Triggering (not) on Win2K - permissions?? |
scott9 |
Posted: Fri Jan 16, 2004 12:59 pm Post subject: Triggering (not) on Win2K - permissions?? |
|
|
Acolyte
Joined: 11 Jul 2002 Posts: 62 Location: Sacramento,CA
|
Question: If MUSR_MQADMIN doesn't have the necessary authority to trigger applications, should we still be able to trigger manually through the MMC GUI using an administrator account?
Triggering doesn't work automatically on our Win2K box (5.3 CSD05), but it works every time we manually stop & start the trigger through the GUI using an administrator account. We have everything set up correctly (so we think). No errors are generated, no Windows events, no nothing! It just doesn't work automatically; however, it works every time we manually stop & start the trigger. I'm thinking that MQ is using the interactive user's (administrator in this case) permissions to trigger the process, instead of MUSR_MQADMIN. Odd??
JasonE |
Posted: Fri Jan 16, 2004 1:50 pm Post subject: |
|
|
Grand Master
Joined: 03 Nov 2003 Posts: 1220 Location: Hursley
|
Quote: |
Question: If MUSR_MQADMIN doesn't have the necessary authority to trigger applications, should we still be able to trigger manually through the MMC GUI using an administrator account? |
No - If you are starting the trigger monitor through the MMC gui then it runs under the userid MQ is configured to run under, by default MUSR_MQADMIN.
Quote: |
Triggering doesn't work automatically on our Win2K box (5.3 CSD05), but it works every time we manually stop & start the trigger through the GUI using an administrator account |
.
Quote: |
however, it works every time we manually stop & start the trigger |
.
OK, let's try to clear some things up, bear with me.
If you start the trigger monitor from the command line then it runs as the signed on userid, and child processes will be started under your userid.
If you start it through the GUI, regardless of who you are logged on with, the runmqtrm process will run under the MQ userid, and so will anything it launches... Unless... If you set up in dcomcnfg under the identity tab of the MQSeries object something different (you can configure it to use the interactive user). Make sure that userid is in the mqm group too (I doubt anything would work if it wasn't).
Use process explorer (www.sysinternals.com) to see what userid runmqtrm is running under, and compare to dcomcnfg settings.
One question - Are you sure it is failing in the way you state? Does it always only ever work once (which can be the problem if the triggered app doesn't ever terminate)?
I have seen numerous problems with triggering but not as you describe. The 'normal' problem is that musr_mqadmin doesn't have read access to the boot drive root dir and the root of the drive containing the app - something worth checking (It's an o/s restriction, not MQ's).
Finally, is your machine in a domain or standalone? If domain, is it an active directory domain, and if so you might need to look at the delegate authority setup (See quick beginnings guide under win2000 setup).
scott9 |
Posted: Fri Jan 16, 2004 2:46 pm Post subject: Problem resolved |
|
|
Acolyte
Joined: 11 Jul 2002 Posts: 62 Location: Sacramento,CA
|
We have since resolved our problem by adding domainMQM to the local administrators group. It is as you stated, MUSR_MQADMIN didn't have privileges to the boot drive. The odd thing is that (before we did this) the process triggered when we right-clicked and selected 'start trigger' using an administrator account.
It didn't work when we subsequently added messages while it was already running. Most likely, because MUSR_MQADMIN didn't have sufficient privileges. This almost leads me to believe that it uses the environment of the user upon 'initiation' of the trigger, but subsequently uses MUSR_MQADMIN. It sounds like nonsense, but why else would it work at all?
To answer your question, this server is part of a domain. We've supplied the security team with the requirements, but we can't see the configuration for ourselves. We just experience weird problems, like this one and try to figure it out.
JasonE |
Posted: Fri Jan 16, 2004 3:32 pm Post subject: |
|
|
Grand Master
Joined: 03 Nov 2003 Posts: 1220 Location: Hursley
|
Quote: |
Added domainMQM to the local administrators group |
Personally I don't like this, as it means the qmgr pgms have admin rights to your machine.
I don't know why it worked when you clicked start monitor. Process explorer will prove what userid the trigger monitor starts under if you want to confirm the differences! Chances are it hung doing the first one, and never got around to subsequent ones!
If you are in an active directory domain, similar issues can arise if you haven't granted delegate authority to the user MQ is running under. By default Administrators have delegate authority so this could be the other reason your change fixed it. Look in the Quick beginnings about the domain userid, granting it that right and then using it for MQ - you shouldn't need admin rights for MQ unless you want to for your own reasons.
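The checks discussed in this thread, gathered into one script as an added example that is not part of any post above: it reports which account each running runmqtrm process runs under, which access entries on the drive roots name the MQ account, an mqm group or Administrators, and whether the MQ account or an mqm group sits in the local Administrators group. It needs a current Windows PowerShell (5.1 or later), and the application drive `D:\`, the English group name `Administrators` and the `mqm` name match are assumptions to adjust.

```powershell
# Added example, not from the thread. Assumed values: the application drive
# (D:\) and the English local group name 'Administrators'.
$account = 'MUSR_MQADMIN'
$roots   = @("$env:SystemDrive\", 'D:\') | Where-Object { Test-Path $_ }

# Identities of interest on the drive roots: the MQ account, any group whose
# name ends in "mqm", and Administrators (the broad grant to avoid relying on).
$aclPattern   = '\\({0}|.*mqm|Administrators)$' -f [regex]::Escape($account)
$adminPattern = '\\({0}|.*mqm)$' -f [regex]::Escape($account)

# 1. Which account each running trigger monitor actually runs under
#    (the same fact Process Explorer shows interactively).
$monitors = Get-CimInstance Win32_Process -Filter "Name = 'runmqtrm.exe'" |
    ForEach-Object {
        $owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
        [pscustomobject]@{
            ProcessId = $_.ProcessId
            Owner     = "$($owner.Domain)\$($owner.User)"
        }
    }

# 2. Allow entries on each drive root that name one of those identities.
#    No row for the MQ account or mqm means read access, if any, comes from
#    some other group membership and should be traced before widening rights.
$rootAcl = foreach ($root in $roots) {
    (Get-Acl -Path $root).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $_.IdentityReference.Value -match $aclPattern } |
        Select-Object @{ n = 'Root'; e = { $root } },
                      IdentityReference, FileSystemRights, IsInherited
}

# 3. Is the MQ account or an mqm group a local administrator?
$adminHits = Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $_.Name -match $adminPattern }

$monitors | Format-Table -AutoSize
$rootAcl  | Format-Table -AutoSize
if ($adminHits) {
    Write-Warning ("In local Administrators: " + ($adminHits.Name -join ', '))
}
```

Run it from an elevated prompt so that processes owned by other accounts report their owner.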