I am developing an application that is using WebSphere MQ v6.0. WebSphere MQ is currently not working due to the following issue:
- WebSphere MQ service runs under local user "MUSR_MQADMIN" in the local group "mqm"
- I attempt to use the service using my own account, BIZ\noahz
- MUSR_MQADMIN needs to check if BIZ\noahz is in local group "mqm"
- MUSR_MQADMIN does not have permission to read the Active Directory group membership of BIZ\noahz
- The following error appears in the MQ log file:
----- amqzfubn.c : 3582 -------------------------------------------------------
1/31/2011 18:51:32 - Process(704.1105) User(MUSR_MQADMIN) Program(amqzlaa0.exe) AMQ8079: Access was denied when attempting to retrieve group membership information for user 'noahz@biz'.
EXPLANATION: WebSphere MQ, running with the authority of user 'musr_mqadmin@noahz-biz', was unable to retrieve group membership information for the specified user. ACTION: Ensure Active Directory access permissions allow user 'musr_mqadmin@noahz-biz' to read group memberships for user 'noahz@biz'. To retrieve group membership information for a domain user, MQ must run with the authority of a domain user.
----- amqzfubn.c : 3582 -------------------------------------------------------
I found more information is here on IBM's web site: http://publib.boulder.ibm.com/infocenter/wmqv7/v7r0/index.jsp?topic=/com.ibm.mq.amqtac.doc/wq10830_.htm
I don't have Active Directory admin rights for my Windows machine, so my question is:
Is there anything else I can do to resolve (or work-around) this issue and get WebSphere MQ working for me again? For example, can I disable this security check in WebSphere MQ?
UPDATE Here's the response I got from IBM support:
Usually, these errors indicate an issue with the userid the MQ service is configured to run under in dcom. If you are unsure of what userid this is, you can check with the following:
Open a command prompt and type: dcomcnfg. Once the Component Services MMC opens, double-click "Component Services", double-click "Computers", double-click "My Computer", double-click "DCOM Config". In the window, look for "IBM MQSeries Services", right-click on it, then choose Properties. Click on the "Identity" tab. It should show "This user" followed by an id.
Please make sure the MQ services id (from the Identity tab above) has the needed rights locally. Grant it any rights that are missing for the following:
Open Start->Programs->Administrative Tools->Local Security Settings.
Open up Local Policies then User Rights Assignments, double click to check that the following rights are set:
- Logon as batch job
- Logon as service
- Shut down the system
- Debug programs
- Increase quotas
- Act as part of the operating system
- Bypass traverse checking
- Replace a process level token
The end result was that my IT department and InfoSec decided that WebSphere MQ is "server software" and therefore is not allowed on individual workstations, so I never even got to test out the above solution!
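The two checks IBM support describes (the DCOM identity of "IBM MQSeries Services" and the user rights granted to that account) can be scripted so the result is auditable instead of read off MMC tabs. This is an added example, not code from the original post or from IBM; it assumes the DCOM entry still carries the display name "IBM MQSeries Services" and that the identity is set to "This user", and it must run from an elevated prompt because `secedit` requires it.

```powershell
# Added example: report which of the rights listed by IBM the MQ service account lacks.
# Friendly names from the IBM list mapped to the constant names secedit exports.
$RequiredRights = [ordered]@{
    'Logon as batch job'                  = 'SeBatchLogonRight'
    'Logon as service'                    = 'SeServiceLogonRight'
    'Shut down the system'                = 'SeShutdownPrivilege'
    'Debug programs'                      = 'SeDebugPrivilege'
    'Increase quotas'                     = 'SeIncreaseQuotaPrivilege'
    'Act as part of the operating system' = 'SeTcbPrivilege'
    'Bypass traverse checking'            = 'SeChangeNotifyPrivilege'
    'Replace a process level token'       = 'SeAssignPrimaryTokenPrivilege'
}

# 1. Locate the DCOM AppID whose display name is "IBM MQSeries Services" (assumed name)
#    and read its RunAs value, which is what dcomcnfg shows on the Identity tab.
$app = Get-ChildItem 'HKLM:\SOFTWARE\Classes\AppID' |
    Where-Object { (Get-ItemProperty $_.PSPath).'(default)' -eq 'IBM MQSeries Services' } |
    Select-Object -First 1
if (-not $app) { throw 'DCOM entry "IBM MQSeries Services" not found; is MQ installed?' }
$runAs = (Get-ItemProperty $app.PSPath).RunAs
if (-not $runAs -or $runAs -eq 'Interactive User') {
    throw "Identity is not set to 'This user'; set it in dcomcnfg before checking rights."
}
Write-Host "MQ service identity (DCOM RunAs): $runAs"

# 2. Resolve the account to its SID; secedit lists rights holders as *SID.
$sid = (New-Object System.Security.Principal.NTAccount($runAs)).
    Translate([System.Security.Principal.SecurityIdentifier]).Value

# 3. Export the local User Rights Assignment policy and parse [Privilege Rights].
$cfg = Join-Path $env:TEMP 'mq-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
$granted = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $granted[$Matches[1]] = $Matches[2] -split ',' | ForEach-Object { $_.Trim() }
    }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

# 4. Print OK/MISS for each right IBM asked to verify.
foreach ($entry in $RequiredRights.GetEnumerator()) {
    $holders = $granted[$entry.Value]
    $has = ($holders -contains "*$sid") -or ($holders -contains $runAs)
    '{0,-4} {1} ({2})' -f $(if ($has) { 'OK' } else { 'MISS' }), $entry.Key, $entry.Value
}
```

Any line reported as MISS corresponds to a right to grant under Local Policies, User Rights Assignments, as the IBM response describes.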
It is worth noting that the solutions given by Rob, AJ and Eduardo address different problems than the one in the question. They work by making sure that the ID presented to MQ is one that MQ can resolve locally. The original problem was that the ID presented was not a local ID and MQ needs to query the domain to get group info. To get MQ running on your workstation those solutions are fine. If what you need is to make sure the Production QMgr doesn't crater because a domain ID was presented, then follow the advice from IBM or my response to grant the needed rights to the MQ svc acct. – T.Rob – 2015-10-14T23:15:22.287
Please see update below. Not sure if that would work for you but it's worth noting for other users with a similar problem. If you care to pass along this experience to the WMQ dev lab, please submit a WMQ Requirement at http://bit.ly/WMQReq which describes how you might want that problem addressed - i.e. disable security at install time, WMQ equivalent of HTACCESS file, LDAP repository, or whatever would work for you. – T.Rob – 2011-12-06T16:29:48.310