Need help regarding WCF web service with MQ interaction
I have created a simple WCF web service to write some messages into MQ (WebSphere MQ). It was hosted in an IIS 6.0 server. The service started successfully, but while writing the message into MQ it was throwing an exception with reason code 2063.
Is there any way to override the run-on user (in code) for the web service?
Thank you in advance.
The reason code 2063 0x0000080f MQRC_SECURITY_ERROR refers to something external to WMQ. For example, if configuration files are not accessible to the application, if the keystore password is incorrect or if the QMgr or application are unable to access domain resources.
When accessing WMQ using one of a Windows server's administrator accounts, the account resolves on the local host and there is no need for WMQ to query the domain. However, when accessing WMQ with a domain account, it is necessary for the QMgr to query the domain to get the groups that the account requesting a connection is a member of. For this reason, it is common for a running QMgr to appear healthy for administrators but to fail when accessed from a domain account.
One way to test if this is the issue is to make sure that the access resolves with a local account. In this example, I'll assume the QMgr is running as MUSR_MQADMIN - the default account for Windows. I'll also assume the server name is bigserver. The following test isolates the problem to either the QMgr or the application.
If it is not already doing so, make the application connect in client mode. Alter the client channel used by the application with MCAUSER('MUSR_MQADMIN@bigserver') (substitute your own service account and server name) and attempt to reconnect. If you get another 2063 then the error is in the client app configuration. If you get connected then the QMgr needs to be granted rights to query the domain. There is a whole section in the manual which explains to domain admins what exactly is required. If this is the problem, please point your domain admin here.
Please do NOT leave the channel set up like this. Anyone who can access it will be a WMQ administrator! Instead, once you get it working, place the application's service account in the MCAUSER field and use setmqaut to authorize it appropriately.
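The test and the cleanup described in the answer above, written out as an added example that is not part of the original post. The queue manager QM1, channel APP.SVRCONN, queue APP.REQUEST and service account svc_wcfapp are hypothetical names; MUSR_MQADMIN and bigserver are the answer's own assumptions.

```powershell
# Added example: run on the queue manager host as a WMQ administrator.
# QM1, APP.SVRCONN, APP.REQUEST and svc_wcfapp are hypothetical; substitute your own.
$qmgr    = 'QM1'
$channel = 'APP.SVRCONN'
$queue   = 'APP.REQUEST'
$svcUser = 'svc_wcfapp@bigserver'

# Step 1 (temporary diagnostic only): make the channel run as the QMgr's local account.
# While this is set, anyone who can reach the channel is a WMQ administrator.
"ALTER CHANNEL('$channel') CHLTYPE(SVRCONN) MCAUSER('MUSR_MQADMIN@bigserver')" |
    runmqsc $qmgr

# Reconnect the application now and record the result:
#   still 2063 -> the problem is in the client application's configuration
#   connected  -> the QMgr cannot query the domain for the caller's groups

# Step 2: remove the administrator identity from the channel again and
# pin it to the application's own service account.
"ALTER CHANNEL('$channel') CHLTYPE(SVRCONN) MCAUSER('$svcUser')" |
    runmqsc $qmgr

# Step 3: grant only what a message-writing service needs:
# connect to the queue manager, and put to its one queue.
setmqaut -m $qmgr -t qmgr -p $svcUser +connect +inq
setmqaut -m $qmgr -n $queue -t queue -p $svcUser +put +inq

# Step 4: verify the end state. The channel must no longer show MUSR_MQADMIN,
# and the service account must hold only the authorities granted above.
"DISPLAY CHANNEL('$channel') MCAUSER" | runmqsc $qmgr
dspmqaut -m $qmgr -t qmgr -p $svcUser
dspmqaut -m $qmgr -n $queue -t queue -p $svcUser
```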