Security Problem (win2k + winXP domain users)
fschofer
Posted: Tue Oct 05, 2004 12:57 am    Post subject: Security Problem (win2k + winXP domain users)
Knight. Joined: 02 Jul 2001. Posts: 524. Location: Mainz, Germany.
Hi,
I am running MQ Server (CSD7) on a win2k box which is part of domain xyz.
The MQ service runs under the local user MUSR_MQADMIN.
The user abc is defined as a local user and is a member of the group mqm.
The domain xyz user abc is also a member of mqm.
I have a second box which runs winXP, where I am logged in as domain xyz user abc.
When I try to connect to the win2k box using mqclient or MQExplorer I get a
security error (2035 / AMQ4036).
In the event log of the win2k box I see a warning which tells me
that the user MUSR_MQADMIN@win2kbox is not able to retrieve
group membership information for the user abc@xyz
and that I have to run MQ under a domain user.
Is it possible to configure MQ on the win2k box so that
it does not try to request security configuration from the domain controller
and only uses the local group mqm for access rights?
If so, please tell me how.
I do not want to add an MCA user to the client channel.
Thanks
Frank
JasonE
Posted: Tue Oct 05, 2004 1:01 am    Post subject:
Grand Master. Joined: 03 Nov 2003. Posts: 1220. Location: Hursley.
Run MQ under a domain userid as per the instructions in the Quick Beginnings. MUSR_MQADMIN is not authorized (in Active Directory domains) to query the group membership of domain userids. It needs the delegate authority to achieve this.
fschofer
Posted: Tue Oct 05, 2004 1:29 am    Post subject:
Knight. Joined: 02 Jul 2001. Posts: 524. Location: Mainz, Germany.
Hi Jason,
I cannot use a domain user because we have the requirement
to change the user's password every 30 days.
Greetings
Frank
JasonE
Posted: Tue Oct 05, 2004 1:41 am    Post subject:
Grand Master. Joined: 03 Nov 2003. Posts: 1220. Location: Hursley.
Ok, no probs. It does mean you can't authorize any domain userid inside MQ then, as you have found!!!
Microsoft enforce a requirement that in order to be able to find out information on a domain userid in an Active Directory domain, the id doing the query needs to be given delegate authority. There is a way to authorize ALL userids to have this, but given the fact that you can't have passwords for longer than 30 days, I doubt they will want to expose another security issue such as this for everyone!
The *only* solution is that the domain controller knows the inbound userid doing the query (i.e. MQ runs under a domain id) and this particular userid is given that specific user right (i.e. delegate authority).
The alternative is, as I said, to only authenticate local users and always fail any inbound domain id - probably not very helpful!
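The diagnosis in the thread (the MQ service runs as a local account, so the domain controller will not let it resolve a domain user's group membership, and the client connect fails with 2035 / AMQ4036) can be checked on the MQ server before changing the service identity. The script below is an added example, not code from the original thread, from IBM or from the posters; it assumes the IBM MQ Windows service is named MQSeriesServices, a queue manager named QM1, the thread's user abc in domain xyz, and that the ActiveDirectory and Microsoft.PowerShell.LocalAccounts modules are installed on the server. Run it once as the administrator and once as the MQ service account (for example via runas) to compare what each identity can resolve.

```powershell
<#
  Added example (not from the thread). Checks, on the MQ server:
    1. which account the IBM MQ Windows service runs under,
    2. whether the domain user is a member of the local mqm group,
    3. whether the current session can read that user's group membership
       from the domain controller (the lookup the event-log warning reports
       as failing for MUSR_MQADMIN),
    4. what the OAM itself reports for the principal via dspmqaut.
  Assumed names: service 'MQSeriesServices', queue manager 'QM1', user abc@xyz.
#>
param(
    [string]$QueueManager = 'QM1',   # assumed; the thread never names a queue manager
    [string]$Domain       = 'xyz',
    [string]$User         = 'abc'
)

# 1. Service identity. A local account such as ".\MUSR_MQADMIN" is the symptom in the thread.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='MQSeriesServices'"
if (-not $svc) { throw 'IBM MQ service (MQSeriesServices) not found on this host.' }
"MQ service runs as: $($svc.StartName)"
$runsAsLocal = ($svc.StartName -like '.\*') -or
               ($svc.StartName -like "$($env:COMPUTERNAME)\*") -or
               ($svc.StartName -eq 'LocalSystem')

# 2. Local mqm membership of the domain user (the configuration the original poster has).
#    -eq is case-insensitive, so 'XYZ\abc' as listed by Windows still matches.
$domainUser = "$($Domain)\$($User)"
$inLocalMqm = @(Get-LocalGroupMember -Group 'mqm' | Where-Object { $_.Name -eq $domainUser }).Count -gt 0
"$domainUser is a member of local group mqm: $inLocalMqm"

# 3. Can this session resolve the domain user's groups at the domain controller?
#    Under a domain account with the delegated right this succeeds; under the
#    local MUSR_MQADMIN account it throws, which is what MQ's authorization hits.
$me = "$($env:USERDOMAIN)\$($env:USERNAME)"
try {
    $adGroups = Get-ADPrincipalGroupMembership -Identity $User -Server $Domain |
                Select-Object -ExpandProperty SamAccountName
    "Domain groups of $domainUser as seen by ${me}: $($adGroups -join ', ')"
}
catch {
    "Group lookup for $domainUser FAILED as ${me}: $($_.Exception.Message)"
    if ($runsAsLocal) {
        'The MQ service also runs under a local account, so it cannot perform this lookup;'
        'the thread''s reply says to run MQ under a domain userid with delegate authority.'
    }
}

# 4. The OAM's own view. With a resolvable principal this prints the authority list;
#    when the principal cannot be resolved it prints an AMQ error instead.
& dspmqaut -m $QueueManager -t qmgr -p "$($User)@$($Domain)"
"dspmqaut exit code: $LASTEXITCODE"
```

Step 3 is the decisive one: if the lookup succeeds for the administrator but fails when the same script runs as the service account, the queue manager's identity is the problem, not the local mqm membership, and no local-only configuration will make the domain user's connection succeed.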