Permission error
sabu21s
Posted: Wed Dec 10, 2003 11:41 am    Post subject: Permission error

Apprentice

Joined: 01 Oct 2003
Posts: 27
Location: Atlanta

Hi,
I have installed MQSeries 5.1 on a Windows server in a domain. When I create the queue manager and then try connecting, it gives me an AMQ4036 error, and when I check the Event Viewer this is the message:

Description:
Access was denied when attempting to retrieve group membership information for user 'exbatl@crossmark'.

MQSeries, running with the authority of user 'musr_mqadmin@athens', was unable to retrieve group membership information for the specified user.

Ensure Active Directory access permissions allow user 'musr_mqadmin@athens' to read group memberships for user 'exbatl@crossmark'. To retrieve group membership information for a domain user, MQSeries must run with the authority of a domain user.

Now since this server is a local server within the domain, I went to the PDC and gave all the permissions, but I am still having this same error.
Any help or suggestions would be appreciated.
Thanks
Sabu S

JasonE
Posted: Wed Dec 10, 2003 2:42 pm

Grand Master

Joined: 03 Nov 2003
Posts: 1220
Location: Hursley

Look in the 5.3 manuals (or 5.2.1) about delegate authority; they should be online somewhere. The problem is the created userid is not known to the domain controller, and hence, due to a change in the default rights in Win2k Active Directory, MQ cannot query group memberships unless explicitly authorized.

Summary: Define a domain userid, put it in a domain global group "Domain MQM", and ensure Domain MQM is added to the local mqm group. Give that Domain MQM group delegate authority on the PDC, and then configure MQ to run under that userid (dcomcnfg, identity tab for MQ).

However the fact you are installing a NEW 5.1 server makes me shiver - it went out of support years ago!

sabu21s
Posted: Wed Dec 10, 2003 3:29 pm

Apprentice

Joined: 01 Oct 2003
Posts: 27
Location: Atlanta

Hey Jason,
I tried what you said, but it still gives me that same error that I am not authorized. I did the delegate part from this link:

http://www-3.ibm.com/software/integration/mqfamily/support/faqs/w2k.html#w2kfaq1
OR

To use the Active Directory Wizard to allow 'Domain mqm' group members to read group membership information of an arbitrary user:

In Active Directory Users and Computers, select the domain name, eg mqdev.hursley.ibm.com, and press the right mouse button.
Select "Delegate Control ...", then press [Next].
Select Groups and Users (press [Add], highlight "Domain mqm" and press [Add]), press [OK].
Highlight the Domain mqm selection and press [Next].
Check the "Create a custom task to delegate" and press [Next].
Check "Only the following objects in the folder" and then search down under object types for "User objects" (It is alphabetical, so just go to the last one).
Check User Objects and press [Next].
Check "Property-specific" and then search down (these are sorted alphabetically on the second word) to:

Read Group Membership
Read groupMembershipSAM

Check both of these, then press [Next].
Press [Finish].
Thanks
Sabu

JasonE
Posted: Thu Dec 11, 2003 2:09 am

Grand Master

Joined: 03 Nov 2003
Posts: 1220
Location: Hursley

Just to confirm, did you do the following?

Created a domain userid
Put domain userid in 'Domain mqm'
Ensure 'Domain mqm' is in the local mqm group on the server in question
Configure MQ to run under that Domain userid (dcomcnfg)
Restart the machine?

What's the error message look like now?
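
A read-only way to confirm the group nesting and the delegation from the checklist above, as an added example that is not part of the original posts. The domain DN `DC=example,DC=com` and the userid `mqsvc` are placeholder assumptions, and `dsacls` must be installed (it ships with the Active Directory administration tools).

```powershell
# Added example: read-only checks for the setup described in this thread.
# Placeholder values (assumptions, not taken from the thread): replace before use.
$DomainDN = 'DC=example,DC=com'   # distinguished name of the domain delegated in the wizard
$SvcUser  = 'mqsvc'               # domain userid that MQ is configured to run under
$Group    = 'Domain mqm'          # domain global group named in the thread
$Local    = 'mqm'                 # local group on the MQ server

function Test-Output {
    # True when any line of a command's text output contains the literal string.
    # This is a substring match, so pick a userid that is not a prefix of another.
    param([string[]]$Lines, [string]$Text)
    [bool]($Lines | Select-String -SimpleMatch $Text -Quiet)
}

# 1. The domain userid is a member of the domain global group.
$inGlobal = Test-Output (net group $Group /domain 2>&1) $SvcUser

# 2. The domain global group is a member of the local mqm group on this server.
$inLocal = Test-Output (net localgroup $Local 2>&1) $Group

# 3. ACEs on the domain object that name the group. Each match is shown with
#    the line that follows it, where dsacls prints the access that was granted.
$aces = dsacls $DomainDN 2>&1 | Select-String -SimpleMatch $Group -Context 0,1

[pscustomobject]@{
    SvcUserInDomainGroup  = $inGlobal
    DomainGroupInLocalMqm = $inLocal
    DelegationAceMatches  = @($aces).Count
}

# Review these by eye: per the wizard steps quoted earlier, the group should
# hold read access to the two group membership properties on user objects
# and nothing broader.
$aces | ForEach-Object { $_.ToString() }
```

The account MQ runs under (the dcomcnfg identity setting) is not checked here and still has to be confirmed on the server.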
sabu21s
Posted: Thu Dec 11, 2003 7:27 am    Post subject: Got it .. thanks

Apprentice

Joined: 01 Oct 2003
Posts: 27
Location: Atlanta

Hey Jason,
Thanks a lot for your help. I did as you said, and the other thing I did was go into the local server and do the following:

Right-click on My Computer and select Manage. Expand Local Users and Groups, then click on Users, and there I made sure the domain user is added. Then I did the Dcomcnfg and made some changes on the MQ tab.

Thanks
Sabu21s

JasonE
Posted: Thu Dec 11, 2003 8:06 am

Grand Master

Joined: 03 Nov 2003
Posts: 1220
Location: Hursley

...and does it work now?

sabu21s
Posted: Thu Dec 11, 2003 8:43 am    Post subject: Yes it does....

Apprentice

Joined: 01 Oct 2003
Posts: 27
Location: Atlanta

Yes.. Works great....
I have seen a lot of FAQs on this topic, and I wish this would be helpful for the other folks who may face this same problem. Title should be "Permissions/Auth issues on a Server within a domain on WIN2k"

Thanks again
Sabu

JasonE
Posted: Thu Dec 11, 2003 10:11 am

Grand Master

Joined: 03 Nov 2003
Posts: 1220
Location: Hursley

You should try working in MQ service

The documentation for this was in the 5.2.1 quick beginnings as an appendix and moved into the main docs for 5.3, but I do agree it isn't clear.

FYI, the domain id issue is required for domains using Active Directory which was not migrated from an NT 4 domain.