
msmq authentication slows encryption


When sending an encrypted MSMQ message, it seems like the authentication bogs down the speed (from 2500 msg/sec to 150 msgs/sec).

This seems to be the case for both System.Messaging.MessageQueue and the WCF client with msmqIntegration binding.

My requirement is for encrypted transport, I can do without authentication. I would prefer the WCF client since settings can be changed from app.config.

Is there a way for the msmqIntegrationBinding to do transport encryption without authentication?

    <msmqIntegrationBinding>
        <binding name="VisionAirMessagingBinding"
            timeToLive="12:00:00"
            maxReceivedMessageSize="4100000"
            receiveErrorHandling="Move"
            retryCycleDelay="00:30:00"
            useMsmqTracing="false"
            serializationFormat="Stream">
            <security mode="Transport">
                <transport msmqAuthenticationMode="WindowsDomain"
                    msmqEncryptionAlgorithm="RC4Stream"
                    msmqProtectionLevel="EncryptAndSign"
                    msmqSecureHashAlgorithm="Sha1"/>
            </security>
        </binding>
    </msmqIntegrationBinding>

I found out that authentication slows me down by commenting out the following when using the System.

    q1.Send(new Message
    {
        BodyStream = new MemoryStream(
            Encoding.ASCII.GetBytes("ABCDEFGHIJKLMNOPQRSTUVXYZ")),
        Label = i.ToString(),
        //UseAuthentication = true,
        UseEncryption = true
    }, msmqTx);

If I switch on the authentication, sending becomes slow again!

Thx for any help!


Solution

  • WindowsDomain authentication means Kerberos authentication. It is necessarily a multiple-agent protocol (using something like 4+ different messages being sent). Since you are using the blocking .Send() method, this is going to limit your rate (due to multiple latency paths) if you do not throw in some asynchronicity/concurrency.

    You might find that switching to simple Certificate authentication will suffice.

    The result is that the server will be executing the message without the user's credentials, but will be authenticated (you know who sent the message, but you can't elevate to that user's permissions).
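
The answer's suggestion applied to the binding from the question, as an added example that is not part of the original post or answer. The behavior name, certificate subject, queue address, endpoint name and contract name are hypothetical placeholders, and the binding attributes unrelated to security are omitted for brevity.

```xml
<!-- Added example: values marked "hypothetical" are placeholders, not from the post. -->
<system.serviceModel>
  <bindings>
    <msmqIntegrationBinding>
      <binding name="VisionAirMessagingBinding"
               serializationFormat="Stream">
        <security mode="Transport">
          <!-- Only msmqAuthenticationMode differs from the question's binding.
               Cipher and hash values are kept from the question; the same
               enums also offer Aes and Sha256/Sha512. -->
          <transport msmqAuthenticationMode="Certificate"
                     msmqEncryptionAlgorithm="RC4Stream"
                     msmqProtectionLevel="EncryptAndSign"
                     msmqSecureHashAlgorithm="Sha1"/>
        </security>
      </binding>
    </msmqIntegrationBinding>
  </bindings>
  <behaviors>
    <endpointBehaviors>
      <!-- hypothetical behavior name -->
      <behavior name="SenderCertificate">
        <clientCredentials>
          <!-- Certificate attached to outgoing messages; hypothetical subject -->
          <clientCertificate findValue="CN=msmq-sender.example"
                             x509FindType="FindBySubjectDistinguishedName"
                             storeLocation="CurrentUser"
                             storeName="My"/>
        </clientCredentials>
      </behavior>
    </endpointBehaviors>
  </behaviors>
  <client>
    <!-- hypothetical endpoint name, queue address and contract -->
    <endpoint name="QueueSender"
              address="msmq.formatname:DIRECT=OS:queue-host.example\private$\orders"
              binding="msmqIntegrationBinding"
              bindingConfiguration="VisionAirMessagingBinding"
              behaviorConfiguration="SenderCertificate"
              contract="IQueueSender"/>
  </client>
</system.serviceModel>
```

The post reports send rates only for WindowsDomain authentication and for authentication switched off, so measure the rate with this binding before relying on it.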