Hi there, my goal is to secure the communication between MSMQ Queue Managers – I don’t want unknown clients sending messages to my MSMQ server.
I have spent many hours now trying to get Transport security working for the net.msmq binding in WCF, where MSMQ is in Workgroup mode and the client and server do not have Active Directory… so I’m using certificates. I have created a new X.509 certificate, called Kristan and put it into the “Trusted people” store on the server and into the My store of Current User of the client.
The error I’m getting is: An error occurred while sending to the queue: Unrecognized error -1072824272 (0xc00e0030).Ensure that MSMQ is installed and running. If you are sending to a local queue, ensure the queue exists with the required access mode and authorization.
Using smartsniff, I see that there’s no attempted connection with the remote MSMQ, however, it’s an error probably coming from the local queue manager. The stack trace is:
at System.ServiceModel.Channels.MsmqOutputChannel.OnSend(Message message, TimeSpan timeout)
at System.ServiceModel.Channels.OutputChannel.Send(Message message, TimeSpan timeout)
at System.ServiceModel.Dispatcher.OutputChannelBinder.Send(Message message, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)
The code:-
EndpointAddress endpointAddress = new EndpointAddress(new Uri(endPointAddress));
NetMsmqBinding clientBinding = new NetMsmqBinding();
clientBinding.Security.Mode = NetMsmqSecurityMode.Transport;
clientBinding.Security.Transport.MsmqAuthenticationMode = MsmqAuthenticationMode.Certificate;
clientBinding.Security.Transport.MsmqProtectionLevel = System.Net.Security.ProtectionLevel.Sign;
clientBinding.ExactlyOnce = false;
clientBinding.UseActiveDirectory = false;
// start new
var channelFactory = new ChannelFactory<IAsyncImportApi>(clientBinding, endpointAddress);
channelFactory.Credentials.ClientCertificate.SetCertificate("CN=Kristan",
StoreLocation.CurrentUser,
StoreName.My);
The queue is flagged as ‘Authenticated’ on the server. I have checked the effect of this and if I turn off all security in the client send, then I get ‘Signature is invalid’ – which is understandable and shows that it’s definitely looking for a sig.
Are there are special ports that I need to check are open for cert-based msmq auth?
thanks Kris