ASG
IBM
Zystems
Cressida
Icon
Netflexity
 
  MQSeries.net
Search  Search       Tech Exchange      Education      Certifications      Library      Info Center      SupportPacs      LinkedIn  Search  Search                                                                   FAQ  FAQ   Usergroups  Usergroups
 
Register  ::  Log in Log in to check your private messages
 
RSS Feed - WebSphere MQ Support RSS Feed - Message Broker Support

MQSeries.net Forum IndexGeneral IBM MQ SupportIBM Prepare Wizard - Help Please

Post new topicReply to topic
IBM Prepare Wizard - Help Please View previous topic :: View next topic
Author Message
Heba_MQ
PostPosted: Tue Jun 23, 2020 3:38 am Post subject: IBM Prepare Wizard - Help Please Reply with quote

Apprentice

Joined: 19 Apr 2020
Posts: 27

Dears,

We are trying to rum mq prepare wizard and use an active directory service account to start up mq (we are in windows 2019) (MQ 9.1.5)

We always get this error :
"The user name specified does not have the authority that IBM Require"
"it must be configured with domain user that has the authority to query the group membership of other users"

We have created the AD user and group as per IBM Recommendations

- We create a Domain mqm group
- We give it read group membership and read group membershipSAM permissions
- We created user svc_MQM in this group
- When MQ is installed both the AD user svc_MQM and AD group Domain MQM got added automatically to local mqm group

What else should I check

Thanks
Heba
Back to top
View user's profile Send private message
fjb_saper
PostPosted: Tue Jun 23, 2020 5:30 am Post subject: Re: IBM Prepare Wizard - Help Please Reply with quote

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20419
Location: LI,NY

Heba_MQ wrote:
Dears,

We are trying to rum mq prepare wizard and use an active directory service account to start up mq (we are in windows 2019) (MQ 9.1.5)

We always get this error :
"The user name specified does not have the authority that IBM Require"
"it must be configured with domain user that has the authority to query the group membership of other users"

We have created the AD user and group as per IBM Recommendations

- We create a Domain mqm group
- We give it read group membership and read group membershipSAM permissions
- We created user svc_MQM in this group
- When MQ is installed both the AD user svc_MQM and AD group Domain MQM got added automatically to local mqm group

What else should I check

Thanks
Heba

So the MQ Service user, (the one running the MQ service in the services.msc) is the one needing all those permissions plus a slew of permissions on the local server (about 7 different ones). You use the prepare MQ Wizard to change the service id. The service id needs to be in the same domain as the MQ Server. Enjoy
_________________
MQ & Broker admin
Back to top
View user's profile Send private message Send e-mail
Heba_MQ
PostPosted: Tue Jun 23, 2020 7:15 am Post subject: Reply with quote

Apprentice

Joined: 19 Apr 2020
Posts: 27

Yes... the domain user svc_MQM and domain group Domain mqm and the mq server are in the Active Directory same domain...

What else could be missed ?

Thanks
Heba
Back to top
View user's profile Send private message
exerk
PostPosted: Tue Jun 23, 2020 7:30 am Post subject: Reply with quote

Jedi Council

Joined: 02 Nov 2006
Posts: 6206

Heba_MQ wrote:
Yes... the domain user svc_MQM and domain group Domain mqm and the mq server are in the Active Directory same domain...

What else could be missed ?

Thanks
Heba

When you run the wizard, are you running it as user svc_MQM?
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.

Back to top
View user's profile Send private message
Heba_MQ
PostPosted: Tue Jun 23, 2020 8:10 am Post subject: Reply with quote

Apprentice

Joined: 19 Apr 2020
Posts: 27

Dear exerk,

No, I run it with my windows user id that I used to install the MQ with....

What I understand is that the prepare wizard should adjust the authorization of all the mq folders and start up the MQ service with the svc_MQM after the prepare wizard did the work.

Is this wrong ?

Thanks
Heba
Back to top
View user's profile Send private message
exerk
PostPosted: Tue Jun 23, 2020 8:14 am Post subject: Reply with quote

Jedi Council

Joined: 02 Nov 2006
Posts: 6206

Heba_MQ wrote:
...No, I run it with my windows user id that I used to install the MQ with...

Are you a Domain Admin, or does your user id have the necessary level of authorisation to query group membership of other users?
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.

Back to top
View user's profile Send private message
fjb_saper
PostPosted: Tue Jun 23, 2020 11:27 am Post subject: Reply with quote

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20419
Location: LI,NY

Heba_MQ wrote:
Yes... the domain user svc_MQM and domain group Domain mqm and the mq server are in the Active Directory same domain...

What else could be missed ?

Thanks
Heba

The 7 local permissions needed by the service id...
_________________
MQ & Broker admin
Back to top
View user's profile Send private message Send e-mail
Heba_MQ
PostPosted: Wed Jun 24, 2020 12:49 am Post subject: Reply with quote

Apprentice

Joined: 19 Apr 2020
Posts: 27

Hi Exerk

My user ID that I used to install the MQ with is a local admin on the MQ server only...

With this userid I should launch the prepare wizard and I entered the domain, the domain service account svc_MQM and its password....

The user name specified does not have the authority that IBM Require"
"it must be configured with domain user that has the authority to query the group membership of other users"

the svc_MQM is in the in the group "Domain mqm" and this "Domain mqm" has permission "read group membership" and "read group membershipSAM permissions"

Where is the trick...

Thanks
Heba
Back to top
View user's profile Send private message
exerk
PostPosted: Wed Jun 24, 2020 1:27 am Post subject: Reply with quote

Jedi Council

Joined: 02 Nov 2006
Posts: 6206

Heba_MQ wrote:
Hi Exerk

My user ID that I used to install the MQ with is a local admin on the MQ server only...

With this userid I should launch the prepare wizard and I entered the domain, the domain service account svc_MQM and its password....

The user name specified does not have the authority that IBM Require"
"it must be configured with domain user that has the authority to query the group membership of other users"

the svc_MQM is in the in the group "Domain mqm" and this "Domain mqm" has permission "read group membership" and "read group membershipSAM permissions"

Where is the trick...

Thanks
Heba

There is no trick!

As fjb_saper has already stated, you are probably missing THESE.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.

Back to top
View user's profile Send private message
Heba_MQ
PostPosted: Mon Jun 29, 2020 2:33 pm Post subject: Reply with quote

Apprentice

Joined: 19 Apr 2020
Posts: 27

Dears,

We finally got it working....

The active directory team changed this:
Network access: Restrict clients allowed to make remote calls to SAM by granting remote RPC access to SAM for for the domain svc_MQM account...

The Prepare Wizard completed and service started... I was able to start up the qmgr without issues...but of course issues never end...I am about to raise my next question soon...Just wanted to update forum in case anyone else got similar issue....

Many thanks for your help.

Heba
Back to top
View user's profile Send private message
fjb_saper
PostPosted: Tue Jun 30, 2020 12:02 pm Post subject: Reply with quote

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20419
Location: LI,NY

You might also want to set the security stanza in the qm.ini that's unique to windows and applies to your case.

_________________
MQ & Broker admin
Back to top
View user's profile Send private message Send e-mail
Display posts from previous:
Post new topicReply to topic Page 1 of 1

MQSeries.net Forum IndexGeneral IBM MQ SupportIBM Prepare Wizard - Help Please
Jump to:



You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
Protected by Anti-Spam ACP


Theme by Dustin Baccetti
Powered by phpBB 2001, 2002 phpBB Group

Copyright MQSeries.net. All rights reserved.