WebSphere MQ domain user security
tamekawoody
WebSphere MQ running on a Windows platform can participate in a domain. When it does, domain users may need to access WebSphere MQ objects (queue managers, queues, channels, etc.), and domain user accounts may be used to manage those objects. If so, WebSphere MQ should be configured to allow domain account access.
Allowing domain account authority is necessary because of the security restrictions imposed. If WebSphere MQ is configured in DCOM to use the default user MUSR_MQADMIN or a local user account, that ID does not have the authority to query the group membership of a domain account. To verify a domain account's authority, the user ID performing the check must have Read Group Membership and/or Read Group MembershipSAM.
If you do not have the proper domain account configuration, you could see the following errors when attempting to access/administer WebSphere MQ:
There are systems that never encounter the error. However, once you see the error, the only resolution is to configure WebSphere MQ accordingly. Please see the links below for additional information on configuring domain accounts: