188.8.131.52.12 Inserting a Message into Its Destination Queue
The protocol MUST perform an access check to authorize access to the queue that is addressed by SRMPMessage.DestinationQueueFormatName, using the following logic:
The protocol MUST declare the destinationQueue variable and set it equal to the Queue specified by SRMPMessage.DestinationQueueFormatName.
The protocol MUST declare the queueSecurityDescriptor variable and set it equal to destinationQueue.Security.
If destinationQueue.QueueType = Public, the destinationQueue security descriptor MUST be queried from the directory by raising a Read Directory ([MS-MQDMPR] section 184.108.40.206.20) event with the following arguments:
iFilter: "Identifier" EQUALS destinationQueue.Identifier
If the query returns an rStatus value that is not equal to DirectoryOperationResult.Success, the protocol MUST disregard the message and perform no further processing.
The protocol MUST set queueSecurityDescriptor equal to rDirectoryObject.Security.
The protocol MUST declare the userSID variable and set it to the well-known SID with string representation S-1-1-0 (relative identifier SECURITY_WORLD_RID combined with identifier authority SECURITY_WORLD_SID_AUTHORITY).
Token: Perform the following actions to generate a token to represent the sender's authorization data. If any failure occurs in these actions, the protocol MUST continue as if access_denied is returned from the Access Check Algorithm.
Invoke the LsarOpenPolicy (Opnum 6) method ([MS-LSAT] section 220.127.116.11) to obtain a policy handle with the DesiredAccess parameter set to POLICY_LOOKUP_NAMES.
Invoke the LsarLookupSids (Opnum 15) method ([MS-LSAT] section 18.104.22.168) to obtain the account name of the message sender with the following parameters:
PolicyHandle: the policy handle obtained in the preceding step.
SidEnumBuffer: contains one SID, which is userSID.
ReferencedDomains: a pointer to a PLSAPR_REFERENCED_DOMAIN_LIST structure ([MS-LSAT] section 2.2.12).
TranslatedNames: a pointer to a PLSAPR_TRANSLATED_NAMES structure ([MS-LSAT] section 2.2.20). The sender's account name is placed in this parameter on successful return from LsarLookupSids.
MappedCount: A pointer to an unsigned long integer.
Invoke the LsarClose (Opnum 0) method ([MS-LSAT] section 22.214.171.124) to close the policy handle.
Create a token and populate its Sids field with the SIDs of the user, the user's primary group and other groups contained in the PAC ([MS-PAC] section 2.5). The KERB_VALIDATION_INFO.LogonDomainId is used to construct the SIDs from relative identifiers.
Object Tree: NULL
PrincipalSelfSubst SID: NULL
If the Access Check Algorithm does not return success, the protocol MUST disregard the message and perform no further processing.
The protocol MUST insert a message into its destination queue by generating the Enqueue Message ([MS-MQDMPR] section 126.96.36.199.9) event with the following arguments:
iQueue: A reference to the Queue ADM element instance that is addressed by SRMPMessage.DestinationQueueFormatName.
iMessage: A reference to the SRMPMessage element.
If rStatus returned by the Enqueue Message event is not zero:
If rStatus is 1, indicating that the Quota ADM attribute of the Queue ADM element instance referenced by iQueue would be exceeded, the protocol MUST disregard the message.
If rStatus is 2, indicating that the QueueManagerQuota ADM attribute of the local QueueManager ADM element instance would be exceeded, the protocol MUST disregard the message and return the "HTTP 500 Internal Server Error" error message to the sender.
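The decision flow of this section as an added Python sketch (not code from the specification or from any Microsoft implementation), showing that every failure before the enqueue drops the message and that only rStatus 2 sends an error to the sender. The names insert_message, Outcome, and the four callables are hypothetical stand-ins for the Read Directory event, token generation, the Access Check Algorithm, and the Enqueue Message event; the string "Success" stands in for DirectoryOperationResult.Success.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Any, Callable, Tuple

class Outcome(Enum):
    ENQUEUED = "enqueued"
    DISREGARDED = "disregarded"                # dropped, nothing returned
    DISREGARDED_HTTP_500 = "disregarded+500"   # dropped, sender gets HTTP 500

@dataclass
class Queue:                 # simplified stand-in for the Queue ADM element
    identifier: str
    queue_type: str          # "Public" or "Private"
    security: Any            # security descriptor (opaque here)

def insert_message(queue: Queue, message: Any,
                   read_directory: Callable[[str], Tuple[str, Any]],
                   build_token: Callable[[], Any],
                   access_check: Callable[[Any, Any], bool],
                   enqueue: Callable[[Queue, Any], int]) -> Outcome:
    """Hypothetical model; the four callables stand in for the referenced
    events and algorithms and are supplied by the caller."""
    sd = queue.security
    if queue.queue_type == "Public":
        # Public queue: the descriptor is re-read from the directory.
        r_status, r_directory_object = read_directory(queue.identifier)
        if r_status != "Success":
            return Outcome.DISREGARDED     # no fallback to the local copy
        sd = r_directory_object.security
    try:
        token = build_token()              # LSA lookup + PAC SIDs in the spec
    except Exception:
        return Outcome.DISREGARDED         # any failure counts as access_denied
    if not access_check(sd, token):
        return Outcome.DISREGARDED
    r_status = enqueue(queue, message)
    if r_status == 0:
        return Outcome.ENQUEUED
    if r_status == 2:                      # QueueManagerQuota would be exceeded
        return Outcome.DISREGARDED_HTTP_500
    # rStatus 1 (queue Quota). Other non-zero values are not covered by the
    # text above; dropping them too is this sketch's assumption.
    return Outcome.DISREGARDED
```

When testing an implementation against this flow, the cases worth asserting are that a failed directory read never falls back to the locally held descriptor and that a token-generation error never reaches the enqueue step.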