Authentication failures in IBM MQ mean the queue manager rejected who you claim to be before—or during—connection establishment. Operations teams hear "cannot connect to MQ" while developers insist the password works on LDAP for other systems. Separately, teams confuse authentication with reason 2035 authorization on MQPUT after a successful connect. This troubleshooting tutorial covers CONNAUTH and AUTHINFO, password and LDAP failures, certificate-based identity, CHLAUTH blocks that look like auth problems, reading AMQERR for authentication service errors, MCAUSER mapping after successful bind, and repeatable triage so you fix the right layer on the first attempt.
Authentication validates credentials or certificates. Authorization checks OAM (or RACF on z/OS) for +put, +get, +connect on objects. A user may authenticate as svc_pay but lack +put on PAYMENT.IN: that is 2035, not an authentication failure. A user with the wrong LDAP password never reaches the queue test: that is an authentication failure on CONNAUTH. Document both paths in runbooks so the helpdesk routes the ticket to the right team.
| Layer | Typical symptom | Check with |
|---|---|---|
| CONNAUTH / LDAP | Client cannot connect | AMQERR, AUTHINFO, LDAP logs |
| CHLAUTH | Channel RETRY, bind denied | DISPLAY CHLAUTH, AMQERR rule name |
| TLS | Handshake failure | SSL trace, LASTCHLERR |
| OAM | 2035 on MQPUT/MQGET | dspmqaut, DISPLAY AUTHREC |
DEFINE AUTHINFO(LDAP.AUTH) AUTHTYPE(IDPWLDAP), with CONNAME pointing at the LDAP host plus BASEDN and bind credentials, lets the queue manager validate passwords against the directory. A misconfigured BASEDN or wrong attribute names make binds fail for every user, not just one. IDPWOS uses the MQ-managed password store; it is simpler for a lab and rarely used alone in enterprise production. DISPLAY CONNAUTH shows which AUTHINFO applies and whether CHCKCLNT is REQDADM or OPTIONAL; requiring client authentication determines whether anonymous binds succeed. After an LDAP password change, MQ does not cache the old password indefinitely, so LDAP lockout policies matter for batch jobs that keep using stale passwords.
```
DISPLAY QMGR CONNAUTH
DISPLAY AUTHINFO(LDAP.AUTH) ALL
* Test LDAP from the OS with ldapsearch if permitted: verify the bind DN and password
* Client connect failure: grep AMQERR for authentication, CONNAUTH, LDAP
```
Channel authentication rules can REQUIRE or BLOCK address ranges, certificate DNs, or queue manager names. A partner who renews a certificate without the SSLPEER in CHLAUTH being updated fails the bind, and AMQERR names the rule that fired. ADDRESS rules for partners behind NAT see the concentrator's IP rather than the partner's; allow-listing the wrong address blocks legitimate partners. QMNAME rules block a remote queue manager with the wrong name in cluster or point-to-point setups. Fix the rule or the partner identity; do not disable CHLAUTH globally as a permanent solution.
Successful channel authentication may still map to MCAUSER('mqm') via CHLAUTH MAP rules, which is far too powerful for application traffic. Applications using SVRCONN may assert a user ID; CONNAUTH and ADOPTCTX settings determine whether that assertion is trusted. An authentication failure at the client points at CONNAUTH; a 2035 after connect usually means the MCAUSER lacks authority. Check with `dspmqaut -m <QM> -n <queue> -t queue -p <MCAUSER>` and confirm that put appears in the listed authorities.
Symptom: nightly job fails connect; AMQERR shows LDAP authentication failure. Fix password in vault, update job credential, verify AUTHINFO bind account not locked.
Symptom: connect works from admin ID but not service account. Compare CONNAUTH requirements; verify service account in LDAP and CHLAUTH if channel uses TLS client cert.
Symptom: RETRY loop, CHLAUTH SSLPEER mismatch. Update SSLPEER or SSLPEERMAP rule to new DN; not a password issue.
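The layer table and the three symptom lines above amount to a decision tree; here it is as Python, an added example that is not part of the tutorial or of IBM MQ itself. The AMQERR lines are constructed samples, and the patterns key on the terms the tutorial uses rather than on specific AMQ message numbers.

```python
import re
from dataclasses import dataclass

MQRC_NOT_AUTHORIZED = 2035
MQRC_SSL_INITIALIZATION_ERROR = 2393
_CONNECT = {"MQCONN", "MQCONNX"}
# Any 2035 on these calls is authorization (OAM): the user already got in.
_POST_CONNECT = {"MQOPEN", "MQPUT", "MQPUT1", "MQGET", "MQSUB", "MQINQ", "MQSET"}

# Connect-time AMQERR indicators, most specific first: a CHLAUTH block names a
# rule and is often a certificate-DN mismatch, so it must win over the generic
# words "certificate" and "authentication". Real AMQERR wording varies.
_CONNECT_SIGNALS = (
    (re.compile(r"CHLAUTH|SSLPEER|blocked", re.I), "CHLAUTH",
     "DISPLAY CHLAUTH(*) ALL and the rule AMQERR names"),
    (re.compile(r"\bSSL\b|\bTLS\b|CipherSpec|handshake|certificate", re.I), "TLS",
     "SSL trace, LASTCHLERR, certificate labels on both sides"),
    (re.compile(r"CONNAUTH|LDAP|authentication|password", re.I), "CONNAUTH / LDAP",
     "DISPLAY QMGR CONNAUTH, DISPLAY AUTHINFO(...) ALL, LDAP bind logs"),
)

@dataclass
class Triage:
    layer: str        # row of the layer table in the text
    first_check: str  # where to look first, from that table's "Check with" column

def classify(mqi_call: str, reason: int, amqerr_lines: list[str]) -> Triage:
    """Route a failure to the layer that owns it: first by which MQI call
    failed, then by reason code, then by what AMQERR says."""
    call = mqi_call.upper()
    if call in _POST_CONNECT:
        if reason == MQRC_NOT_AUTHORIZED:
            return Triage("OAM", "dspmqaut -m <QM> -n <object> -t queue -p <MCAUSER>; DISPLAY AUTHREC")
        return Triage("not an auth/authz failure", "look up the reason code; credentials were accepted")
    text = "\n".join(amqerr_lines)
    for pattern, layer, check in _CONNECT_SIGNALS:
        if pattern.search(text):
            return Triage(layer, check)
    if reason == MQRC_SSL_INITIALIZATION_ERROR:
        return Triage("TLS", "SSL trace; the handshake failed before any password was sent")
    if reason == MQRC_NOT_AUTHORIZED and call in _CONNECT:
        return Triage("CONNAUTH or CHLAUTH", "2035 on MQCONN is connect-time; AMQERR splits the two")
    return Triage("unknown", "grep AMQERR for authentication, CONNAUTH, LDAP, CHLAUTH")

# Constructed AMQERR excerpts for the three scenarios above (illustrative, not real output).
LOG_LDAP = ["EXPLANATION: CONNAUTH check for user 'svc_pay' failed; the LDAP bind was rejected."]
LOG_CHLAUTH = ["EXPLANATION: Channel 'PARTNER.TO.QM1' was blocked by CHLAUTH rule SSLPEERMAP for 'CN=partner,O=Example'."]
LOG_TLS = ["EXPLANATION: TLS handshake on channel 'APP.SVRCONN' failed; the client presented no certificate."]
```

Feed `classify` the failing call, the reason code the application logged, and the matching AMQERR lines; the returned `first_check` is the command or log to open before anyone resets a password.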
Authentication is showing your building badge at the lobby. Authorization is whether your key opens the office door. Authentication failure means security will not give you a badge; 2035 means you have a badge but not a key to that room.
The club checks your name on the list before you enter. If your name is not on the list or you said the wrong secret word, you cannot go in—that is authentication failure. Being inside but not allowed in the kitchen is a different problem.
Lab: wrong LDAP password—capture AMQERR line and classify as auth not OAM.
Same user: connect OK, put fails 2035—document dspmqaut fix.
Write decision tree: connect fail vs 2035 for helpdesk.
1. Authentication answers:
2. 2035 after connect usually is:
3. CONNAUTH IDPWLDAP uses:
4. CHLAUTH can block: