Hi,

We have a system using two machines to do some processing. Let's call the machine that does the processing PROCESSOR, and the machine giving it items to process SERVER. Both are running Windows Server 2008. We have one Windows Service running on SERVER which needs to use MSMQ to send messages to a public queue on PROCESSOR.

On PROCESSOR, we have another Windows Service which pulls items from the queue for processing.

The two machines are in the same domain, and all works fine if we run both services under accounts with domain admin privileges. However, we need the accounts to have the minimum privileges possible (particularly for the service on SERVER).

Before elevating the rights of the account we're using for the service on PROCESSOR, I tried giving it full rights to MSMQ. However, this didn't seem to be enough, and as soon as the service tried to do anything with MSMQ (first thing it does on starting is to check if relevant queues exist), I got an exception saying "Access to Message Queuing is denied".

Does anybody know what permissions need to be granted to an AD account in order for it to be able to use MSMQ?

Thanks,

Andrew

A: 

Run your service under a defined system account, like (I believe Network), then set the permissions on the MSMQ to full control for that.

When I've used this in the past I just cheated and allowed access to "Everyone". But in a domain setting the best way is to create a domain user and set that for the service and permissions on the MQ.

Clarence Klopfstein
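
An added example, not part of the original question or answer: one way to give the two domain service accounts narrower per-queue rights than full control or "Everyone", using the .NET `System.Messaging` API from PowerShell on PROCESSOR. The queue path and account names are placeholders, and it assumes PowerShell 2.0 or later and an operator who is allowed to change the queue's permissions.

```powershell
# Added example. Run on PROCESSOR as an account that may change the
# queue's permissions. Queue path and account names are placeholders.
Add-Type -AssemblyName System.Messaging

$queuePath    = '.\items'                  # hypothetical public queue on PROCESSOR
$senderAcct   = 'EXAMPLE\svc-server'       # hypothetical account of the service on SERVER
$receiverAcct = 'EXAMPLE\svc-processor'    # hypothetical account of the service on PROCESSOR

# MessageQueueAccessRights is a flags enum, so a comma-separated string
# casts to the combined value.
$sendRights    = [System.Messaging.MessageQueueAccessRights]'WriteMessage, GetQueueProperties'
$receiveRights = [System.Messaging.MessageQueueAccessRights]'ReceiveMessage, GetQueueProperties'

# 'Set' replaces whatever rights the account already holds on this queue,
# so the result is exactly the rights listed above ('Allow' would add to them).
$set = [System.Messaging.AccessControlEntryType]::Set

if (-not [System.Messaging.MessageQueue]::Exists($queuePath)) {
    throw "Queue '$queuePath' was not found."
}

$queue = New-Object System.Messaging.MessageQueue($queuePath)
try {
    # The sending service only needs to write messages.
    $queue.SetPermissions($senderAcct, $sendRights, $set)

    # The processing service only needs to receive (which includes peek).
    $queue.SetPermissions($receiverAcct, $receiveRights, $set)

    Write-Output "Permissions set on $($queue.Path)"
}
finally {
    $queue.Dispose()
}
```

These entries apply to the queue object only; checking whether a public queue exists is a directory lookup and is not governed by the queue's own access list.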