I'm not a Windows domain admin, so I can't diagnose why the account doesn't show up.
Create a group called 'domain mqm' on the domain. (This can have a different name, but it works better if it is called 'domain mqm').
Create a user (whatever name you want) on the domain for the MQ server (let's call it mqservice). Make it a member of 'domain mqm', and give it the rights as specified in the manual. Make sure you know the password to the mqservice account.
As a domain user, run the Prepare IBM MQ Wizard. Configure the MQ service to use the domain account mqservice (which is why you need to know the password).
If you get an error on the wizard, use the Services plugin in Windows to edit the IBM MQ (Installation x) service definition and set the mqservice account and password in the Log On tab. Then run the Wizard again, and it should work this time. Stop and restart the service.
The 'domain mqm' group should be added to the local mqm group, but if you've given it a different name, this won't work, so check that the domain level group for mq is in the local mqm group, and add it if it is missing.
You may need to restart your machine for everything to work properly because of how group memberships are discovered, so if things don't work immediately, try rebooting before giving up.
If your machine can't see the domain properly though (as is perhaps indicated by the unexpected response to the net user command) you need to resolve that issue first.
Original Message:
Sent: Tue June 08, 2021 04:38 AM
From: Brajendra Kumar
Subject: AMQ8101S: IBM MQ error (80F) has occurred MQ
Hi Neil,
Thank you very much for your kind help. I have followed method one and created one Domain and made member of users. As per my understanding of the error log:
MQ is making a call to the Operating System to get the groups that the hjuser is a member of but never receives a response from the function call. If groups cannot be obtained then MQ will not be able to work properly. The only reason that queue manager PWADC9JMPLB01_QM was running before was because the MQ user configured in the IBM MQ service was the local MUSR_MQADMIN account.
17:01:59.512586 13352.1 CONN:000002 Specified entity name is not a group
17:01:59.512617 13352.1 CONN:000002 --------------{ zfu_as_UserGetGroups
17:01:59.512627 13352.1 CONN:000002 wszQualifiedName -> bdx\hjuser
17:02:11.649512 13352.1 CONN:000002 !! - Using local groups only
17:02:11.649541 13352.1 CONN:000002 --------------} zfu_as_UserGetGroups (rc=OK)
17:02:11.649548 13352.1 CONN:000002 !! - Server busy/resource related error
17:02:11.649553 13352.1 CONN:000002 --------------{ xcsSleep
17:02:12.664645 13352.1 CONN:000002 --------------} xcsSleep (rc=OK)
17:02:12.664673 13352.1 CONN:000002 --------------{ zfu_as_UserGetGroups
17:02:12.664686 13352.1 CONN:000002 wszQualifiedName -> bdx\hjuser
17:02:25.433010 13352.1 CONN:000002 !! - Using local groups only
17:02:25.433036 13352.1 CONN:000002 --------------} zfu_as_UserGetGroups (rc=OK)
17:02:25.433042 13352.1 CONN:000002 !! - Server busy/resource related error
17:02:36.729353 13352.1 CONN:000002 -------------}! zfu_as_GetGroupSidList (rc=krcE_UNEXPECTED_ERROR)
17:02:36.729360 13352.1 CONN:000002 ------------}! zfu_as_CalculateAuthority (rc=krcE_UNEXPECTED_ERROR)
17:02:36.729367 13352.1 CONN:000002 -----------}! zfu_as_CheckObjectAuthority (rc=MQRC_SERVICE_ERROR)
17:02:36.729377 13352.1 CONN:000002 -----------{ zapInquireStatus
17:02:36.729382 13352.1 CONN:000002 -----------} zapInquireStatus (rc=OK)
17:02:36.729388 13352.1 CONN:000002 -----------{ zfp_ss_unlock_service
17:02:36.729393 13352.1 CONN:000002 -----------} zfp_ss_unlock_service (rc=OK)
17:02:36.729398 13352.1 CONN:000002 ----------}! gpiCheckObjectAuthority (rc=lrcE_SECURITY_ERROR)
17:02:36.729408 13352.1 CONN:000002 ---------}! kqiAuthorityChecks (rc=lrcE_SECURITY_ERROR)
17:02:36.729423 13352.1 CONN:000002 !! - Returning an error to the AI Layer: CompCode 2 Reason 80f (rc 545261583)MQRC_SECURITY_ERROR
C:\Users\HjUser>NET USER HjUser /domain
The request will be processed at a domain controller for domain
na.ad.crbard.com.
The user name could not be found.
More help is available by typing NET HELPMSG 2221.
C:\Users\HjUser>net user MUSR_MQADMIN
User name MUSR_MQADMIN
Full Name MUSR_MQADMIN
Comment IBM MQ Administrator
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 1/25/2021 5:21:24 AM
Password expires Never
Password changeable 1/26/2021 5:21:24 AM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon 6/7/2021 7:08:59 AM
Logon hours allowed All
Local Group Memberships *Administrators *mqm
Global Group memberships *None
The command completed successfully.
Please suggest what I have to do further so I can resolve my problem.
Thanks and regards
Brajendra
------------------------------
Brajendra Kumar
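An added example, not part of the original thread: a small Python parser for the trace format quoted in the message above. It pairs each zfu_as_UserGetGroups entry and exit, reports how long the group lookup took and whether it fell back to local groups, and lists the calls that exited with `}!`. The name `analyze` and the 5-second `slow_after` threshold are assumptions of this example.

```python
import re
from datetime import datetime

# Lines copied from the trace quoted in the message above (a subset).
SAMPLE_TRACE = r"""
17:01:59.512617 13352.1 CONN:000002 --------------{ zfu_as_UserGetGroups
17:01:59.512627 13352.1 CONN:000002 wszQualifiedName -> bdx\hjuser
17:02:11.649512 13352.1 CONN:000002 !! - Using local groups only
17:02:11.649541 13352.1 CONN:000002 --------------} zfu_as_UserGetGroups (rc=OK)
17:02:36.729353 13352.1 CONN:000002 -------------}! zfu_as_GetGroupSidList (rc=krcE_UNEXPECTED_ERROR)
17:02:36.729367 13352.1 CONN:000002 -----------}! zfu_as_CheckObjectAuthority (rc=MQRC_SERVICE_ERROR)
17:02:36.729398 13352.1 CONN:000002 ----------}! gpiCheckObjectAuthority (rc=lrcE_SECURITY_ERROR)
"""

LINE = re.compile(r"^(\d\d:\d\d:\d\d\.\d{6}) (\d+\.\d+) (\S+) (.*)$")
CALL = re.compile(r"^-+([{}])(!?) (\w+)(?: \(rc=(\w+)\))?")
LOOKUP = "zfu_as_UserGetGroups"

def analyze(trace, slow_after=5.0):
    """Return (lookups, failures). slow_after (seconds) is this example's assumption."""
    started, user, local_only = {}, {}, set()
    lookups, failures = [], []
    for raw in trace.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank or unrecognised line
        ts = datetime.strptime(m[1], "%H:%M:%S.%f")
        thread, text = (m[2], m[3]), m[4]  # key state by (pid.tid, connection)
        call = CALL.match(text)
        if call:
            kind, failed, func, rc = call.groups()
            if func == LOOKUP and kind == "{":
                started[thread] = ts
                user.pop(thread, None)
                local_only.discard(thread)
            elif func == LOOKUP and thread in started:
                secs = (ts - started.pop(thread)).total_seconds()
                secs += 86400 if secs < 0 else 0  # trace has no date: handle midnight wrap
                lookups.append({"user": user.get(thread), "seconds": round(secs, 3),
                                "local_only": thread in local_only, "slow": secs >= slow_after})
            if failed:  # in the quoted trace, "}!" exits carry a non-OK rc
                failures.append((func, rc))
        elif text.startswith("wszQualifiedName -> "):
            user[thread] = text.split("-> ", 1)[1]
        elif "Using local groups only" in text:
            local_only.add(thread)
    return lookups, failures

if __name__ == "__main__":
    lookups, failures = analyze(SAMPLE_TRACE)
    for entry in lookups:
        print(entry)
    for func, rc in failures:
        print(f"{func} returned {rc}")
```

On the quoted lines this reports a 12.137-second lookup for bdx\hjuser that ended on local groups only, followed by the three failing exits up to lrcE_SECURITY_ERROR.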
Original Message:
Sent: Fri June 04, 2021 03:58 AM
From: Neil Casey
Subject: AMQ8101S: IBM MQ error (80F) has occurred MQ
Hello Brajendra
I have seen this sort of error many times on Windows when MQ is set up to run with a local SYSTEM account (or with MUSR_MQADMIN) on a Windows domain.
That configuration isn't really supported, because of the way that Windows domain security works.
When the queue manager tries to find out information about the user, the user is a domain user, so it has to send the request to the domain. But the user running the queue manager service ISN'T a domain user, and so doesn't have the permissions needed to query the domain for that information.
So even though your domain account is a member of the local mqm group, MQ can't work that out because it can't properly determine whether your domain account is valid.
There are two approaches you can take to resolve this issue. Method 1 is the proper way, and will work well and keep working well.
Method 2 is a workaround that will continue to lead to pain (although will still work).
1. Follow the instructions in the manual to create a new special domain account for the mqm service to use. Also create a domain mqm group, and make the special service account a member of domain mqm. Run the MQ setup wizard and specify that MQ is running in a domain, and provide the name and password of the special mqm service account. This is documented in https://www.ibm.com/docs/en/ibm-mq/9.2?topic=mq-creating-setting-up-windows-domain-accounts and https://www.ibm.com/docs/en/ibm-mq/9.2?topic=mq-configuring-prepare-wizard
2. Keep using the local SYSTEM account for the MQ service. Create a local account for yourself on the Windows system (not a domain account) and make it a member of the mqm group on the server. When you want to run MQ, start the process by right-clicking on the icon and selecting run as ... . Provide the local account userid and password so that the MQ Explorer, CMD.EXE or whatever runs as the local account instead of your domain account. Things accessing MQ should now work. Note: Any application program using server bindings will also need to run with a local account, not a domain account. You can see why this can get painful, and is not as good a solution as option 1.
I have seen (and used) option 2 at sites where domain admins would not create the needed groups and accounts, but we needed to run local queue managers for development. For production workloads on Windows, make sure that you get proper domain groups and users built and use those.
Regards,
------------------------------
Neil Casey
Senior Consultant
Syntegrity Solutions
IBM Champion (Cloud) 2019-21
Original Message:
Sent: Thu June 03, 2021 03:35 PM
From: Brajendra Kumar
Subject: AMQ8101S: IBM MQ error (80F) has occurred MQ
I'm having issues running MQ admin commands with a domain user, MQ Service is running under Local System and the domain user is a member of the groups, "Administrators" and "mqm". Appreciate if anyone can help.
I've installed MQ V9.2.1.0 and I was able to create a queue manager, start, stop and use the runmqsc command. Today I am creating a queue manager. I am not able to create it and got the below error:
AMQ8101S: IBM MQ error (80F) has occurred MQ.
6/3/2021 13:11:03 - Process(13648.1) User(HJUser) Program(CRTMQM.EXE) --today log -- old log is bottom of the page
Host(PWADC9JMPLB01) Installation(Installation1)
VRMF(9.2.1.0)
Time(2021-06-03T17:11:03.404Z)
ArithInsert1(13648)
CommentInsert1(Testpoc)
AMQ6184W: An internal IBM MQ error has occurred on queue manager Testpoc.
/3/2021 07:33:09 - Process(19040.1) User(HJUser) Program(crtmqm.exe)
Host(PWADC9JMPLB01) Installation(Installation1)
VRMF(9.2.1.0)
Time(2021-06-03T11:33:09.164Z)
ArithInsert1(545261583)
CommentInsert1(The local or domain user this IBM MQ command is running under is not authorized, if running as domain user then please ensure this user has all appropriate privileges on domain controller such as query group membership)
AMQ6125E: An internal IBM MQ error has occurred.
EXPLANATION:
An internal error has occurred with identifier 2080080F. This message is
issued in association with other messages
Old log :
4/29/2021 11:17:09 - Process(6024.1) User(HJUser) Program(CRTMQM.EXE)
Host(PWADC9JMPLB01) Installation(Installation1)
VRMF(9.2.1.0)
Time(2021-04-29T15:17:09.586Z)
CommentInsert3(TEST)
AMQ8001I: IBM MQ queue manager created.
EXPLANATION:
IBM MQ queue manager TEST created.
ACTION:
None.
Please advise me what I have to do to resolve the issue.
------------------------------
Brajendra Kumar
------------------------------