My goal is to secure the communication between MSMQ Queue Managers – I don’t want unknown clients sending messages to my MSMQ server.

I have spent many hours now trying to get Transport security working for the net.msmq binding in WCF, where MSMQ is in Workgroup mode and the client and server do not have Active Directory… so I’m using certificates. I have created a new X.509 certificate, called Kristan, and put it into the “Trusted People” store on the server and into the My store of Current User of the client.
The error I’m getting is:

```
An error occurred while sending to the queue: Unrecognized error -1072824272 (0xc00e0030). Ensure that MSMQ is installed and running. If you are sending to a local queue, ensure the queue exists with the required access mode and authorization.
```
Using smartsniff, I see that there’s no attempted connection with the remote MSMQ; however, it’s an error probably coming from the local queue manager. The stack trace is:

```
at System.ServiceModel.Channels.MsmqOutputChannel.OnSend(Message message, TimeSpan timeout)
at System.ServiceModel.Channels.OutputChannel.Send(Message message, TimeSpan timeout)
at System.ServiceModel.Dispatcher.OutputChannelBinder.Send(Message message, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)
```
The code:

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;

EndpointAddress endpointAddress = new EndpointAddress(new Uri(endPointAddress));

NetMsmqBinding clientBinding = new NetMsmqBinding();
clientBinding.Security.Mode = NetMsmqSecurityMode.Transport;
clientBinding.Security.Transport.MsmqAuthenticationMode = MsmqAuthenticationMode.Certificate;
clientBinding.Security.Transport.MsmqProtectionLevel = System.Net.Security.ProtectionLevel.Sign;
clientBinding.ExactlyOnce = false;        // non-transactional queue
clientBinding.UseActiveDirectory = false; // workgroup mode: no AD lookups
// start new
var channelFactory = new ChannelFactory<IAsyncImportApi>(clientBinding, endpointAddress);
// certificate used to sign outgoing messages, found by subject name in CurrentUser\My
channelFactory.Credentials.ClientCertificate.SetCertificate("CN=Kristan",
    StoreLocation.CurrentUser,
    StoreName.My);
```
The queue is flagged as ‘Authenticated’ on the server. I have checked the effect of this and if I turn off all security in the client send, then I get ‘Signature is invalid’ – which is understandable and shows that it’s definitely looking for a sig.
Are there any special ports that I need to check are open for cert-based MSMQ auth?
Have a look at http://www.controlsystemworks.com/articles/CertificateSecurityForWcfOverMsmq.html

I think you need to set up both client and server certificates.
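Putting the answer's suggestion into code, here is a service-side and client-side pairing for the certificate-authenticated net.msmq setup the question describes. This is an added example, not code from the question, the answer or the linked article; the IAsyncImportApi contract body, the queue address, the certificate subject and the PeerTrust validation on the service side are assumptions.

```csharp
using System;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

[ServiceContract]
public interface IAsyncImportApi  // hypothetical contract name from the question
{
    [OperationContract(IsOneWay = true)]  // net.msmq endpoints require one-way operations
    void Import(string payload);
}

public static class MsmqCertSetup
{
    // Binding shared by both ends: transport security, certificate authentication,
    // signed messages, no Active Directory lookups (workgroup mode).
    public static NetMsmqBinding CreateBinding()
    {
        var binding = new NetMsmqBinding();
        binding.Security.Mode = NetMsmqSecurityMode.Transport;
        binding.Security.Transport.MsmqAuthenticationMode = MsmqAuthenticationMode.Certificate;
        binding.Security.Transport.MsmqProtectionLevel = ProtectionLevel.Sign;
        binding.UseActiveDirectory = false;
        binding.ExactlyOnce = false;
        return binding;
    }

    // Service side (serviceType implements IAsyncImportApi): WCF validates the sender's
    // certificate against the server's Trusted People store (PeerTrust). Assumption:
    // the client certificate is self-signed, so revocation checking is turned off.
    public static ServiceHost CreateHost(Type serviceType, string queueAddress)
    {
        var host = new ServiceHost(serviceType);
        host.AddServiceEndpoint(typeof(IAsyncImportApi), CreateBinding(), queueAddress);
        var auth = host.Credentials.ClientCertificate.Authentication;
        auth.CertificateValidationMode = X509CertificateValidationMode.PeerTrust;
        auth.RevocationMode = X509RevocationMode.NoCheck;
        return host;
    }

    // Client side: the certificate with its private key in CurrentUser\My signs outgoing
    // messages; its public part must also be in the server's Trusted People store.
    public static ChannelFactory<IAsyncImportApi> CreateClientFactory(string queueAddress, string subject)
    {
        var factory = new ChannelFactory<IAsyncImportApi>(CreateBinding(), new EndpointAddress(queueAddress));
        factory.Credentials.ClientCertificate.SetCertificate(subject, StoreLocation.CurrentUser, StoreName.My);
        return factory;
    }
}
```

Both ends must build the same binding; a client that signs with a certificate the server's PeerTrust check does not trust is rejected at the service rather than at the local queue manager.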