Configure extra authority for Windows applications connecting to IBM MQ

The account under which IBM MQ processes run might need extra authorization before SYNCHRONIZE access to application processes can be granted.

We might experience problems if you have Windows applications, for example ASP pages, connecting to IBM MQ that are configured to run at a security level higher than usual.

IBM MQ requires SYNCHRONIZE access to application processes in order to coordinate certain actions. When a server application first attempts to connect to a queue manager IBM MQ modifies the process to grant SYNCHRONIZE authority for IBM MQ administrators. However, the account under which IBM MQ processes run might need additional authorization before the requested access can be granted.

To configure additional authority to the user ID under which IBM MQ processes are running, complete the following steps:

Procedure

1. Start the Local Security Policy tool, click Security Settings->Local Policies->User Right Assignments, the click Debug Programs.
2. Double-click Debug Programs, then add the IBM MQ user ID to the list

   If the system is in a Windows domain and the effective policy setting is still not set, even though the local policy setting is set, the user ID must be authorized in the same way at domain level, using the Domain Security Policy tool.

Parent topic: Special considerations for security on Windows