How Message Queuing Authenticates Messages
Applies To: Windows 10, Windows 7, Windows 8, Windows 8.1, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server Technical Preview, Windows Vista
Message Queuing authenticates messages at the request of the sending application. When the sending application indicates that a message is to be authenticated by setting its authentication level (PROPID_M_AUTH_LEVEL or MSMQMessage.AuthLevel), the Message Queuing runtime on the sender's computer attaches the user's SID in the sender identifier property (PROPID_M_SENDERID or MSMQMessage.SenderId) and performs the following additional tasks:
1. Retrieves the applicable certificate.

   By default, the Message Queuing runtime retrieves the internal certificate. However, it uses an external certificate if one is provided in the sender certificate property (PROPID_M_SENDER_CERT or MSMQMessage.SenderCertificate) of the message.

   Alternatively, the sending application can request Message Queuing to cache a specific internal or external certificate, the corresponding private key, and other security information in a security context structure, and then provide the handle to this structure in the security context property (PROPID_M_SECURITY_CONTEXT) of the message, or store it internally in an MSMQMessage object that has been initialized by running the MSMQMessage.AttachCurrentSecurityContext2 method.

2. Obtains the private signing key for the certificate used.

   - For internal certificates, Message Queuing locates the private key internally.
   - For external certificates, Message Queuing searches for the private key in the Internet Explorer personal certificate store. (This is why the external certificate must be registered in the Internet Explorer personal certificate store.)
   - When a handle to a security context structure is specified, Message Queuing uses the private key in the structure.

3. Computes a hash value of the message. The hash value is based on a specific set of message properties. For a description of what properties are used, see Digital Signatures.

4. Encrypts the hash value using the private key. This is the digital signature that will be attached to the message.

5. Attaches the certificate and the digital signature to the message and sends the message on to the destination queue manager.
When the destination queue manager receives the message, it performs the following tasks:

1. Computes the hash value of the message by means of the hashing algorithm specified in PROPID_M_HASH_ALG or MSMQMessage.HashAlgorithm from the same set of message properties that was used to compute the hash value on the source computer. For a description of what properties are used, see Digital Signatures.
2. Extracts the public key from the certificate.
3. Decrypts the digital signature by means of the public key, obtaining the hash value sent with the message.
4. Compares the hash value computed from the fixed set of message properties to the hash value decoded from the digital signature.

| If the hash values are | The destination queue manager |
|---|---|
| The same and the sender identifier is attached to the message | Verifies who sent the message (see the next bullet) and that the access rights for placing messages in the destination queue are allowed for the sender. |
| The same and the sender identifier is not attached to the message | Only verifies that the access rights for placing messages in the destination queue are allowed for the Everyone group (skip the next bullet). |
| Not the same | Discards the message, and a negative acknowledgment is returned to the sending application if such an acknowledgment was requested. |
To verify who sent the message, the destination queue manager uses the digest of the certificate to locate the certificate in the directory service and retrieve the SID of the user who registered the certificate. It then compares this identifier with the SID attached to the message in the sender identifier property (PROPID_M_SENDERID or MSMQMessage.SenderId).

- If they are the same, the SID in the message is valid, and the destination queue manager then verifies that the access rights for placing messages in the destination queue are allowed for any user with the privileges and permissions of the user who registered the certificate.
- If they are not the same, the message is discarded and a negative acknowledgment is returned to the sending application if such an acknowledgment was requested.
Message Queuing cannot authenticate the sender of a message sent over HTTP/HTTPS or to a multicast address (an SRMP message) because the sender identifier is not conveyed in SRMP messages.
To verify that the access rights for placing messages in the destination queue are allowed for the sender, the destination queue manager compares the sender identifier attached to the message with the SIDs in the access control entries (ACEs) in the discretionary access control list (DACL) of the queue. If the sender's SID was not sent with the message, the sending application did not want to validate who sent the message, and the queue must allow all members of the Everyone group send access to the queue.

- If the send access right is allowed for the sender, the destination queue manager authenticates the message.
- If the sending application does not have sufficient permissions to send messages to the queue, the message is discarded, and a negative acknowledgment is returned to the sending application if such an acknowledgment was requested.
To indicate that the message has been authenticated, the destination queue manager sets the authenticated property (PROPID_M_AUTHENTICATED, PROPID_M_AUTHENTICATED_EX or MSMQMessage.IsAuthenticated, MSMQMessage.ReceivedAuthenticationLevel) of the message, inserts the message in its destination queue, and returns a positive acknowledgment to the sending application if such an acknowledgment was requested.
Message Queuing does not validate external certificates. Message Queuing generates the digital signature of a message when it is sent and verifies the digital signature before the message is placed in the destination queue, but it does not validate the certificate itself; the receiving application can perform whatever validation it requires on the certificate before using an authenticated message.
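The following is an added example that models the sender-side and destination-side steps described above; it is not Message Queuing's own code or API. The key pair (textbook RSA over two known Mersenne primes), the certificate record, the directory-service lookup table, the queue DACL and the SIDs are all constructed stand-ins, and the label and body stand in for the fixed property set described under Digital Signatures. What it shows is the decision table: a hash mismatch discards the message, a missing sender identifier falls back to the Everyone check, and an attached SID must match the SID registered for the certificate digest before the queue's send access is checked.

```python
"""Model of the MSMQ message-authentication flow (added example, not MSMQ code)."""
import hashlib
from dataclasses import dataclass
from typing import Optional

# Toy RSA key built from two known Mersenne primes (2^521-1 and 2^127-1) so a
# 256-bit digest fits under the modulus and the block runs with only the standard
# library. It models "encrypt the hash with the private key, decrypt with the
# public key"; textbook RSA like this is for illustration only.
_P, _Q = (1 << 521) - 1, (1 << 127) - 1
MODULUS = _P * _Q
PUBLIC_E = 65537
PRIVATE_D = pow(PUBLIC_E, -1, (_P - 1) * (_Q - 1))

# A "certificate" here is the public key plus its digest; the digest is what the
# destination queue manager uses to locate the certificate in the directory service.
CERT = {"e": PUBLIC_E, "n": MODULUS}
CERT["digest"] = hashlib.sha1(f"{PUBLIC_E}:{MODULUS}".encode()).hexdigest()

EVERYONE_SID = "S-1-1-0"
ALICE_SID = "S-1-5-21-1000000000-2000000000-3000000000-1001"    # constructed
IMPOSTOR_SID = "S-1-5-21-1000000000-2000000000-3000000000-9999"  # constructed


@dataclass
class Message:
    body: bytes
    label: str
    hash_alg: str = "sha256"                 # stands in for PROPID_M_HASH_ALG
    sender_cert: Optional[dict] = None       # stands in for PROPID_M_SENDER_CERT
    signature: Optional[int] = None
    sender_sid: Optional[str] = None         # stands in for PROPID_M_SENDERID
    is_authenticated: bool = False           # stands in for PROPID_M_AUTHENTICATED


def property_hash(msg: Message) -> int:
    """Hash over the fixed property set both sides agree on (label and body here)."""
    h = hashlib.new(msg.hash_alg)
    h.update(msg.label.encode())
    h.update(b"\x00")
    h.update(msg.body)
    return int.from_bytes(h.digest(), "big")


def send_authenticated(msg: Message, private_d: int, sender_sid: str,
                       attach_sid: bool = True) -> Message:
    """Sender-side runtime: attach the SID (optionally), the certificate and the signature."""
    msg.sender_sid = sender_sid if attach_sid else None
    msg.sender_cert = CERT
    msg.signature = pow(property_hash(msg), private_d, MODULUS)  # "encrypt hash with private key"
    return msg


def deliver(msg: Message, directory: dict, dacl: set) -> str:
    """Destination queue manager. Returns 'ack' or a 'nack: <reason>' string."""
    if msg.sender_cert is None or msg.signature is None:
        return "nack: no signature"
    # Decrypt the signature with the certificate's public key and compare hashes.
    recovered = pow(msg.signature, msg.sender_cert["e"], msg.sender_cert["n"])
    if recovered != property_hash(msg):
        return "nack: hash mismatch"
    if msg.sender_sid is None:
        # No sender identifier: only the Everyone group's send access is checked.
        if EVERYONE_SID not in dacl:
            return "nack: Everyone lacks send access"
    else:
        # Certificate digest -> SID of the registering user, compared with the attached SID.
        if directory.get(msg.sender_cert["digest"]) != msg.sender_sid:
            return "nack: SID does not match certificate owner"
        if msg.sender_sid not in dacl:
            return "nack: sender lacks send access"
    msg.is_authenticated = True
    return "ack"


def run_scenarios() -> dict:
    """Exercise each row of the decision table; returns outcome per scenario."""
    directory = {CERT["digest"]: ALICE_SID}    # constructed directory-service entry
    results = {}
    m = send_authenticated(Message(b"order 42", "orders"), PRIVATE_D, ALICE_SID)
    results["signed_by_owner"] = deliver(m, directory, {ALICE_SID})
    m = send_authenticated(Message(b"order 42", "orders"), PRIVATE_D, ALICE_SID)
    m.body = b"order 43"                      # modified in transit: hash no longer matches
    results["tampered_body"] = deliver(m, directory, {ALICE_SID})
    m = send_authenticated(Message(b"x", "q"), PRIVATE_D, ALICE_SID, attach_sid=False)
    results["no_sid_everyone_denied"] = deliver(m, directory, {ALICE_SID})
    m = send_authenticated(Message(b"x", "q"), PRIVATE_D, ALICE_SID, attach_sid=False)
    results["no_sid_everyone_allowed"] = deliver(m, directory, {EVERYONE_SID})
    m = send_authenticated(Message(b"x", "q"), PRIVATE_D, IMPOSTOR_SID)
    results["forged_sid"] = deliver(m, directory, {IMPOSTOR_SID})
    m = send_authenticated(Message(b"x", "q"), PRIVATE_D, ALICE_SID)
    results["owner_without_send"] = deliver(m, directory, {EVERYONE_SID})
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:24s} {outcome}")
```

Note that, as on the page, the receiver never validates the certificate itself: it only uses the certificate's digest to find the registered SID and its public key to decrypt the signature, so any checks on the certificate's validity are left to the receiving application.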
| For information on | See |
|---|---|
| User certificates | Message Authentication |
| Registering a certificate programmatically or manually | Registering a Certificate |

| For an example of | See |
|---|---|
| Requesting authentication using an internal certificate | C/C++ Code Example: Requesting Authentication Using an Internal Certificate; Visual Basic Code Example: Requesting Authentication Using an Internal Certificate |
| Requesting authentication using an external certificate | C/C++ Code Example: Requesting Authentication Using an External Certificate; Visual Basic Code Example: Requesting Authentication Using an External Certificate |
| Validating authentication | C/C++ Code Example: Validating Authentication; Visual Basic Code Example: Validating Authentication |