AMQ8074W: Authorization failed as SID doesn't match entity
dakoroni
Posted: Wed Jan 27, 2021 7:57 am    Post subject: AMQ8074W: Authorization failed as SID doesn't match entity

Acolyte

Joined: 10 Jan 2020
Posts: 50

Hello MQ Security Users,

Any advice on the following will be much appreciated:

When I am trying to connect to the remote Queue Manager (QM: MQNBGQA) in AD Domain Central from a Windows client using the IBM MQ Explorer tool, with Domain userID e63254@CENTRAL or userID e63254@BANK (Central and Bank are trusted domains), the following error msg prompts on MQ Explorer:
---
Access not permitted. You are not authorized to perform this operation. (AMQ4036)
Severity: 10 (Warning)
Explanation: The queue manager security mechanism has indicated that the userid associated with this request is not authorized to access the object.
---
Looking into the target MQ Server error log, the  following exceptions are listed:
---
27/1/2021 17:17:14 - Process(6876.2) User(MQNBGQA) Program(amqzlaa0.exe)
Host(V000010255) Installation(MQNBGQA)
VRMF(9.1.5.0) QMgr(MQNBGQA)
Time(2021-01-27T15:17:14.486Z)
RemoteHost(10.1.100.155)
CommentInsert1(S-1-5-21-816530017-2240465312-872180193-23427)
CommentInsert2(e63254@centr)

AMQ8074W: Authorization failed as the SID
'S-1-5-21-816530017-2240465312-872180193-23427' does not match the entity 'e63254@centr'.

EXPLANATION:
The Object Authority Manager received inconsistent data - the supplied SID does not match that of the supplied entity information.
ACTION:
Ensure that the application is supplying valid entity and SID information.
------
27/1/2021 17:16:42 - Process(6876.27) User(MQNBGQA) Program(amqzlaa0.exe)
Host(V000010255) Installation(MQNBGQA)
VRMF(9.1.5.0) QMgr(MQNBGQA)
Time(2021-01-27T15:16:42.103Z)
RemoteHost(10.1.100.155)
CommentInsert1(S-1-5-21-783752929-4063248335-57074302-1354159)
CommentInsert2(e63254@bank)

AMQ8074W: Authorization failed as the SID
'S-1-5-21-783752929-4063248335-57074302-1354159' does not match the entity 'e63254@bank'.

EXPLANATION:
The Object Authority Manager received inconsistent data - the supplied SID does not match that of the supplied entity information.
ACTION:
Ensure that the application is supplying valid entity and SID information.
----
Both principals (Domain UIDs) are included in the QM access list with proper authorizations and were used to access QM objects without any issues before (previous days).
FYI, there are also channel rules enabled for the principals.
(i.e. SYSTEM.ADMIN.SVRCONN -> ADDRESS MAP FOR E63254@CENTRAL
SYSTEM.AUTO.SVRCONN -> ADDRESS MAP FOR E63254@CENTRAL)

Btw, where does this SID entry "e63254@centr" come from?
It seems to me that there might be an SID corruption in OAM..
If this is the case, how can the SID be fixed and recovered?
What might be the problem? Any workarounds?

Thanks in advance for your time and support,
Cheers Nick. 
gbaddeley
Posted: Wed Jan 27, 2021 3:41 pm    Post subject: Re: AMQ8074W: Authorization failed as SID doesn't match entity

Jedi

Joined: 25 Mar 2003
Posts: 2492
Location: Melbourne, Australia

I suspect that the insert value e63254@centr is being truncated to 12 characters for display.
MQ stores SIDs in OAM, it does not store the actual Windows principal user.
Was the user recreated in AD at some stage, and its SID changed?

Refer to https://www.ibm.com/support/knowledgecenter/SSFKSJ_8.0.0/com.ibm.mq.sec.doc/q013550_.htm
On Windows, from IBM MQ Version 8.0, you can delete the OAM entries corresponding to a particular Windows user account at any time using the -u SID parameter of setmqaut.
_________________
Glenn
dakoroni
Posted: Fri Jan 29, 2021 8:02 am    Post subject: AMQ8074W: Authorization failed as SID doesn't match entity

Acolyte

Joined: 10 Jan 2020
Posts: 50

Thanks for your tip.

I have executed the following commands (cmd prompt) on QM: MQNBGQA to verify my SID:
D:\>whoami
central\e63254

D:\>whoami /user
USER INFORMATION
----------------
User Name SID
============== =============================================
central\e63254 S-1-5-21-816530017-2240465312-872180193-23427

Also ran setmqaut -u SID to remove the "problematic" SID from the OAM entries:
D:\>setmqaut -m MQNBGQA -t qmgr -u S-1-5-21-816530017-2240465312-872180193-23427 -remove

Then restarted the QM and added the e63254@central user again (since it had been removed), but the problem still remains.

FYI, I am capable of accessing other Queue Managers in the CENTRAL domain from the same MQ client, as well as a test Queue Manager on the same machine, which makes me suspicious about the specific Queue Manager's corruption.

I am afraid that I have to delete & restore (via runmqsc) QM: MQNBGQA using the "last known good" mqsc backup (taken via dmpmqcfg).

If there is any other option you can think of, please let me know.

Cheers Nick.
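Added example, not code from the thread, from IBM MQ or from either poster: a small Python script that does the two checks discussed above in one pass. It parses AMQ8074W entries from an AMQERR-style log, parses `whoami /user` output, and, because (as Glenn notes) OAM stores SIDs rather than principal names, matches the two on SID. It then flags whether the logged entity string is exactly 12 characters long (Glenn's display-truncation suspicion; the limit is assumed from the thread, not taken from IBM documentation) and whether it is a prefix of the `user@domain` form of the matching account. The log and whoami samples are constructed from the values quoted in the posts (EXPLANATION/ACTION text omitted), and the `user@domain` normalisation is an assumption about how the entity is logged.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the two AMQ8074W entries quoted in the thread, in the layout
# IBM MQ writes to AMQERR01.LOG on Windows (EXPLANATION/ACTION text omitted).
SAMPLE_LOG = """\
27/1/2021 17:17:14 - Process(6876.2) User(MQNBGQA) Program(amqzlaa0.exe)
Host(V000010255) Installation(MQNBGQA)
VRMF(9.1.5.0) QMgr(MQNBGQA)
Time(2021-01-27T15:17:14.486Z)
RemoteHost(10.1.100.155)
CommentInsert1(S-1-5-21-816530017-2240465312-872180193-23427)
CommentInsert2(e63254@centr)

AMQ8074W: Authorization failed as the SID
'S-1-5-21-816530017-2240465312-872180193-23427' does not match the entity 'e63254@centr'.
------
27/1/2021 17:16:42 - Process(6876.27) User(MQNBGQA) Program(amqzlaa0.exe)
Host(V000010255) Installation(MQNBGQA)
VRMF(9.1.5.0) QMgr(MQNBGQA)
Time(2021-01-27T15:16:42.103Z)
RemoteHost(10.1.100.155)
CommentInsert1(S-1-5-21-783752929-4063248335-57074302-1354159)
CommentInsert2(e63254@bank)

AMQ8074W: Authorization failed as the SID
'S-1-5-21-783752929-4063248335-57074302-1354159' does not match the entity 'e63254@bank'.
----
"""
# Constructed sample: `whoami /user` output as quoted in the thread.
SAMPLE_WHOAMI = """\
User Name      SID
============== =============================================
central\\e63254 S-1-5-21-816530017-2240465312-872180193-23427
"""
ENTRY_SEPARATOR = re.compile(r"^-{3,}\s*$", re.MULTILINE)  # "------" between entries
FIELD_RE = re.compile(r"(\w+)\(([^)]*)\)")                   # Key(value) header fields
MSGID_RE = re.compile(r"^(AMQ\d{4}[A-Z]?):", re.MULTILINE)   # e.g. AMQ8074W:
WHOAMI_ROW_RE = re.compile(r"^(\S+)\s+(S-1-[0-9-]+)\s*$", re.MULTILINE)
# Glenn's suspicion in the thread: the logged entity is cut to 12 characters for
# display ("e63254@centr" for e63254@central). Assumed limit, taken from the thread.
DISPLAY_TRUNCATION_LEN = 12

@dataclass
class LogEntry:
    message_id: Optional[str]
    fields: Dict[str, str]

@dataclass
class Finding:
    timestamp: str
    sid: str
    entity: str
    known_account: Optional[str]    # whoami account that owns the SID, if any
    entity_truncated: bool          # entity is exactly the display limit long
    entity_prefix_of_account: bool  # entity is a prefix of user@domain for that account

def parse_amqerr(text: str) -> List[LogEntry]:
    """Split an AMQERR log into entries; collect Key(value) fields and the message id."""
    entries = []
    for block in ENTRY_SEPARATOR.split(text):
        if block.strip():
            m = MSGID_RE.search(block)
            entries.append(LogEntry(m.group(1) if m else None, dict(FIELD_RE.findall(block))))
    return entries

def parse_whoami_user(text: str) -> Dict[str, str]:
    """Map 'DOMAIN\\user' -> SID from `whoami /user` output."""
    return dict(WHOAMI_ROW_RE.findall(text))

def expected_entity(account: str) -> str:
    """'central\\e63254' -> 'e63254@central', the form assumed for CommentInsert2."""
    domain, _, user = account.partition("\\")
    return f"{user}@{domain}".lower() if user else account.lower()

def analyse(log_text: str, whoami_text: str) -> List[Finding]:
    """Match on SID, since OAM stores SIDs rather than Windows principal names."""
    sid_to_account = {sid: name for name, sid in parse_whoami_user(whoami_text).items()}
    findings = []
    for e in parse_amqerr(log_text):
        sid, entity = e.fields.get("CommentInsert1"), e.fields.get("CommentInsert2")
        if e.message_id != "AMQ8074W" or not sid or not entity:
            continue
        account = sid_to_account.get(sid)
        exp = expected_entity(account) if account else None
        findings.append(Finding(
            timestamp=e.fields.get("Time", "?"), sid=sid, entity=entity,
            known_account=account,
            entity_truncated=len(entity) == DISPLAY_TRUNCATION_LEN,
            entity_prefix_of_account=bool(exp and exp.startswith(entity.lower())),
        ))
    return findings

if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG, SAMPLE_WHOAMI):
        owner = f.known_account or "no account in whoami output"
        print(f"{f.timestamp} {f.entity!r} truncated={f.entity_truncated} "
              f"prefix_of_account={f.entity_prefix_of_account} sid_owner={owner}")
```

On the constructed input the CENTRAL entry resolves to the account from `whoami /user`, with an entity that is both 12 characters long and a prefix of `e63254@central`, which is consistent with a display truncation rather than a changed SID; the BANK entry's SID is not in the whoami output, so the script only reports it as unresolved. Feeding it a real AMQERR01.LOG and the whoami output of each affected account separates "SID no longer matches the account" from "entity string merely truncated" before opening a PMR.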
gbaddeley
Posted: Sun Jan 31, 2021 2:20 pm

Jedi

Joined: 25 Mar 2003
Posts: 2492
Location: Melbourne, Australia

I suggest raising a service request with IBM.

MQ trace may also show what MQ was doing in the lead up to the error.
_________________
Glenn
dakoroni
Posted: Mon Feb 01, 2021 2:34 am    Post subject: AMQ8074W: Authorization failed as SID doesn't match entity

Acolyte

Joined: 10 Jan 2020
Posts: 50

It seems to me also that further investigation should be done in the context of a PMR ticket.
Thanks for the tip.
kaseidu
Posted: Tue Mar 08, 2022 3:29 am

Newbie

Joined: 08 Mar 2022
Posts: 1

Hi.

I think this issue will match an existing new APAR, IT33223. The APAR is still open and not available on the web.

To confirm the APAR matches, the workaround is to connect without providing the domain name.

i.e. e63254@centr -> e63254