WebSphere MQ running under local account / group cannot read group memberships for Active Directory user. Workaround or alternative resolution?
- by noahz
I am developing an application that is using WebSphere MQ v6.0. WebSphere MQ is currently not working due to the following issue:
WebSphere MQ service runs under local user "MUSR_MQADMIN" in the local group "mqm"
I attempt to use the service using my own account, BIZ\noahz
MUSR_MQADMIN needs to check if BIZ\noahz is in local group "mqm"
MUSR_MQADMIN does not have permission to read the Active Directory group membership of BIZ\noahz
The following error appears in the MQ log file:
----- amqzfubn.c : 3582 -------------------------------------------------------
1/31/2011 18:51:32 - Process(704.1105) User(MUSR_MQADMIN) Program(amqzlaa0.exe)
AMQ8079: Access was denied when attempting to retrieve group membership
information for user 'noahz@biz'.
EXPLANATION:
WebSphere MQ, running with the authority of user 'musr_mqadmin@noahz-biz',
was unable to retrieve group membership information for the specified user.
ACTION:
Ensure Active Directory access permissions allow user
'musr_mqadmin@noahz-biz' to read group memberships for user 'noahz@biz'. To
retrieve group membership information for a domain user, MQ must run with the
authority of a domain user.
----- amqzfubn.c : 3582 -------------------------------------------------------
I found more information here on IBM's web site:
http://publib.boulder.ibm.com/infocenter/wmqv7/v7r0/index.jsp?topic=/com.ibm.mq.amqtac.doc/wq10830_.htm
I don't have Active Directory admin rights for my Windows machine, so my question is:
Is there anything else I can do to resolve (or work around) this issue and get WebSphere MQ working for me again? For example, can I disable this security check in WebSphere MQ?
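
For triage, the error-log entry quoted in the question can be parsed to show which user was looked up and which identity MQ was running as when AMQ8079 was raised. This is an added example, not part of the original post and not IBM tooling; the function names and the `same_domain` comparison are assumptions made for illustration.

```python
import re

# Log entry copied from the post above; the dashed source-file lines delimit entries.
SAMPLE_LOG = """\
----- amqzfubn.c : 3582 -------------------------------------------------------
1/31/2011 18:51:32 - Process(704.1105) User(MUSR_MQADMIN) Program(amqzlaa0.exe)
AMQ8079: Access was denied when attempting to retrieve group membership
information for user 'noahz@biz'.
EXPLANATION:
WebSphere MQ, running with the authority of user 'musr_mqadmin@noahz-biz',
was unable to retrieve group membership information for the specified user.
ACTION:
Ensure Active Directory access permissions allow user
'musr_mqadmin@noahz-biz' to read group memberships for user 'noahz@biz'. To
retrieve group membership information for a domain user, MQ must run with the
authority of a domain user.
----- amqzfubn.c : 3582 -------------------------------------------------------
"""

SEPARATOR = re.compile(r"^-{5} \S+ : \d+ -+\s*$", re.M)
HEADER = re.compile(r"^(?P<when>\d+/\d+/\d+ \d+:\d+:\d+) - Process\((?P<process>[^)]*)\) "
                    r"User\((?P<user>[^)]*)\) Program\((?P<program>[^)]*)\)", re.M)
MESSAGE = re.compile(r"^(?P<msgid>AMQ\d{4}): (?P<text>.*?)^EXPLANATION:\s*"
                     r"(?P<explanation>.*?)^ACTION:\s*(?P<action>.*)", re.M | re.S)
QUOTED_USER = re.compile(r"user\s+'([^'@]+)@([^']+)'")

def parse_entries(log_text):
    """Split an MQ error log on its separator lines and parse each entry."""
    entries = []
    for chunk in SEPARATOR.split(log_text):
        head, msg = HEADER.search(chunk), MESSAGE.search(chunk)
        if head and msg:
            fields = {**head.groupdict(), **msg.groupdict()}
            # Collapse wrapped lines so each field is a single line of text.
            entries.append({k: " ".join(v.split()) for k, v in fields.items()})
    return entries

def group_lookup_denials(entries):
    """Report AMQ8079 entries: who was looked up, and under which identity."""
    findings = []
    for e in (x for x in entries if x["msgid"] == "AMQ8079"):
        target, service = QUOTED_USER.search(e["text"]), QUOTED_USER.search(e["explanation"])
        if target and service:
            # Heuristic (assumption): a different name after '@' means the
            # service identity is not an account in the looked-up user's domain.
            same = target.group(2).lower() == service.group(2).lower()
            findings.append({"when": e["when"], "looked_up": "@".join(target.groups()),
                             "running_as": "@".join(service.groups()), "same_domain": same})
    return findings
```

For the entry in the question, `group_lookup_denials(parse_entries(SAMPLE_LOG))` reports `noahz@biz` looked up under `musr_mqadmin@noahz-biz` with `same_domain` false, which matches the log's own ACTION text about running MQ with the authority of a domain user.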