MQ

Expand all | Collapse all

Authorizing access to Domain Groups on Windows MQ Server objects

  • 1.  Authorizing access to Domain Groups on Windows MQ Server objects

    Posted Wed October 21, 2020 11:13 AM
    Dear MQ community users, 

    I would appreciate if you could advise on the correct domain group name format in order to grant the proper access to  MQ objects.
    I have a Windows DEV MQ  Server v9.1.5 (host name : V000080117) joined domain NBGIT.
    I need to grant numerous developers that they belong to AD domain groups (such as: NBGIT\Domain Users, NBGIT\Domain Computers) but not on mqm group -since they should not have MQ Admin rights-
    with specific MQ authorities.
    Using IBM MQ explorer, i am capable to grant access to individual domain users IDs(principals) on that MQ Server objects (Queue Manager, Queues, Chasnels), for instance : exxxxx@NBGIT  or fullname@NBGIT,  BUT
    I am not capable of adding domain group in the object access list. 

    For example, I am able to add the mqm group in the (QM) access list -> mqm@V000080117 and
    Users@BUILTIN
    where "Users" is local group on that Windows 2019 Server including NBGIT\Domain Users & NBGIT\Domain Computers. 

    But when trying to add Domain Users@NBGIT in the (QM) access list, I am receiving the error msg: AMQ4808: Unknown Group 'Domain Users@NBGIT'.
    But the domain group name is valid since it exists on Active Driectory..
    In the MQ server error log it appears the AMQ8075W: Authorization failed because the SID for entity 'domain_users@nbgit' cannot be obtained.

    I have read that the correct Group name format is the following:
    GroupName@domain domain_name\group_name
    So, I am very skeptical about  what might be wrong..

    I have read also in IBM MQ 9.2 KnowledgeCenter that "For IBM MQ authorizations, names of user IDs and groups must be no longer than 64 characters (spaces are not allowed)."
    Do you think that spaces in Domain Group names might be the root cause?

    Any advise will be much appreciated.
    Cheers Nick.




    ------------------------------
    NICK DAKORONIAS
    ------------------------------


  • 2.  RE: Authorizing access to Domain Groups on Windows MQ Server objects

    Posted Thu October 22, 2020 12:09 AM

    If Knowledge Center says that spaces are not allowed, then I would imagine that spaces are not allowed.

    Have you tried with a group name that doesn't contain spaces to see what happens in that case?

    Cheers,
    Morag



    ------------------------------
    Morag Hughson
    MQ Technical Education Specialist
    MQGem Software Limited
    Website: https://www.mqgem.com
    ------------------------------



  • 3.  RE: Authorizing access to Domain Groups on Windows MQ Server objects

    Posted Thu October 22, 2020 03:46 AM
    Hi Morag,

    At first, thanks for your response.
    The problem was resolved by updating the qm.ini with security stanza setting -> GroupModel=GlobalGroups, so that OAM checks global groups membership.

    Cheers Nick.

    ------------------------------
    NICK DAKORONIAS
    ------------------------------



  • 4.  RE: Authorizing access to Domain Groups on Windows MQ Server objects

    Posted Thu October 22, 2020 08:16 AM
    Edited by FJ Brandelik Thu October 22, 2020 08:29 AM
    The space cannot be the problem i.e. using "domain mqm" would never work if the space wasn't allowed.
    What I suspect is that the service user doesn't have the required domain authorizations:  read on group membership and group membership SAM... Also make sure you checked the windows specific security stanzas

    ------------------------------
    FJ

    ------------------------------



  • 5.  RE: Authorizing access to Domain Groups on Windows MQ Server objects

    Posted Thu October 22, 2020 09:22 AM
    That's not the case. The MQ Service account has been checked  from the beginning  of our investigation and it was verified that both permissions:
    Read group membership & ReadgroupMembeshipSAM- as per IBM KC article https://www.ibm.com/support/knowledgecenter/SSFKSJ_9.1.0/com.ibm.mq.ins.doc/q008840_.htm  - are already checked.

    Regarding the  spaces in domain spaces it is clealry stated  in the following IBM KC article:
    https://www.ibm.com/support/knowledgecenter/SSFKSJ_9.1.0/com.ibm.mq.ins.doc/q008410_.htm
    For IBM MQ authorizations, names of user IDs and groups must be no longer than 64 characters (spaces are not allowed).

    Besides this,  it is a global (worldwide) practice  NOT to use spaces in AD group names, but instead  (-) or (_)  when needed not only for MQ but for other apps as well. 



    ------------------------------
    NICK DAKORONIAS
    ------------------------------



  • 6.  RE: Authorizing access to Domain Groups on Windows MQ Server objects

    Posted Fri October 23, 2020 01:29 AM
    To be very specific about the link you provided.

    It says nothing about not allowing spaces in the group name, as evidenced also in the recommended set up with group "domain mqm".

    It does specify however that spaces are not allowed in the hostname, and if you happen to have any in your hostname you would not be able to create a queue manager.

    ------------------------------
    FJ
    ------------------------------



  • 7.  RE: Authorizing access to Domain Groups on Windows MQ Server objects

    Posted Fri October 23, 2020 04:59 AM
    MQ dislikes spaces. That's why spaces are not allowed on machine (host) names.
    The same applies to object naming rules ( "Leading or embedded blanks are not allowed.") .
    The same applies to principals (usersIDs) & groups names.
    That's why  MQ installer creates a local user account for the service called MUSR_MQADMIN  (Not a typo -> no spaces)
    with the required settings and permissions, including 
    Logon as a service.
    https://www.ibm.com/support/knowledgecenter/SSFKSJ_9.1.0/com.ibm.mq.sec.doc/q132660_.htm


    This is the reason  that in "Principals and groups on UNIX, Linux, and Windows" article , posted at https://www.ibm.com/support/knowledgecenter/en/SSFKSJ_9.1.0/com.ibm.mq.sec.doc/q014100_.htm 
    section about Windows ACL , the  Domain group name is depicted  with "_" instead of space. (Not a typo -> no spaces but instead underscore):
    GroupName@domain domain_name\group_name

    Furthermore, the statement i have extracted from the IBM KC URL about security/naming considerations is explicit.
    It doesn't refer on computer name or host name, but instead it refers on MQ user/group names authorization limitations.
    "For IBM MQ authorizations, names of user IDs and groups must be no longer than 64 characters (spaces are not allowed)."

    Regarding the "Domain mqm", this is a special case, since it must be member of local "mqm" group (named without spaces)
    to be leveraged  by OAM (Object Authorization Manager) for both user & group  based authorization at Queue Manager level.

    At last, as I have stated in my previous response, the  MQ service account DOES HAVE the required group permissions for 
    querying group memberships from AD (read on group membership and group membership SAM) so that could NOT be the root cause..

    The only missing part was the security stanza setting -> GroupModel=GlobalGroups in qm.ini file, so that OAM can support Global (security groups).
    https://www.ibm.com/support/knowledgecenter/SSFKSJ_9.1.0/com.ibm.mq.con.doc/q018900_.htm
     




    ------------------------------
    NICK DAKORONIAS
    ------------------------------