Hi there, my goal is to secure the communication between MSMQ Queue Managers – I don’t want unknown clients sending messages to my MSMQ server.

I have spent many hours now trying to get Transport security working for the net.msmq binding in WCF, where MSMQ is in Workgroup mode and the client and server do not have Active Directory… so I’m using certificates. I have created a new X.509 certificate, called Kristan and put it into the “Trusted people” store on the server and into the My store of Current User of the client.

The error I’m getting is: An error occurred while sending to the queue: Unrecognized error -1072824272 (0xc00e0030). Ensure that MSMQ is installed and running. If you are sending to a local queue, ensure the queue exists with the required access mode and authorization.

Using SmartSniff, I see that there’s no attempted connection with the remote MSMQ; however, it’s an error probably coming from the local queue manager. The stack trace is:

    at System.ServiceModel.Channels.MsmqOutputChannel.OnSend(Message message, TimeSpan timeout)
    at System.ServiceModel.Channels.OutputChannel.Send(Message message, TimeSpan timeout)
    at System.ServiceModel.Dispatcher.OutputChannelBinder.Send(Message message, TimeSpan timeout)
    at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
    at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
    at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

The code:

    using System;
    using System.Net.Security;
    using System.Security.Cryptography.X509Certificates;
    using System.ServiceModel;

    EndpointAddress endpointAddress = new EndpointAddress(new Uri(endPointAddress));

    NetMsmqBinding clientBinding = new NetMsmqBinding();
    clientBinding.Security.Mode = NetMsmqSecurityMode.Transport;

    // Authenticate the sender with an X.509 certificate and sign each message
    clientBinding.Security.Transport.MsmqAuthenticationMode = MsmqAuthenticationMode.Certificate;
    clientBinding.Security.Transport.MsmqProtectionLevel = ProtectionLevel.Sign;

    clientBinding.ExactlyOnce = false;        // no transactional queue required
    clientBinding.UseActiveDirectory = false; // workgroup mode: no Active Directory lookups

    // start new
    var channelFactory = new ChannelFactory<IAsyncImportApi>(clientBinding, endpointAddress);

    // Client certificate "Kristan" from the current user's personal (My) store
    channelFactory.Credentials.ClientCertificate.SetCertificate("CN=Kristan",
        StoreLocation.CurrentUser,
        StoreName.My);

The queue is flagged as ‘Authenticated’ on the server. I have checked the effect of this and if I turn off all security in the client send, then I get ‘Signature is invalid’ – which is understandable and shows that it’s definitely looking for a sig.

Are there any special ports that I need to check are open for cert-based MSMQ auth?

Thanks, Kris

A: 

Have a look at http://www.controlsystemworks.com/articles/CertificateSecurityForWcfOverMsmq.html

I think you need to set up both client and server certificates.

Kind Regards

Alex

Alex Lazic
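As an added illustration of the two-sided setup Alex refers to, the sketch below is not code from either poster or from the linked article. It builds one NetMsmqBinding with the question's settings and uses it on both the service host and the client factory, attaches a server certificate on the host and the "CN=Kristan" client certificate on the factory, and adds a pre-flight store check that fails early when the certificate WCF would look up is missing, ambiguous, or has a private key the current account cannot read. The contract IImportService, the class names, the queue path net.msmq://localhost/private/ImportQueue and the server subject "ImportServer" are placeholders, not values from the page.

```csharp
using System;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;

// Hypothetical contract standing in for the question's IAsyncImportApi.
[ServiceContract]
public interface IImportService
{
    [OperationContract(IsOneWay = true)]   // net.msmq endpoints need one-way operations
    void Import(string payload);
}

public class ImportService : IImportService
{
    public void Import(string payload)
    {
        Console.WriteLine("received: " + payload);
    }
}

public static class MsmqCertificateSetup
{
    // One binding factory for both sides so the security settings cannot drift apart:
    // transport security, certificate authentication, every message signed.
    public static NetMsmqBinding CreateBinding()
    {
        var binding = new NetMsmqBinding();
        binding.Security.Mode = NetMsmqSecurityMode.Transport;
        binding.Security.Transport.MsmqAuthenticationMode = MsmqAuthenticationMode.Certificate;
        binding.Security.Transport.MsmqProtectionLevel = ProtectionLevel.Sign;
        binding.ExactlyOnce = false;          // no transactional queue required
        binding.UseActiveDirectory = false;   // workgroup mode, as in the question
        return binding;
    }

    // Service side: the same binding plus the server certificate Alex mentions.
    // Queue path and subject name are placeholders.
    public static ServiceHost CreateHost()
    {
        var host = new ServiceHost(typeof(ImportService));
        host.AddServiceEndpoint(typeof(IImportService), CreateBinding(),
            "net.msmq://localhost/private/ImportQueue");
        host.Credentials.ServiceCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My,
            X509FindType.FindBySubjectName, "ImportServer");
        return host;
    }

    // Client side: the same binding plus the sender certificate from the question.
    public static ChannelFactory<IImportService> CreateClientFactory(string endpointUri)
    {
        var factory = new ChannelFactory<IImportService>(CreateBinding(),
            new EndpointAddress(new Uri(endpointUri)));
        factory.Credentials.ClientCertificate.SetCertificate(
            "CN=Kristan", StoreLocation.CurrentUser, StoreName.My);
        return factory;
    }

    // Pre-flight check: confirm the certificate WCF will look up is in the store the
    // process can see, is unique, and has a private key this account may use.
    // A certificate whose key the process account cannot read cannot sign anything,
    // and this surfaces that before any send attempt is made.
    public static X509Certificate2 RequireSigningCertificate(
        string subjectDn, StoreLocation location, StoreName name)
    {
        var store = new X509Store(name, location);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            X509Certificate2Collection matches = store.Certificates.Find(
                X509FindType.FindBySubjectDistinguishedName, subjectDn, false);
            if (matches.Count == 0)
                throw new InvalidOperationException(
                    subjectDn + " not found in " + location + "/" + name);
            if (matches.Count > 1)
                throw new InvalidOperationException(
                    "ambiguous subject " + subjectDn + ": " + matches.Count + " certificates");

            X509Certificate2 cert = matches[0];
            if (!cert.HasPrivateKey)
                throw new InvalidOperationException(subjectDn + " has no private key");
            // Reading the key forces the access check under the current account;
            // a CryptographicException here means the key file permissions are the problem.
            if (cert.PrivateKey == null)
                throw new InvalidOperationException(subjectDn + ": private key not accessible");
            return cert;
        }
        finally
        {
            store.Close();
        }
    }
}
```

Run RequireSigningCertificate("CN=Kristan", StoreLocation.CurrentUser, StoreName.My) under the same account as the sending process before calling CreateClientFactory; the StoreLocation and StoreName arguments must be the ones passed to SetCertificate, since a certificate visible to an interactive user is not necessarily visible to a service account. The check only establishes that the certificate is usable by the process; it does not by itself explain the queue manager's error code.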
A: 

I have the same problem and could not figure this out. However, I get a slightly different error message (0xc00e002c), but the situation is the same - trying to use Transport security with Certificate, but it simply does not work. If I use the same certificate for message security, it works fine.

By the way - if I impersonate the ASPNET process to run as the current user (which has more rights), everything works as expected (no errors). I have also found the certificate file and granted the ASPNET account all possible permissions on it, but that does not help either.

Sazug