Message Authentication

 

Applies To: Windows 10, Windows 7, Windows 8, Windows 8.1, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server Technical Preview, Windows Vista

Message authentication provides two services. It provides a way to ensure message integrity and a way to verify who sent the message. To request authentication, the sending application must set the authentication level of the message to be authenticated. When authentication is requested, a digital signature and a user certificate are attached to the message in addition to the sender's SID, which is attached to all messages in the sender identifier property (PROPID_M_SENDERID or MSMQMessage.SenderId) by default. An internal certificate generated by Message Queuing or an external certificate supplied by a certification authority can be used. By default, Message Queuing attaches the internal certificate for the user to the message. An external certificate can be attached directly by the sending application, or an internal or external certificate can be attached by Message Queuing at the request of the sending application using a security context structure specified in the message.

Authenticating for message integrity ensures that no one has tampered with the message or changed its content. When authentication is requested, the Message Queuing runtime digitally signs the message when it is sent, and the destination queue manager verifies the digital signature before it places the message in the destination queue. Once message integrity is established, Message Queuing verifies who sent the message.

Note

The Message Queuing runtime uses a private signing key to sign the message digitally. The destination queue manager then uses the associated public signing key in the certificate to verify this digital signature.

By default, Message Queuing also authenticates who sent the message. However, the sending application can disable this type of authentication by requesting Message Queuing not to attach the sender identifier to the message. For Message Queuing to verify who sent the message, the sender must have a certificate registered in the directory service before sending the message. Registering a certificate stores the public part of the certificate in the directory service under the applicable user object. The destination queue manager then uses the digest of the certificate to locate the certificate in the directory service and retrieve the security identifier (SID) of the user who registered the certificate. The queue manager then compares this identifier to the sender identifier attached to the message, and if they are the same, the queue manager authenticates the message and places it in the destination queue after verifying that the access rights for placing messages in the queue are allowed for the sender.

Note

Message Queuing cannot perform sender authentication based on the sender's SID in a workgroup environment or for messages sent from another forest or a computer that does run on a Windows® operating system. In a workgroup environment, Message Queuing cannot access the directory service, so you cannot register a certificate, and the SID of a user in one forest is meaningless in another forest.

Similarly, Message Queuing cannot authenticate the sender of a message sent over HTTP/HTTPS or to a multicast address (an SRMP message) by comparing the SID of the user who registered the certificate with the sender identifier because the sender identifier is not conveyed in SRMP messages.

The process that Message Queuing uses to authenticate a message is the same regardless of the type of certificate that you attach to the message. The following paragraphs provide a brief description of what information each type of certificate contains and how the receiving application can use that information.

Internal Certificates

When Message Queuing is installed, an internal certificate is automatically created for the user running setup on the local computer. The first time that the user logs on to the local computer in domain mode, Message Queuing automatically registers the certificate in the directory service provided the computer can communicate with a domain controller. For more information on creating and registering internal certificates, see the Message Queuing online Help.

Internal certificates are used when operating in a Windows 2000 or Windows Server 2003 domain, where the sender identifier registered with the certificate is a SID. Without this SID, Message Queuing would not be able to authenticate who sent the message.

An internal certificate contains the public key and security identifier (SID) of the user who registered the certificate. Due to the fact that the SID is also attached to the message in its sender identifier property (PROPID_M_SENDERID or MSMQMessage.SenderId), the information in the certificate is of little use to the receiving application.

External Certificates

An external certificate is obtained from a certification authority (CA) that is trusted by the sending and receiving applications. External certificates are used when you send messages to operating environments other than the Windows 2000 or Windows Server 2003 family—environments where the sender's security identifier (SID) is meaningless. External certificates are also used when you are working in a workgroup environment or when you are working in a Windows 2000 or Windows Server 2003 domain environment and want to use more than just the sender identifier attached to the message to validate who sent the message.

Each external certificate contains the public key of the sender along with additional information requested by the certification authority that created the certificate. This additional information is not used by Message Queuing, but it may be used by the receiving application to further validate who sent the message.

A receiving application can retrieve the certificate from a message as an array of bytes (blob) and then use CryptoAPI functions to validate its chain of trust. To do this, you must also install the external certificate on the receiving computer.

Note

The information provided by external certificates is guaranteed by the certification authority that created the certificate. Message Queuing does not validate the information in the certificate.

More Information

For information on See
Using a security context structure When to Use a Security Context Structure
Registering internal or external certificates Registering a Certificate
The process of authenticating messages How Message Queuing Authenticates Messages
An overview of certificates Importing and Exporting Certificates
Importing and exporting certificates Importing and Exporting Certificates

Examples

For an example of See
Requesting authentication using an internal certificate C/C++ Code Example: Requesting Authentication Using an Internal Certificate

 Visual Basic Code Example: Requesting Authentication Using an Internal Certificate
Requesting authentication using an external certificate C/C++ Code Example: Requesting Authentication Using an External Certificate Visual Basic Code Example: Requesting Authentication Using an External Certificate
Validating authentication C/C++ Code Example: Validating Authentication Visual Basic Code Example: Validating Authentication