Sending to MSMQ with Integrated Authentication
What are the rules for
when a client needs to support Active Directory integration for sending to an
MSMQ queue?
The circumstances may seen mysterious for when you need the
client to be joined to a domain to take advantage of Active Directory
integration, but the rules turn out to actually be pretty simple. This should help you avoid seeing errors like
the following:
Binding validation
failed because the binding's MsmqAuthenticationMode property is set to
WindowsDomain but MSMQ is installed with Active Directory integration disabled.
The channel factory or service host cannot be opened.
The authentication mode of the MSMQ transport and the
protection level of the message are interrelated, and these both are related to
when you need to be using Active Directory.
Rather than making you assemble the various combinations as a logic
puzzle, I've digested the results into a table explaining when Active Directory
is required to pass validation.
|
|
Protection None
|
Protection Sign
|
Protection EncryptAndSign
|
|
Authentication None
|
Not required
|
Not supported
|
Not supported
|
|
Authentication Certificate
|
Not supported
|
Not required
|
Required
|
|
Authentication
WindowsDomain
|
Not supported
|
Required
|
Required
|
The same rules apply to both sides so you're covered for the
explanation of the service as well.
Next time: Customizing Exceptions for Validation
