[Windows]

Windows security identifiers (SIDs)

IBM® MQ on Windows uses the SID where it is available. If a Windows SID is not supplied with an authorization request, IBM MQ identifies the user based on the user name alone, but this might result in the wrong authority being granted.

On Windows systems, the security identifier (SID) is used to supplement the user ID. The SID identifies the account uniquely, and from it IBM MQ can recover the full user account details from the Windows security account manager (SAM) database in which the user is defined. When a message is created on IBM MQ for Windows, IBM MQ stores the SID in the message descriptor (in the AccountingToken field of the MQMD). When IBM MQ on Windows performs authorization checks, it uses the SID to query the full account information from the SAM database. (The SAM database in which the user is defined must be accessible at the time of the check for this query to succeed; if it is not, the lookup fails rather than silently matching another account with the same name.)

By default, if a Windows SID is not supplied with an authorization request, IBM MQ identifies the user based on the user name alone. It does this by searching the security databases in the following order:
  1. The local security database
  2. The security database of the primary domain
  3. The security database of trusted domains
If the user name is not unique across those databases, the first match found is used, and the IBM MQ authority intended for a different account of the same name might be granted. To prevent this problem, include an SID in each authorization request; IBM MQ then uses the SID, not the name, to establish the user's credentials.

To specify that all authorization requests must include an SID, use regedit. Set the SecurityPolicy value to NTSIDsRequired. With this setting in place, a request that carries only a user name is not resolved by the name-based search described above.
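The following PowerShell is an added example and is not part of the IBM MQ documentation or product. It shows, with the .NET identity classes, why a bare user name is resolved by search order while a SID pins down exactly one account, and it checks a SecurityPolicy registry value. The registry key path is supplied by the caller and is an assumption; the domain name CORP and the account name alice are likewise constructed placeholders.

```powershell
# Added example, not IBM MQ code. The registry key path, the CORP domain and
# the 'alice' account are assumptions; substitute the values for your own
# queue manager and directory.
using namespace System.Security.Principal

function Resolve-AccountSid {
    param([Parameter(Mandatory)][string]$Name)
    # NTAccount -> SecurityIdentifier performs the same kind of name-based
    # lookup that IBM MQ falls back to when no SID is supplied: the local SAM
    # first, then the primary domain, then trusted domains.
    $acct = [NTAccount]::new($Name)
    try {
        $sid = $acct.Translate([SecurityIdentifier])
    } catch [IdentityNotMappedException] {
        return $null   # no account of that name in any reachable database
    }
    # Translating the SID back yields the fully qualified AUTHORITY\name,
    # which tells you which security database actually answered.
    $qualified = $sid.Translate([NTAccount]).Value
    [pscustomobject]@{ Requested = $Name; Sid = $sid.Value; ResolvedAs = $qualified }
}

function Test-MqSidPolicy {
    param(
        # Assumed path: pass the Security key of your own queue manager.
        [Parameter(Mandatory)][string]$SecurityKeyPath
    )
    $current = (Get-ItemProperty -Path $SecurityKeyPath -ErrorAction SilentlyContinue).SecurityPolicy
    if ($current -eq 'NTSIDsRequired') { return $true }
    Write-Warning "SecurityPolicy is '$current'; requests without a SID are resolved by user name alone"
    return $false
}

function Set-MqSidPolicy {
    param([Parameter(Mandatory)][string]$SecurityKeyPath)
    # Corrected setting: require a SID on every authorization request.
    Set-ItemProperty -Path $SecurityKeyPath -Name SecurityPolicy -Value 'NTSIDsRequired' -Type String
}

# A bare name is resolved by search order: on a workstation with a local
# 'alice' this returns the local account, on a domain-only host the domain one.
Resolve-AccountSid -Name 'alice'
# Qualifying the name removes the ambiguity; the SIDs of the two results differ
# even though the user name is the same.
Resolve-AccountSid -Name "$env:COMPUTERNAME\alice"
Resolve-AccountSid -Name 'CORP\alice'

# Assumed registry path; replace with the Security key of your queue manager.
$qmSecurityKey = 'HKLM:\SOFTWARE\IBM\<path-to-your-queue-manager>\Security'
if (-not (Test-MqSidPolicy -SecurityKeyPath $qmSecurityKey)) {
    Set-MqSidPolicy -SecurityKeyPath $qmSecurityKey
}
```

Run Resolve-AccountSid on a host that has both a local and a domain account with the same name to see the two distinct SIDs that a name-only lookup would collapse into one. Test-MqSidPolicy reads the value under whatever key you pass it; it does not locate the queue manager's key for you.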