sarabennet
Posted: Tue Jul 16, 2019 5:40 am    Post subject: Error moving to AD domain
Novice
Joined: 23 Jun 2019    Posts: 12
Hi experts,
We are facing an issue when migrating from a local id to a Windows AD domain id for MQ 7.5. We are getting the below error in the MQ error logs. There was no change done to queue manager permissions other than starting MQ with an AD domain id instead of a local id. Could you please guide me on this, as I am a bit new to MQ.
CHLAUTH was disabled at the time.
AMQ9557: Queue Manager User ID initialization failed.
Vitor
Posted: Tue Jul 16, 2019 5:54 am    Post subject: Re: Error moving to AD domain
Grand High Poobah
Joined: 11 Nov 2005    Posts: 26093    Location: Texas, USA
sarabennet wrote:
    There was no change done to queue manager permissions other than starting MQ with AD domain id instead of local id.
Why are you trying to migrate from a local id to a domain id, rather than adding the domain id to the local group?
What component is issuing this error? The most common reason for this is that the MQ service is trying to start before the AD service is available, hence the domain id doesn't work.
This is why I always use a local id for services.
_________________
Honesty is the best policy.
Insanity is the best defence.
fjb_saper
Posted: Tue Jul 16, 2019 8:17 pm    Post subject: Re: Error moving to AD domain
Grand High Poobah
Joined: 18 Nov 2003    Posts: 20756    Location: LI,NY
Vitor wrote:
    sarabennet wrote:
        There was no change done to queue manager permissions other than starting MQ with AD domain id instead of local id.
    Why are you trying to migrate from a local id to a domain id, rather than adding the domain id to the local group?
    What component is issuing this error? The most common reason for this is that the MQ service is trying to start before the AD service is available, hence the domain id doesn't work.
    This is why I always use a local id for services.
Don't do that. Use the deferred start option for the services if you must...
And please remember, when you change id or password, to run it through the Prepare MQ Wizard. Also look in the documentation; there are specific permissions the AD ID needs to have at the local and domain level.
Have fun.
_________________
MQ & Broker admin
Vitor
Posted: Wed Jul 17, 2019 5:25 am    Post subject: Re: Error moving to AD domain
Grand High Poobah
Joined: 11 Nov 2005    Posts: 26093    Location: Texas, USA
fjb_saper wrote:
    Vitor wrote:
        This is why I always use a local id for services.
    Don't do that. Use the deferred start option for the services if you must...
Oh, and that works so reliably. I've done that and made the AD service a pre-requisite for the MQ service and Windoze still tries to start MQ too soon because the AD service signals "I'm up" when it's finished starting, not when it's available for use. So MQ (and SQL Server, and DB2, and WAS, and <insert software name>) all try and validate the domain user while AD is synchronizing with the directory / staring into its navel / drinking coffee / working out the square root of -1 to 5 decimal places / waiting for my blood pressure to reach critical mass.
fjb_saper wrote:
    Also look in the documentation; there are specific permissions the AD ID needs to have at the local and domain level.
This is a good catch.
I had forgotten (but agree completely) that such a domain user is not a "normal" user but requires a particular set-up, as my worthy associate points out.
_________________
Honesty is the best policy.
Insanity is the best defence.
sarabennet
Posted: Wed Jul 17, 2019 10:35 pm
Novice
Joined: 23 Jun 2019    Posts: 12
Thank you all for the inputs.
Quote:
    And please remember, when you change id or password, to run it through the Prepare MQ Wizard. Also look in the documentation; there are specific permissions the AD ID needs to have at the local and domain level.
I have gone through the documentation. Will try this and get back.
fjb_saper
Posted: Thu Jul 18, 2019 8:33 pm    Post subject: Re: Error moving to AD domain
Grand High Poobah
Joined: 18 Nov 2003    Posts: 20756    Location: LI,NY
Vitor wrote:
    fjb_saper wrote:
        Vitor wrote:
            This is why I always use a local id for services.
        Don't do that. Use the deferred start option for the services if you must...
    Oh, and that works so reliably. I've done that and made the AD service a pre-requisite for the MQ service and Windoze still tries to start MQ too soon because the AD service signals "I'm up" when it's finished starting, not when it's available for use. So MQ (and SQL Server, and DB2, and WAS, and <insert software name>) all try and validate the domain user while AD is synchronizing with the directory / staring into its navel / drinking coffee / working out the square root of -1 to 5 decimal places / waiting for my blood pressure to reach critical mass.
    fjb_saper wrote:
        Also look in the documentation; there are specific permissions the AD ID needs to have at the local and domain level.
    This is a good catch.
    I had forgotten (but agree completely) that such a domain user is not a "normal" user but requires a particular set-up, as my worthy associate points out.
Well, there is the standard start-up of the service with dependencies, and then you can set up the service for deferred start-up (with or without dependencies). It will wait a little bit longer before trying to start up. A Windows guru can tell what it is waiting on in this case...
_________________
MQ & Broker admin
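As an added example (not code from the thread or from IBM), the following PowerShell does the two things discussed above for the MQ Windows service: it shows which account the service runs as and what it currently depends on, switches it to delayed automatic start, adds a dependency, and then checks that the host actually has a working secure channel to its domain before the service is started. The service name MQ_Installation1 is a placeholder, and treating Netlogon as the relevant dependency assumes the host is a domain member; both are my assumptions, not facts from the thread.

```powershell
# Added example, not from the thread: inspect and adjust the start order of the
# MQ Windows service so it does not validate its domain account before the host
# has a working secure channel to a domain controller. Run from an elevated shell.
# ASSUMPTION: 'MQ_Installation1' is a placeholder service name; find yours with
#   Get-Service | Where-Object DisplayName -like '*MQ*'
$mqService = 'MQ_Installation1'

# 1. Who the service runs as, and what it currently waits for.
$svc = Get-CimInstance Win32_Service -Filter "Name='$mqService'"
if (-not $svc) { throw "Service '$mqService' not found" }
'{0} runs as {1}, start mode {2}' -f $svc.Name, $svc.StartName, $svc.StartMode
$currentDeps = @((Get-Service -Name $mqService).ServicesDependedOn | ForEach-Object Name)
'Current dependencies: ' + ($currentDeps -join ', ')

# 2. Deferred start: Windows starts delayed-auto services after the automatic ones.
sc.exe config $mqService start= delayed-auto

# 3. Add Netlogon (the service that keeps the machine's secure channel to a DC) as a
#    dependency, keeping the existing ones. sc.exe wants a slash-separated list.
#    ASSUMPTION: the host is a domain member, so Netlogon is the relevant dependency.
$deps = ($currentDeps + 'Netlogon') | Select-Object -Unique
sc.exe config $mqService depend= ($deps -join '/')

# 4. A dependency only means the other service has started, not that a DC answers,
#    which is the failure mode described earlier in the thread. Check the secure
#    channel explicitly before starting MQ.
if (Test-ComputerSecureChannel) {
    Start-Service -Name $mqService
} else {
    Write-Warning 'No secure channel to the domain; fix that before starting MQ'
}
```

Test-ComputerSecureChannel covers the computer's own domain only. For the second domain that appears later in the thread's log, `nltest /dsgetdc:<dns domain name>` confirms that a domain controller in that domain can at least be located from the host.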
Vitor
Posted: Fri Jul 19, 2019 3:45 am    Post subject: Re: Error moving to AD domain
Grand High Poobah
Joined: 11 Nov 2005    Posts: 26093    Location: Texas, USA
fjb_saper wrote:
    Vitor wrote:
        fjb_saper wrote:
            Vitor wrote:
                This is why I always use a local id for services.
            Don't do that. Use the deferred start option for the services if you must...
        Oh, and that works so reliably. I've done that and made the AD service a pre-requisite for the MQ service and Windoze still tries to start MQ too soon because the AD service signals "I'm up" when it's finished starting, not when it's available for use. So MQ (and SQL Server, and DB2, and WAS, and <insert software name>) all try and validate the domain user while AD is synchronizing with the directory / staring into its navel / drinking coffee / working out the square root of -1 to 5 decimal places / waiting for my blood pressure to reach critical mass.
        fjb_saper wrote:
            Also look in the documentation; there are specific permissions the AD ID needs to have at the local and domain level.
        This is a good catch.
        I had forgotten (but agree completely) that such a domain user is not a "normal" user but requires a particular set-up, as my worthy associate points out.
    Well, there is the standard start-up of the service with dependencies, and then you can set up the service for deferred start-up (with or without dependencies). It will wait a little bit longer before trying to start up. A Windows guru can tell what it is waiting on in this case...
I'll stick with Plan A: avoid putting queue managers on Windoze.
_________________
Honesty is the best policy.
Insanity is the best defence.
sarabennet
Posted: Thu Jul 25, 2019 9:33 pm
Novice
Joined: 23 Jun 2019    Posts: 12
7/26/2019 1:47:44 - Process(2222.44) User(MQ_ADM) Program(amqzlaa0.exe)
Host(ABCDEF) Installation(Installation1)
VRMF(7.5.0.5) QMgr(QMADM)
AMQ8079: Access was denied when attempting to retrieve group membership
information for user 'appuser@AD1'.
EXPLANATION:
WebSphere MQ, running with the authority of user 'MQ_ADM@AD2', was
unable to retrieve group membership information for the specified user.
ACTION:
Ensure Active Directory access permissions allow user 'MQ_ADM@AD2' to
read group memberships for user 'appuser@AD1'. To retrieve group
membership information for a domain user, MQ must run with the authority of a
domain user and a domain controller must be available.
AMQ9557: Queue Manager User ID initialization failed.
EXPLANATION:
The call to initialize the User ID failed with CompCode 2 and Reason 2063.
ACTION:
Correct the error and try again.
exerk
Posted: Thu Jul 25, 2019 10:58 pm
Jedi Council
Joined: 02 Nov 2006    Posts: 6339
sarabennet wrote:
    ...WebSphere MQ, running with the authority of user 'MQ_ADM@AD2', was unable to retrieve group membership information for the specified user.
    ACTION:
    Ensure Active Directory access permissions allow user 'MQ_ADM@AD2' to read group memberships for user 'appuser@AD1'...
This suggests that the IDs are in different domains, and if so...
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
fjb_saper
Posted: Fri Jul 26, 2019 4:53 pm
Grand High Poobah
Joined: 18 Nov 2003    Posts: 20756    Location: LI,NY
The MQ Service ID must have permission to read the group membership on both domains!
And then you may need to configure access permissions for both domains...
Do you cross-pollinate your domains?
I.e. group mqusers in domain A has users from both domain A and B?
_________________
MQ & Broker admin
sarabennet
Posted: Sat Jul 27, 2019 9:25 am
Novice
Joined: 23 Jun 2019    Posts: 12
Quote:
    The MQ Service ID must have permission to read the group membership on both domains!
Yes, we have given ReadGroupMembership permissions for the MQ_ADM@AD1 id with which we have started MQ.
Quote:
    And then you may need to configure access permissions for both domains...
How do we do that?
Quote:
    Do you cross-pollinate your domains?
Not sure what that means.
Quote:
    I.e. group mqusers in domain A has users from both domain A and B?
Yes.
exerk
Posted: Sun Jul 28, 2019 10:24 am
Jedi Council
Joined: 02 Nov 2006    Posts: 6339
sarabennet wrote:
    Quote:
        And then you may need to configure access permissions for both domains...
    How do we do that?
Talk to your domain admins; it's their job to set up cross-domain trusts, assuming your site allows it.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
fjb_saper
Posted: Sun Jul 28, 2019 12:43 pm
Grand High Poobah
Joined: 18 Nov 2003    Posts: 20756    Location: LI,NY
sarabennet wrote:
    Quote:
        The MQ Service ID must have permission to read the group membership on both domains!
    Yes, we have given ReadGroupMembership permissions for the MQ_ADM@AD1 id with which we have started MQ.
So did you grant that permission to MQ_ADM@AD1 only in AD1, or also in AD2?
_________________
MQ & Broker admin
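The two fjb_saper posts above come down to one question: can the account MQ runs as read group membership for users in each domain involved? As an added example (not code from the thread, from IBM, or from any poster), this PowerShell answers that directly. Run it in a shell that executes as the MQ service account and it attempts, per domain, the lookup that the AMQ8079 message in the log says failed. The domain DNS names and the user name are constructed placeholders, and reading the user's tokenGroups attribute is my approximation of the group lookup MQ performs, not a statement of how MQ itself implements it.

```powershell
# Added example, not from the thread: run this in a shell that executes as the MQ
# service account (for instance one started with  runas /user:AD2\MQ_ADM powershell)
# to test whether that account can read group membership for users in each domain,
# which is the lookup that fails with AMQ8079 in the log posted above.
# ASSUMPTION: the domain DNS names and the user name are placeholders; MQ's own
# lookup is approximated here by reading the user's tokenGroups attribute.
$checks = @(
    @{ Domain = 'ad1.example.com'; User = 'appuser' },
    @{ Domain = 'ad2.example.com'; User = 'appuser' }
)

function ConvertTo-LdapFilterLiteral([string]$s) {
    # RFC 4515 escaping so a supplied name cannot change the filter's structure.
    $s -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

function Get-GroupMembership {
    param([string]$Domain, [string]$SamAccountName)
    # Locate the user object; ADSI picks a domain controller for the DNS domain name.
    $root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Domain")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$(ConvertTo-LdapFilterLiteral $SamAccountName)))"
    $null = $searcher.PropertiesToLoad.Add('distinguishedName')
    $result = $searcher.FindOne()
    if (-not $result) { throw "user '$SamAccountName' not found in $Domain" }

    # tokenGroups is a constructed attribute holding the SIDs of every group the user
    # belongs to, nesting included. It is only returned by a base-scope read of the
    # object itself, and reading it requires read permission on that attribute for
    # the account running this script, which is what is missing when AMQ8079 appears.
    $user = $result.GetDirectoryEntry()
    $user.psbase.RefreshCache(@('tokenGroups'))
    foreach ($sidBytes in $user.psbase.Properties['tokenGroups']) {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
        try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $sid.Value }   # a SID this account cannot resolve to a name
    }
}

foreach ($c in $checks) {
    try {
        $groups = @(Get-GroupMembership -Domain $c.Domain -SamAccountName $c.User)
        'OK   {0}\{1}: {2} group(s)' -f $c.Domain, $c.User, $groups.Count
        $groups | ForEach-Object { "       $_" }
    } catch {
        # Access denied or a referral failure here is what MQ surfaces as AMQ8079.
        'FAIL {0}\{1}: {2}' -f $c.Domain, $c.User, $_.Exception.Message
    }
}
```

A FAIL for one domain and OK for the other is the pattern to expect when the permission was granted in only one of them, which is the question the post above asks. Group SIDs that print unresolved point at a group in a domain the service account cannot even look up names in, which is the cross-domain trust question raised earlier in the thread.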