I create a queue on my local machine in some other process as follows:
MessageQueue.Create(#".\private$\sampleQueue");
And in my reader process, I attach to it as follows:
var queue = new MessageQueue(#".\private$\sampleQueue");
When I try to do queue.Peek(), I get an access denied exception. I'm not on a domain, this is just my local workgroup computer. Any ideas?
MSMQ uses different protocols for it's work:
Pushing information (sending messages) uses MSMQ protocol.
Pulling information (receiving messages, getting properties, etc) using RPC protocol.
If it is not a simple permissions issue (which it is very likely to be) then you need this blog post:
Understanding how MSMQ security blocks RPC traffic
http://blogs.msdn.com/b/johnbreakwell/archive/2010/03/24/understanding-how-msmq-security-blocks-rpc-traffic.aspx
Cheers
John
If you r-click on the queue in Computer Management and select properties, do you have the appropriate permissions set on the Security tab?
The credentials used by the process that creates the queue must be different from the credentials of the process used to read the queue. If that is the way it must be, then you will need to specifically grant the needed read permissions on the queue after you create it.
Related
1) i like to know how sql server establish a channel between client & db. i guess there must be a channel and that why sql server can send notification to client through that channel. please discuss this issue in detail. because i saw many article on sql dependency but every body gives the code but no body explaining how it works in details.
What is Service Broker?
Service Broker architecture allows you to build loosely coupled SQL Server instances so that the instances talk with each other using normal form of messaging. Service Broker uses TCP/IP to transmit messages form the network and hence allows encrypted messaging. It is both for applications which use SQL Server instance or for applications that distribute the work into more than one SQL server instance. Service Broker allows to use Queue to hold messages and hence the messages are processed one by one without the caller to wait to receive the message.
1) i like to know service broker pass the message always in encrypted format?
2) Service Broker allows to use Queue to hold messages. what is the name of that queue used by service broker. how can i see what is stored in that queue?
3) i saw many people create queue but did not mention why they created? they also did not use that queue in their code. here is one url & sample code
http://www.dreamincode.net/forums/topic/156991-using-sqldependency-to-monitor-sql-database-changes/
CREATE QUEUE NameChangeQueue;
CREATE SERVICE NameChangeService ON QUEUE NameChangeQueue ([http://schemas.microsoft.com/SQL/Notifications/PostQueryNotification]);
GRANT SUBSCRIBE QUERY NOTIFICATIONS TO YourUserName;
ALTER DATABASE YourDatabaseName SET ENABLE_BROKER;
they never use NameChangeQueue queue why ?? how do i know who will use this queue?
4) even i saw people create role but never know why role would be require in this case?
so please discuss ALL my points in detail because i need to understand all the points. thanks
First read The Mysterious Notification to understand how Query Notifications work. SqlDependency is just a .Net wrapper leveraging Query Notifications. This should answer most of your questions.
Query Notifications deliver the notifications using Service Broker (SSB) locally to a queue in the database. While SSB can encrypt traffic, this is irrelevant for SqlDependency since the delivery is local, within the server process. The client application gets the notifications by posting a WAITFOR(RECEIVE) on the queue using an ordinary SqlConnection.
In the example you posted the NameChangeQueue is never used, indeed. By using a SqlDependency object the author is actually using the temporary queue deployed just-in-time when it called SqlDependency.Start(). The author could had used instead the lower level SqlNotificationRequest as described in Using SqlNotificationRequest to Subscribe to Query Notifications which allows you to specify the queue to be used.
The permissions required are described in Query Notification Permissions, but if you use SqlDependency then you will also need permissions to create the temporary queue and stored procedure used by SqlDependency.
Read the articles linked and if you have more questions, ask them as new questions here (don't post more questions as comments please).
I have created a Private MSMQ and I am able to send messages to it. What I am now looking to do is to only allow a single user access to the queue and then send messages to that queue using that users credentials.
I am thinking about impersonating the user (I have an impersonator class) before sending the message but not sure how to do this.
any ideas on whats the best way to do this.
Oh! I am using C#.
What user will be running the executable? You can simply give that user access to the queue, and avoid impersonation altogether.
Impersonation is usually useful when you try to run different pieces of code as several different users. If you don't need several users, don't bother with impersonating at all.
