Hub3rt

Reputation: 113

IBM MQ v8 .NET authentication using Windows user rather than USER_ID_PROPERTY

No matter what I do, when I try to connect (to write to) an IBM WebSphere MQ v8, it always errors out (2035 unauthorized), as the MQQueueManager connection looks to be using the user the service of the application is running as (Windows x64 Server 2012) rather than the MQC.PASSWORD_PROPERTY that I have set up in the hash table.

The MQ is the same version as my libraries (v8) and has ADOPTCTX(YES) and we have performed REFRESH SECURITY TYPE(CONNAUTH). Setting up my hashtable as follows for properties:

    MQ_PROPERTIES = New Hashtable()
    MQ_PROPERTIES.Add(MQC.HOST_NAME_PROPERTY, MQ_HOSTNAME)
    MQ_PROPERTIES.Add(MQC.TRANSPORT_PROPERTY, MQC.TRANSPORT_MQSERIES_MANAGED)
    MQ_PROPERTIES.Add(MQC.PORT_PROPERTY, MQ_PORT)
    MQ_PROPERTIES.Add(MQC.CHANNEL_PROPERTY, MQ_CHANNEL_NAME)
    MQ_PROPERTIES.Add(MQC.USER_ID_PROPERTY, MQ_USERNAME)
    MQ_PROPERTIES.Add(MQC.PASSWORD_PROPERTY, MQ_PASSWORD)
    MQ_PROPERTIES.Add(MQC.USE_MQCSP_AUTHENTICATION_PROPERTY, True)

With starting it as:

    Using queueManager As New MQQueueManager(MQ_QUEUE_MANAGER, MQ_PROPERTIES)

Edit/Update:

{windows app user} = the account that the service of the app is running as.

dlls all v 8.0.0.4

Error in mq log (don't have direct access but as supplied):

    AMQ9557: Queue Manager User ID initialization failed for '{windows app user}'.

    EXPLANATION:

      Cause . . . . . :   The call to initialize the User ID '{windows app user}' failed
                          with CompCode 2 and Reason 2035.
      Recovery  . . . :   Correct the error and try again.

    ----- cmqxrsrv.c : 2356 -------------------------------------------------------
    ************End of Data********************

CONNAUTH was set to SYSTEM.DEFAULT.AUTHINFO.IDPWLDAP. Settings for both IDPWLDAP and IDPWOS were as follows:

      5 : dis AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWLDAP)       
 AMQ8566: Display authentication information details.          
    AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWLDAP)                 
    AUTHTYPE(IDPWLDAP)                      ADOPTCTX(YES)      
    DESCR( )                                CONNAME( )         
    CHCKCLNT(REQUIRED)                      CHCKLOCL(OPTIONAL) 
    CLASSUSR( )                             FAILDLAY(1)        
    BASEDNU( )                              LDAPUSER( )        
    LDAPPWD( )                              SHORTUSR( )        
    USRFIELD( )                             SECCOMM(NO)        
    ALTDATE(2017-10-20)                     ALTTIME(16.38.55)  

      2 : dis AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)
 AMQ8566: Display authentication information details.
    AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)
    AUTHTYPE(IDPWOS)                        ADOPTCTX(YES)
    DESCR( )                                CHCKCLNT(OPTIONAL)
    CHCKLOCL(OPTIONAL)                      FAILDLAY(1)
    ALTDATE(2017-10-23)                     ALTTIME(13.50.20)

Upvotes: 1

Views: 789

Answers (1)

JoshMc

Reputation: 10652

The AUTHINFO object that you are referencing has AUTHTYPE(IDPWLDAP), but you do not have any of the required fields like CONNAME, BASEDNU, etc. Double-check the queue manager's CONNAUTH setting to make sure you are viewing the right AUTHINFO object; you can do this with the command DIS QMGR CONNAUTH. Whatever value is displayed in the queue manager's CONNAUTH field is the name of the AUTHINFO object you should be viewing.

If you want to use AUTHTYPE(IDPWLDAP) you need to configure it to point to a LDAP server with the required values. If you want it to use Windows OS authentication, then you would use AUTHTYPE(IDPWOS).

Per an update from the OP (Hub3rt), the queue manager's CONNAUTH setting was incorrectly pointing to SYSTEM.DEFAULT.AUTHINFO.IDPWLDAP, and after updating the queue manager's CONNAUTH setting to point to SYSTEM.DEFAULT.AUTHINFO.IDPWOS with ADOPTCTX(YES), authentication was successful.

Upvotes: 1
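
As an added example (not part of the answer above and not IBM tooling), the check below parses pasted `DIS QMGR CONNAUTH` and `DIS AUTHINFO` output and flags the misconfiguration found in this thread: the active CONNAUTH object is IDPWLDAP with its LDAP fields empty. The queue manager name `QM1`, the function names and the `LDAP_REQUIRED` tuple (only the two fields the answer names) are assumptions.

```python
import re

# Fields the answer names as required for AUTHTYPE(IDPWLDAP).
# Assumption: extend this tuple to match your IBM MQ documentation.
LDAP_REQUIRED = ("CONNAME", "BASEDNU")

# Constructed sample: a DIS QMGR CONNAUTH line (QM1 is a made-up name)
# followed by part of the IDPWLDAP display quoted in the question.
SAMPLE = """\
QMNAME(QM1)  CONNAUTH(SYSTEM.DEFAULT.AUTHINFO.IDPWLDAP)
AMQ8566: Display authentication information details.
    AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWLDAP)
    AUTHTYPE(IDPWLDAP)                      ADOPTCTX(YES)
    DESCR( )                                CONNAME( )
    CHCKCLNT(REQUIRED)                      CHCKLOCL(OPTIONAL)
    BASEDNU( )                              LDAPUSER( )
"""

ATTR = re.compile(r"([A-Z]+)\(([^)]*)\)")  # matches KEYWORD(value) pairs


def parse_mqsc(text):
    """Return (queue manager CONNAUTH value, {AUTHINFO name: {attr: value}})."""
    connauth, objects, current = None, {}, None
    for key, value in ATTR.findall(text):
        value = value.strip()
        if key == "CONNAUTH":
            connauth = value
        elif key == "AUTHINFO":          # starts a new AUTHINFO display
            current = objects.setdefault(value, {})
        elif current is not None:        # attribute of the current object
            current[key] = value
    return connauth, objects


def audit(text):
    """List problems with the AUTHINFO object the queue manager actually uses."""
    connauth, objects = parse_mqsc(text)
    active = objects.get(connauth)
    if active is None:
        return [f"CONNAUTH({connauth}) has no matching AUTHINFO display"]
    findings = []
    if active.get("AUTHTYPE") == "IDPWLDAP":
        missing = [f for f in LDAP_REQUIRED if not active.get(f)]
        if missing:
            findings.append(f"{connauth}: AUTHTYPE(IDPWLDAP) but empty {', '.join(missing)}")
    if active.get("ADOPTCTX") != "YES":
        findings.append(f"{connauth}: ADOPTCTX is not YES, supplied user ID will not be adopted")
    return findings
```
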
