views:

337

answers:

3

My team is on our first attempt at using NServiceBus (v2.0), using MSMQ as the backing storage. We're getting stuck on queue permissions.

We're using it in a Web Forms application, where the user account the website runs under is not an administrator on the machine.

When NServiceBus creates the MSMQ queue, it gives the local administrators group full control, and the local everyone and anonymous groups permissions to send messages.

But then later, as part of initializing the queue, NServiceBus tries to read all of its messages. That's where we run into the permissions error. Since the website isn't running as an administrator, it's not allowed to read messages.

How are other people dealing with this? Do your applications run as administrators? Or do you create the MSMQ queue in your code first, giving it the permissions you need, so that NServiceBus doesn't have to create it? Or is there a bit of configuration we're missing? Or are we likely writing our code that uses NServiceBus incorrectly to be running into this?

A: 

change ownership of the queue, it's the only thing that worked for me in a similar situation

Allen
Do you mean that we should do that programmatically by changing how we use NServiceBus or by hand?
Amy T
+1  A: 

This blog post should help:

http://blogs.msdn.com/johnbreakwell/archive/2009/08/03/default-msmq-queue-permissions-have-changed-in-msmq-4-0.aspx

Especially:

"If you want to set permissions when you create queues, you can always build the desired security descriptor and pass it in the pSecurityDescriptor parameter of MQCreateQueue (http://msdn.microsoft.com/en-us/library/ms701768(VS.85).aspx). You can't, though, customise the defaults as they are hard-coded."

Cheers
John Breakwell (ex-MSFT)

John Breakwell
Interesting. We actually do set our own custom permissions on the queue in some older code where it's our code that creates the queue. Right now, though, the trouble is that we're letting NServiceBus create the queue for us, and I can't find a way to make it create the queues with permissions other than the NServiceBus defaults. I'm starting to lean toward making sure the queue is there with the right permissions before we start trying to use it with NServiceBus.
Amy T
+1  A: 

We create the queues in an Installer subclass and execute it as part of the msi install. Ownership of the queue is a shortcut, but the relevant permissions can be set through AccessControlList:

MessageQueue queue = MessageQueue.Create(queueName, true);
AccessControlList permissions = new AccessControlList();
permissions.Add(new MessageQueueAccessControlEntry(
    new Trustee(this.serviceProcessInstaller.Username),
    MessageQueueAccessRights.FullControl, 
    AccessControlEntryType.Set));
// Add additional permissions for admins & message-sending accounts
queue.SetPermissions(permissions);

I feel the queue auto-creation feature of NServiceBus is better suited for development, not deployment.

Sam
Yes, I ended up hearing something similar over on the NServiceBus group: http://tech.groups.yahoo.com/group/nservicebus/message/7391. Auto-creation of the queue is meant for a development, not production, environment, and we should create the queue ourselves and give it the permissions we need.
Amy T