I am running a windows service to which I send messages over a NetNamedPipeBinding. The messages are send from a client application which is triggered by a GPO. I just installed the service and client on a new server and I'm getting the following message:
System.ServiceModel.EndpointNotFoundException:
There was no endpoint listening at
net.pipe://localhost/VOXAServices/VOXADefaultPipe that could accept the
message. This is often caused by an incorrect address or SOAP action.
See InnerException, if present, for more details.
There is no inner exception. If I run the client application by double-clicking it's icon on the desktop, it runs without a problem. I manage the code for both the windows service and client application, so I can change whatever I need to. But so far, I'm pretty convinced that the binding, contract, and address are all correct (since everything runs fine when run from the desktop). I believe the problem must be with the client app being run from a GPO. But I can't think of any reason why that would cause this error.
UPDATE:
I read this this on Microsoft's website:
A named pipe is an object in the Windows operating system kernel, such
as a section of shared memory that processes can use for
communication. A named pipe has a name, and can be used for one-way or
duplex communication between processes on a single machine.
When communication is required between different WCF applications on a
single computer, and you want to prevent any communication from
another machine, then use the named pipes transport. An additional
restriction is that processes running from Windows Remote Desktop may
be restricted to the same Windows Remote Desktop session unless they
have elevated privileges.
(Choosing a Transport, Emphasis added)
I need the client process to run in the context of the (unprivileged) user and having a UAC dialog pop up is not an option. Is there anyway for me to give this client process elevated privileges while keeping the process running in the user context and not making the user privileged?
UPDATE #2:
It appears that there is such a thing as global and local (to the windows session) Named Pipes. I believe my windows service is creating a local named pipe and that if I can force it to create a global named pipe, it would solve my problem. (This explains why I couldn't see my pipe in sysinternals "Process Explorer", even though my client app could find it if I launched it from a privileged session). The trouble is, I don't know (and can't seem to find out) how to force a named pipe to be created globally (c#). Any ideas?
The mechanism by which WCF clients find WCF service NetNamedPipe endpoints involves a kernel shared memory object which the service uses to tell clients the actual name of the pipe to be used. If clients are going to be in a different logon session to the server, this shared memory object must be in the Global and not the Local kernel namespace. The named pipes themselves have a single namespace, visible to all clients. You cannot directly control the namespace WCF uses for the shared memory object, but it will be the Global kernel namespace provided that your server is a Windows Service running with SeCreateGlobalPrivilege. Your question seems to imply that this is the case, so I'm sceptical whether your problem is connected with kernel object namespaces.
Two other possible causes are:
The ACLs which protect both the shared memory object and the named pipe. These will always deny access to any security context which has membership of the NETWORK USERS group (SID S-1-5-2). This enforces the WCF guarantee of no remote access to named pipe endpoints.
If you are running on Vista or later, the Mandatory Integrity level of the client process must not be lower than the Mandatory Integrity level of the kernel objects (which will be the implied level - Medium - unless you have taken special steps to elevate using Mandatory Integrity Labels)
I don't know enough about the security context in which your client process started by the GPO would run to advise further, but I suggest you check these two possibilities and post further updates to your question accordingly.
It is possible have one MSMQ queue in one machine and read masseges from that queue from another machine?
If yes, what is the path i should use in Create method from MessageQueue class?
Thanks
It's definitely possible to read messages from a queue on another machine, depending on which version of Windows you're running. It seems you're also asking if it's possible to create message queues on another machine. According to the documentation here, you simply use the format "MachineName\Private$\QueueName" for a private queue or "MachineName\QueueName" for a public queue.
In my experience, getting the permissions set up to allow remote message queue reading is a bit tricky; getting the right permissions set for allowing the creation of message queues might be even trickier. You may want to consider using pre-created message queues.
I need to create a Private message queue on a Remote computer. All me research indicates this is not possible through the System.Messaging objects. Can anyone confirm/deny this. My other option is to create an addition service on the remote host that listens for requests to create queues and then creates them locally.
Any better/simpler ideas would be welcome.
You can't and you shouldn't.
MSMQ works like a mailbox, you only have to create an inbox, the outbox is created by MSMQ itself.
Indeed just create a sperate service that creates the queue on the remote machine, by installing it localy.
You can't and its annoying. MSMQ is strange in the windows environment. there are allot of differences about what you can do locally and remotely. There is nothing reasonable to do about it. Just live with it.