MQSeries.net Forum Index » IBM MQ Security » MQ Explorer Cross-Forest Authentication with MQ 8.0.0.3

MQ Explorer Cross-Forest Authentication with MQ 8.0.0.3
Zodiac42
PostPosted: Wed Aug 31, 2016 6:36 am    Post subject: MQ Explorer Cross-Forest Authentication with MQ 8.0.0.3

Newbie

Joined: 31 Aug 2016
Posts: 6
Location: Linz, AT

Hi all,
Has anyone ever tried accessing a Windows Queue Manager via MQ Explorer from another subdomain of your organization?

Here's my situation:
We have a rather complex Windows domain forest with two adjacent root domains and several subdomains each. Admin accounts are always located in one of the root domains, whereas the users' workstations are in one subdomain and the resources (a.k.a. the servers) are located in another subdomain of the same forest.
According to our security staff I have to allow access to resources only to administrators. This puts me in the following dilemma:
AdminUser A in domain z.local has to start MQ Explorer on his workstation in subdomain a.z.local and access the queue manager in subdomain b.z.local.
(does this even make sense the way I am describing it??)
So, to accomplish this I've set up an IDPWLDAP AuthInfo object on one of my test QMGRs. First things first: it doesn't work.
After lots of tracing and analyzing log files it seems that, whatever I configure on the AuthInfo object, the answer from LDAP is always either user not found (ldap_search_failed), no SID returned, or ldap_get_values_failed. I've tried querying LDAP with the UPN (which is too long for the "equivalent short user" field, limited to 12 chars). I've also tried the query with the sAMAccountName, which is less than 12 characters but has no domain information, so... guess what... MQ doesn't use the domain info provided on the IDPWLDAP AuthInfo object, but instead uses the server's own domain, in which there is no such user...
I'm quite annoyed by this, as you can probably guess from the way I'm writing this, but not even IBM support can provide me with a reasonable solution. So my basic question is: has anyone ever tried to configure this, and if yes, HOW????

Hope this all makes sense.

Thank you all for reading this far.

Thanks a lot in advance for any suggestions.

cheers, Pat
Vitor
PostPosted: Wed Aug 31, 2016 7:00 am    Post subject:

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

Are your Windows admins worried about downsizing or redundancy? Receiving treatment for paranoia?

You get points for:

Zodiac42 wrote:
We have a rather complex Windows domain forest


You're a lock for the shortlist in "Understatement of the Year" and you can count on my vote.

What do your Windows admins suggest? What does MSoft support suggest (apart from upgrading everything and rebooting until the magic comes back)?

You might want to consider an alternative management tool; one that handles the kind of cross-domain authentication you need internally and shields MQ from it.

But it sounds like your Windows people have tied you in knots.
_________________
Honesty is the best policy.
Insanity is the best defence.
mqjeff
PostPosted: Wed Aug 31, 2016 7:12 am    Post subject:

Grand Master

Joined: 25 Jun 2008
Posts: 17447

It sounds like you're much better off using some kind of channel authentication rules to map users in one subdomain to users in the other, or at least to map the users that are allowed to connect to users on the local machine.

Then you don't (really) have to worry about dealing with cross-forest authentication. The MQ server knows about users in its forest, and the admin user running MQ Explorer knows about the other.

You should be (?) able to use chlauth rules to disallow non-admin users (based on ldap dn) from connecting to any channels, and then map users that are allowed to connect to local users on the mq server, or users in the other forest (if there are any) or to users in the root.

Also, ask the Windows admins how they are handling this with other systems...
_________________
chmod -R ugo-wx /
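A CHLAUTH rule set of the kind mqjeff describes (deny by default, map one permitted client id to a local server id), as an added example that is not from the thread or from IBM's documentation; the channel name, client user 'pat', server id 'mqadmpat' and the test address are assumed placeholders.

```mqsc
* Assumed names (not from the thread): channel SYSTEM.ADMIN.SVRCONN,
* client-side Windows user 'pat' (the id MQ Explorer asserts on connect),
* local server account 'mqadmpat' that the queue manager itself can resolve.

* 1. Require a password on every client connection, so a mapped id is only
*    granted after the queue manager's own OS/LDAP check has passed.
ALTER QMGR CONNAUTH('SYSTEM.DEFAULT.AUTHINFO.IDPWOS')
ALTER AUTHINFO('SYSTEM.DEFAULT.AUTHINFO.IDPWOS') AUTHTYPE(IDPWOS) CHCKCLNT(REQUIRED) ADOPTCTX(YES)

* 2. Catch-all: no client address may use the admin channel unless a more
*    specific rule maps it (ADDRESSMAP has the lowest precedence).
SET CHLAUTH('SYSTEM.ADMIN.SVRCONN') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS) DESCR('Deny by default') ACTION(REPLACE)

* 3. Map the one permitted client id to a local server id. USERMAP rules are
*    evaluated before ADDRESSMAP, so this rule wins over the deny rule.
SET CHLAUTH('SYSTEM.ADMIN.SVRCONN') TYPE(USERMAP) CLNTUSER('pat') USERSRC(MAP) MCAUSER('mqadmpat') DESCR('Forest admin -> local id') ACTION(REPLACE)

* Caveat: the shipped BLOCKUSER rule with USERLIST('*MQADMIN') is applied to
* the MCAUSER after mapping. If 'mqadmpat' is in the local mqm group that rule
* still blocks it; either remove the rule for this channel or map to a
* non-privileged id and grant it the needed authorities with setmqaut.

* 4. Dry-run the rule set for a given client id and address, without a real
*    connection, to see which rule would match.
DISPLAY CHLAUTH('SYSTEM.ADMIN.SVRCONN') MATCH(RUNCHECK) CLNTUSER('pat') ADDRESS('10.1.2.3')
REFRESH SECURITY TYPE(CONNAUTH)
```

Feed this to runmqsc on the test queue manager; the DISPLAY ... MATCH(RUNCHECK) output names the matching rule and the resulting MCAUSER before any workstation is pointed at the channel.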
Zodiac42
PostPosted: Thu Sep 01, 2016 4:51 am    Post subject:

Newbie

Joined: 31 Aug 2016
Posts: 6
Location: Linz, AT

Thanks mqjeff,

I had never thought of using channel authentication for this.
I'll try that next.

Other systems can obviously cope with that, because I had to explain "what the problem was with my MQ setup". The answer was, simply put, that they had never got such a request, because it just simply works with other applications; why wouldn't it??
fjb_saper
PostPosted: Thu Sep 01, 2016 9:47 pm    Post subject:

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20695
Location: LI,NY

Does the MQ Service id have cross domain trust?
Can it query domain group membership in all domains?
_________________
MQ & Broker admin
Zodiac42
PostPosted: Thu Sep 01, 2016 11:56 pm    Post subject:

Newbie

Joined: 31 Aug 2016
Posts: 6
Location: Linz, AT

fjb_saper wrote:
Does the MQ Service id have cross domain trust?

No, MQ runs with "Local System" privileges
fjb_saper wrote:
Can it query domain group membership in all domains?

LDAP queries are authenticated with an admin-level service user, which has all the necessary rights and privileges.
I forgot to mention that an appropriate LDAP object is returned from AD, but MQ doesn't recognize it as my MQ admin account (even though it is a member of the local mqm group).
mqjeff
PostPosted: Fri Sep 02, 2016 3:58 am    Post subject:

Grand Master

Joined: 25 Jun 2008
Posts: 17447

Zodiac42 wrote:
fjb_saper wrote:
Does the MQ Service id have cross domain trust?

No, MQ runs with "Local System" privileges


You can, unless I'm remembering wrong, change which user the MQ Service runs under.

This could then be a user that does have cross domain trust. And is in the local mqm group.
_________________
chmod -R ugo-wx /
Zodiac42
PostPosted: Fri Oct 21, 2016 6:34 am    Post subject:

Newbie

Joined: 31 Aug 2016
Posts: 6
Location: Linz, AT

Hooray, we solved it!

So, long story short: it works with MQ 9.0 and up.

Also, you have to use server-local groups in which the users are direct members (no group nesting).

With this in mind I was able to authenticate a user over LDAP across our whole forest.

Not the most elegant way, but there is still room for improvement.