESTMQS01) Installation(Installation1)
VRMF(9.1.5.0) QMgr(QMAMFD01)
Time(2020-06-29T23:36:44.514Z)
ArithInsert1(2) ArithInsert2(2035)
CommentInsert1(cdev\svc_MQM)
AMQ9557E: Queue Manager User ID initialization failed for 'cdev\svc_MQM'.
EXPLANATION:
The call to initialize the User ID 'cdev\svc_MQM' failed with CompCode 2 and
Reason 2035. If an MQCSP block was used, the User ID in the MQCSP block was ''.
If a userID flow was used, the User ID in the UID header was '' and any CHLAUTH
rules applied prior to user adoption were evaluated case-sensitively against
this value.
ACTION:
Correct the error and try again.
----- cmqxrsrv.c : 2575 -------------------------------------------------------
Please help me
Thanks
Heba |
|
hughson |
Posted: Mon Jun 29, 2020 9:49 pm Post subject: |
|
|
 Padawan
Joined: 09 May 2013 Posts: 1959 Location: Bay of Plenty, New Zealand
|
Has the user ID cdev\svc_MQM been deleted and redefined recently?
Is the client application running on Windows? If yes, what is the user ID it is running with - as it will send that and the SID to the queue manager as part of the connection internal flows.
Cheers,
Morag _________________ Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software |
|
Heba_MQ |
Posted: Tue Jun 30, 2020 4:34 am Post subject: |
|
|
Apprentice
Joined: 19 Apr 2020 Posts: 39
|
Dear Morag,
I am using my own userid to log in to a Windows server to run rfhutilc.exe to query the queues on the queue manager...
Everything was working fine with MUSR_MQADMIN until we ran the prepare wizard and used the AD account svc_MQM.
Thanks
Heba |
|
hughson |
Posted: Wed Jul 01, 2020 1:11 am Post subject: |
|
|
 Padawan
Joined: 09 May 2013 Posts: 1959 Location: Bay of Plenty, New Zealand
|
hughson wrote: |
Has the user ID cdev\svc_MQM been deleted and redefined recently? |
And what about this question? |
|
Heba_MQ |
Posted: Wed Jul 01, 2020 1:57 am Post subject: |
|
|
Apprentice
Joined: 19 Apr 2020 Posts: 39
|
Dear Morag
cdev\svc_MQM was not deleted...
It is an Active Directory user and it should be the service account that we use to run MQ on Windows (same as mqm on Linux).
What happened is that the prepare wizard was giving me issues completing (it was reporting that "the user svc_MQM is not able to query group memberships of other users") and I had to keep the service running with MUSR_MQADMIN...
We checked with the AD team and svc_MQM has all the needed authorizations/permissions required by IBM.
After some time, the AD team allowed the policy "remote RPC access to SAM" for CDEV\svc_MQM and asked me to try.
When I tried, the prepare wizard worked fine... the service started with svc_MQM and the queue manager started fine.
- I was happy... But after that, remote connections from the client did not work...
Thanks
Heba |
|
hughson |
Posted: Wed Jul 01, 2020 2:11 am Post subject: Re: Security disabled... Why I am getting 2035...what to do |
|
|
 Padawan
Joined: 09 May 2013 Posts: 1959 Location: Bay of Plenty, New Zealand
|
Heba_MQ wrote: |
AMQ8074W: Authorization failed as the SID
'S-1-5-21-3143757116-208881770-900181659-2865' does not match the entity
'cdev\svc_mqm'. |
OK - so is this error telling the truth or not? What is the SID for user ID 'cdev\svc_mqm' on the queue manager machine? And just for interest's sake, check the same thing on the client machine; perhaps the SID is from there.
I found this command lists all the SIDs on a machine, but perhaps there are other ways too.
Code: |
wmic useraccount get name,sid |
Cheers,
Morag |
|
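The check asked for in the post above, as an added PowerShell example that is not part of the original thread: it pulls the SID and entity out of the AMQ8074W entry quoted earlier and asks Windows to resolve each one, so the same script can be run on the queue manager machine and on the client machine. The function names are hypothetical, and the .NET `NTAccount`/`SecurityIdentifier` `Translate` calls are used here in place of `wmic`.

```powershell
# Added example (not from the thread). Function names are hypothetical.
# $sampleLog is the AMQ8074W entry quoted in this thread; for real use pass the
# text of the queue manager's error log instead (Get-Content -Raw <path>).
$sampleLog = @'
AMQ8074W: Authorization failed as the SID
'S-1-5-21-3143757116-208881770-900181659-2865' does not match the entity
'cdev\svc_mqm'.
'@

function Get-Amq8074Pair {
    param([string]$LogText)
    # The message wraps across lines, so match any whitespace between its parts.
    $pattern = "AMQ8074W:.*?SID\s+'(?<sid>S-[\d-]+)'\s+does\s+not\s+match\s+the\s+entity\s+'(?<entity>[^']+)'"
    [regex]::Matches($LogText, $pattern, 'Singleline') | ForEach-Object {
        [pscustomobject]@{ Sid = $_.Groups['sid'].Value; Entity = $_.Groups['entity'].Value }
    } | Sort-Object Sid, Entity -Unique   # drop repeats of the same entry
}

function Resolve-Identity {
    param($Identity, [type]$TargetType)
    # Translate() throws when this machine cannot map the name or SID; return $null then.
    try { $Identity.Translate($TargetType).Value } catch { $null }
}

function Test-Amq8074 {
    param([string]$LogText)
    $sidType  = [System.Security.Principal.SecurityIdentifier]
    $nameType = [System.Security.Principal.NTAccount]
    foreach ($p in Get-Amq8074Pair $LogText) {
        $sidOfEntity = Resolve-Identity ($nameType::new($p.Entity)) $sidType
        [pscustomobject]@{
            Entity         = $p.Entity
            SidInLog       = $p.Sid
            SidOfEntity    = $sidOfEntity      # what this machine maps the name to
            NameOfSidInLog = Resolve-Identity ($sidType::new($p.Sid)) $nameType
            Match          = ($null -ne $sidOfEntity) -and ($sidOfEntity -eq $p.Sid)
        }
    }
}

Test-Amq8074 $sampleLog | Format-List
```

A row with `Match` false and `SidOfEntity` populated means the SID in the log belongs to some other account, and `NameOfSidInLog` shows which one if this machine can resolve it. Blank values mean the machine could not map that name or SID at all.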
fjb_saper |
Posted: Wed Jul 01, 2020 4:28 am Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
Also, you need to do a refresh security type(connauth).
The refresh security you did will not do.
Run
Code: |
amqmdain reg qmname -c display -s security -v * |
and let us know the results...
 _________________ MQ & Broker admin |
|