HTTP/HTTPS Message Authentication

Applies To: Windows Server 2008

Authenticating HTTP/HTTPS messages

When messages sent over HTTP/HTTPS transport are authenticated, the sender attaches an XML digital signature and a user certificate, which contains the user's name, the user's public key, and the signature of the issuer. A user can obtain an external user certificate from a certification authority (CA), such as VeriSign or Microsoft Certificate Services, or use the internal user certificate that is created and registered on the local computer during setup and the first time that a user logs on to the computer. If an external user certificate is used, the user must register that certificate in Active Directory Domain Services in the local forest using the Message Queuing UI.

When messages are sent over HTTPS transport, additional security requirements must be satisfied before an SSL session is established between the sender and the recipient. For more information, see HTTPS Authentication.

When a message requiring authentication is sent within the same forest, the recipient decrypts the digital signature and tries to locate the user certificate in Active Directory Domain Services according to its GUID. If the user certificate is found in Active Directory Domain Services, the message is inserted into the queue and marked as authenticated. If the user certificate is not found in Active Directory Domain Services, Message Queuing tests the certificate to ascertain whether it is self-signed (an internal user certificate). If the user certificate is not found in Active Directory Domain Services and it is not self-signed, the sender is regarded as an anonymous user and is allowed to access the destination queue accordingly.

When messages are sent over HTTP/HTTPS transport between different forests, the recipient cannot search for the certificate in Active Directory Domain Services in the sender's forest. To overcome this problem and use the same user certificate to authenticate messages sent between different forests, perform the following steps:

  1. Export the sender's user certificate to a file.

  2. Send the file to the recipient's forest.

  3. In the recipient's forest, create a user to represent the sender or the sender's group.

  4. Import the certificate to the user's personal certificate store.

  5. Log on as the user.

  6. Use the Message Queuing UI to register the certificate in Active Directory Domain Services to the user.

  7. Grant the user permissions to write to Message Queuing queues.

The recipient can now authenticate messages sent between forests by querying Active Directory Domain Services in the local forest as in the case of messages sent over HTTP/HTTPS transport within a single forest.
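Steps 1, 2, and 4 above can be scripted with the .NET certificate classes. The following PowerShell is an added example, not part of the original documentation: the function names, file paths, and thumbprint value are placeholders, and it assumes the import runs in the session of the user created in step 3 and that the sender communicates the certificate thumbprint to the recipient separately from the file. Registration in Active Directory Domain Services (step 6) is still done through the Message Queuing UI.

```powershell
# Added example: names, paths and the thumbprint below are placeholders (assumptions).
$X509 = 'System.Security.Cryptography.X509Certificates'

function Export-PublicCertificate {
    param([string]$Thumbprint, [string]$Path)   # $Path must be an absolute path
    # Step 1 (sender): locate the user certificate in the personal store.
    $cert = Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { throw "No certificate $Thumbprint in CurrentUser\My" }
    # Content type 'Cert' is the DER-encoded certificate only.
    # The private key is not written to the file and stays with the sender.
    $type  = [System.Security.Cryptography.X509Certificates.X509ContentType]::Cert
    $bytes = $cert.Export($type)
    [System.IO.File]::WriteAllBytes($Path, $bytes)
    return $cert.Thumbprint
}

function Import-VerifiedCertificate {
    param([string]$Path, [string]$ExpectedThumbprint)
    # Step 2 check (recipient): the file that arrived must be the certificate
    # the sender exported. Compare against the thumbprint received separately.
    $cert = New-Object "$X509.X509Certificate2" -ArgumentList $Path
    $expected = $ExpectedThumbprint -replace '\s', ''
    if ($cert.Thumbprint -ne $expected) {
        throw "Thumbprint mismatch: file has $($cert.Thumbprint)"
    }
    # A file carrying a private key means the wrong export format was used.
    if ($cert.HasPrivateKey) { throw 'File contains a private key; re-export as .cer' }

    # Step 4: add the certificate to the current user's personal store.
    $name  = [System.Security.Cryptography.X509Certificates.StoreName]::My
    $loc   = [System.Security.Cryptography.X509Certificates.StoreLocation]::CurrentUser
    $flags = [System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite
    $store = New-Object "$X509.X509Store" -ArgumentList $name, $loc
    $store.Open($flags)
    try { $store.Add($cert) } finally { $store.Close() }
    return $cert.Subject
}

# Sender's forest (placeholder thumbprint and path):
#   Export-PublicCertificate -Thumbprint '<SENDER-CERT-THUMBPRINT>' -Path 'C:\Temp\sender.cer'
# Recipient's forest, logged on as the user that represents the sender:
#   Import-VerifiedCertificate -Path 'C:\Temp\sender.cer' -ExpectedThumbprint '<SENDER-CERT-THUMBPRINT>'
```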

For information about how to register a user certificate, see Register Certificates for Message Queuing.