Using Message Queuing over DCOM

Applies To: Windows 10, Windows 7, Windows 8, Windows 8.1, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server Technical Preview, Windows Vista

Distributed COM (DCOM) provides a way for a computer that does not have Message Queuing installed (a DCOM client) to run applications that create and use Message Queuing COM objects on a remote Message Queuing independent client or Message Queuing server (a DCOM server).

Client applications must create the Message Queuing COM objects on the DCOM server using CreateObject, not in Dim statements that use the New keyword, except when messages are received asynchronously (for more information, see Receiving Messages Asynchronously later in this topic), and they must pass all parameters to Message Queuing COM object methods as Variants.

There are two ways to specify the name of a specific Message Queuing computer that will serve as the DCOM server:

  • You can specify the server's name inside the client's code whenever you create an instance of a Message Queuing COM object on the server. For example, the following code fragment, which can be run on a DCOM client, declares an object variable and creates an MSMQQueueInfo object on the specified remote Message Queuing computer, exposing the properties and methods of this object to the DCOM client:

    Dim qinfo As Object
    Set qinfo = CreateObject("MSMQ.MSMQQueueInfo", "MyServer.MyDomain.com")

    After the object is created, you can use the name of the object variable to refer to the MSMQQueueInfo object in the client application.

  • You can configure the DCOM client to always use a specific Message Queuing computer, which is referred to as a Message Queuing supporting server, for all Message Queuing applications by performing the following steps on the client side after logging on to the client computer as a local administrator:

  1. Open Component Services. To open Component Services, click Start, click Run, type dcomcnfg.exe, and press Enter.

  2. In the console tree (the left-hand pane), expand Component Services, expand Computers, expand My Computer, expand DCOM Config, right-click MSMQ, and click Properties.

  3. In the MSMQ Properties dialog box, click the Location tab, select Run application on the following computer, type the name of the supporting server, and click OK.
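The same client-side pattern from a DCOM client that has no Message Queuing installed, written in PowerShell as an added example (it is not code from the original topic). It assumes a DCOM server named MyServer.MyDomain.com hosting a private queue named MyQueue; [Type]::GetTypeFromProgID with a server name plays the role of the second argument of CreateObject.

```powershell
# Added example, not from the original topic. Runs on a DCOM client without Message Queuing.
# Assumptions: DCOM server 'MyServer.MyDomain.com' hosts the private queue 'MyQueue'.
$server = 'MyServer.MyDomain.com'

function New-RemoteMsmqObject {
    param([Parameter(Mandatory)][string]$ProgId, [Parameter(Mandatory)][string]$Server)
    # Equivalent of VB's CreateObject(ProgId, Server): the object is activated on the DCOM server,
    # and only its interface pointer lives in this process
    $type = [Type]::GetTypeFromProgID($ProgId, $Server, $true)
    return [Activator]::CreateInstance($type)
}

$qinfo = New-RemoteMsmqObject -ProgId 'MSMQ.MSMQQueueInfo' -Server $server
# A direct format name; this is the form the launching-user identity permits for queues on the server
$qinfo.FormatName = 'DIRECT=OS:MyServer\private$\MyQueue'

# Every argument crosses DCOM as a Variant; 2 = MQ_SEND_ACCESS, 0 = MQ_DENY_NONE
$queue = $qinfo.Open(2, 0)

$msg = New-RemoteMsmqObject -ProgId 'MSMQ.MSMQMessage' -Server $server
$msg.Label = 'constructed test message'
$msg.Body  = 'hello over DCOM'
$msg.Send($queue)
$queue.Close()
```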

Configuring the DCOM Server

On the server side, the following three options can be selected on the Identity page of the MSMQ Properties dialog box (for opening the MSMQ Properties dialog box, see the preceding steps) for setting the security context under which the server-side Message Queuing process will run:

  • The launching user (the default)

    When this option is selected, the DCOM server impersonates the user who launches the Message Queuing application on the DCOM client, but is not able to delegate the user's credentials. This means, for example, that the client application will not be allowed to create a remote queue on a third computer using COM objects created on the DCOM server.

    No user needs to log on to the DCOM server; however, to allow a domain user without administrative privileges to run Message Queuing applications on the client computer, you need to grant the Launch permission on the DCOM server to domain users who will log on to the client computer and run Message Queuing applications. To configure the launch permissions, click the Security tab, and then under Launch Permissions, select Customize and click Edit. In the Launch Permission dialog box, add the users who will launch Message Queuing client applications and grant them the Launch permission.

    A domain user who has the Launch permission on the server can log on to the client computer and run any Message Queuing application that conforms to the following restrictions:

    • No asynchronous receive operations are invoked.

  • Public queues hosted on the DCOM server are opened using only direct format names. Private queues hosted on the DCOM server can be opened using either a format name or the path name.

    • Remote queues hosted on a third computer are opened for sending messages using only direct format names. A remote queue hosted on a third computer can be opened for receiving messages only if members of the Everyone group have been granted the Receive Message permission for the queue.

    • No queries are made to Active Directory Domain Services (AD DS).

  • The interactive user

    When this option is selected, client applications run under the identity of the user who is currently logged on to the DCOM server.

    This option is not recommended for security reasons because there is a possibility of an elevation of privilege. Under this option, a user must be logged on to the DCOM server and the security credentials of this user, who may be a privileged user, are used to authenticate the client application for accessing resources.

  • This user

    When this option is selected, any client application that creates Message Queuing COM objects on the server runs under the identity of the user account specified, whose security credentials are used to authenticate the client application for accessing resources in the domain.

    Use this option when you want to delegate the client credentials, or when the client application receives messages asynchronously. Specify a user (and password) who will run all Message Queuing client applications on behalf of all clients. Because access checks are made in the context of the user specified, all relevant queues used by all clients must grant the relevant permissions to the user specified. The only way to limit client access is by setting the launch and access permissions in Component Services.

    When the This user option is selected, the following steps must be performed on the DCOM server:

  1. Type the name of a local or domain user (and a password).

  2. Click the Security tab, and then under Launch Permissions, select Customize and click Edit. In the Launch Permission dialog box, add the domain users who will launch Message Queuing client applications, grant them the Launch permission, and click OK.

  3. Under Access Permissions, select Customize and click Edit. In the Access Permission dialog box, add the user specified under This user and the domain users who will run Message Queuing client applications, grant these users the Access Permission permission, and click OK.

  4. If messages will be authenticated using the This user option, log on to the server once as the user specified under This user and register a Message Queuing internal certificate.

Note

After you configure DCOM on the server, you do not need to reboot the computer, but sometimes it may be necessary to restart the process that handles DCOM (the default process is Dllhost.exe).

Receiving Messages Asynchronously

On the server side, the This user option must be selected on the Identity page of the MSMQ Properties dialog box, and the four preceding steps must be performed.

On the client side, there are two requirements that must be satisfied to receive messages asynchronously:

The client application must enable the client computer to receive notifications of events fired on the DCOM server using the MSMQEvent object. The MSMQEvent object is declared in a statement like the following:

Dim WithEvents qevent As MSMQEvent

This is possible only if the type library (the Mqoa.tlb file) is registered on the client computer (as it is by default).

The server-side Message Queuing process must be allowed to call back into the client process. This can be accomplished by changing the default access to all COM processes or by granting access only to a specific Message Queuing client process (safer).

To change the default access to all COM processes, log on to the DCOM client as a local administrator and perform the following steps:

  1. Open Component Services.

  2. In the console tree (the left-hand pane), expand Component Services, expand Computers, right-click My Computer, and click Properties.

  3. In the My Computer Properties dialog box, click the Default COM Security tab.

  4. Under Access Permissions, click Edit Default. In the Access Permission dialog box, add the user specified under This user on the Identity page of the MSMQ Properties dialog box on the DCOM server (the user who runs the Message Queuing stub on the server side), grant this user the Access Permission permission, and click OK.

To grant access to a specific Message Queuing client process, log on to the DCOM client as a local administrator, map an application identifier (a GUID) to the corresponding executable, and set its security by performing the following steps:

  1. Use Regedit.exe to create an AppID registry key with the name of the executable under the HKLM\SOFTWARE\Classes\AppID registry key and set its AppID value to the application identifier chosen for the application. Do not set the AuthenticationLevel value or any of the other named values.

  2. Open Component Services.

  3. In the console tree (the left-hand pane), expand Component Services, expand Computers, expand My Computer, expand DCOM Config, right-click the name of the executable, and click Properties.

  4. In the Properties dialog box, click the Security tab.

  5. Under Access Permissions, select Customize and click Edit. In the Access Permission dialog box, add the user specified under This user on the Identity page of the MSMQ Properties dialog box on the DCOM server (the user who runs the Message Queuing stub on the server side), grant this user the Access Permission permission, and click OK.
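An added PowerShell example, not code from the original topic, that covers two points above: auditing which Identity option (Configuring the DCOM Server) is in effect for the MSMQ AppID by reading the RunAs value of its AppID registry key, and performing step 1 of the per-process procedure just described. It assumes that DCOM Config shows Message Queuing under the display name MSMQ and uses the constructed executable name MyMsmqClient.exe.

```powershell
# Added example (not from the original topic). Run in an elevated PowerShell session.
# Assumptions: the MSMQ AppID is found by the display name 'MSMQ'; 'MyMsmqClient.exe' is constructed.

function Find-DcomAppIdByName {
    param([Parameter(Mandatory)][string]$DisplayName)
    # DCOM Config lists each AppID under the default value of its {GUID} key
    Get-ChildItem 'HKLM:\SOFTWARE\Classes\AppID' |
        Where-Object { $_.PSChildName -like '{*}' -and
                       (Get-ItemProperty -Path $_.PSPath).'(default)' -eq $DisplayName } |
        ForEach-Object { $_.PSChildName }
}

function Get-DcomIdentity {
    param([Parameter(Mandatory)][string]$AppIdGuid)
    # RunAs absent = launching user; 'Interactive User' = interactive user; anything else = This user
    $runAs = (Get-ItemProperty -Path "HKLM:\SOFTWARE\Classes\AppID\$AppIdGuid").RunAs
    if (-not $runAs)                   { return 'The launching user (default)' }
    if ($runAs -eq 'Interactive User') { return 'The interactive user (not recommended: possible elevation of privilege)' }
    return "This user: $runAs"
}

function Register-MsmqClientAppId {
    param([Parameter(Mandatory)][string]$ExeName)
    $appId = '{' + [guid]::NewGuid().ToString().ToUpper() + '}'
    # Map the executable name to the new AppID; no AuthenticationLevel or other named values are set
    New-Item -Path "HKLM:\SOFTWARE\Classes\AppID\$ExeName" -Force | Out-Null
    Set-ItemProperty -Path "HKLM:\SOFTWARE\Classes\AppID\$ExeName" -Name 'AppID' -Value $appId
    # The {GUID} key's default value is the name DCOM Config displays for the process
    New-Item -Path "HKLM:\SOFTWARE\Classes\AppID\$appId" -Value $ExeName -Force | Out-Null
    return $appId
}

# Server side: report the Identity option in effect for Message Queuing
Find-DcomAppIdByName -DisplayName 'MSMQ' |
    ForEach-Object { '{0} -> {1}' -f $_, (Get-DcomIdentity -AppIdGuid $_) }

# Client side: create the AppID entry, then grant Access Permission in Component Services (steps 2-5)
# Register-MsmqClientAppId -ExeName 'MyMsmqClient.exe'
```

The Access Permission for the new AppID is still set through Component Services as in steps 2 to 5; the script only creates the registry mapping.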