PROPID_M_AUTH_LEVEL
Applies To: Windows 10, Windows 7, Windows 8, Windows 8.1, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server Technical Preview, Windows Vista
(Write-only.) The PROPID_M_AUTH_LEVEL property specifies whether the message should be authenticated and what type of digital signature is used.
Property ID
PROPID_M_AUTH_LEVEL
Type Indicator
VT_UI4
MQPROPVARIANT Field
ulVal
Property Value
This property can be set to one or more of the following values:
MQMSG_AUTH_LEVEL_NONE
The default. The message is not signed. Message Queuing does not need to authenticate the message when it reaches the queue.
MQMSG_AUTH_LEVEL_ALWAYS
The Message Queuing runtime signs the message using one or two types of digital signatures (this setting cannot be combined with other settings).
Non-SRMP messages are signed based on the value of the source computer digital signature registry entry. If the registry entry is not added and set, an MSMQ 1.0 signature is used. (For information on setting the source computer digital signature registry entry, see Digital Signature Registry Entries.)
SRMP messages are signed with an XML digital signature. (For information on the digital signature used to sign SRMP messages, see XML Digital Signatures.)
MQMSG_AUTH_LEVEL_MSMQ10
Obsolete. This value is superseded by MQMSG_AUTH_LEVEL_SIG10.
MQMSG_AUTH_LEVEL_MSMQ20
Obsolete. This value is superseded by MQMSG_AUTH_LEVEL_SIG20.
MQMSG_AUTH_LEVEL_SIG10
Supersedes MQMSG_AUTH_LEVEL_MSMQ10 in MSMQ 3.0. (This setting can be combined with MQMSG_AUTH_LEVEL_SIG20, MQMSG_AUTH_LEVEL_SIG30, or both.)
For non-SRMP messages, the Message Queuing runtime ignores the source computer digital signature registry entry and signs the message using only an MSMQ 1.0 signature.
For SRMP messages, the message is signed using an XML digital signature.
MQMSG_AUTH_LEVEL_SIG20
Supersedes MQMSG_AUTH_LEVEL_MSMQ20 in MSMQ 3.0. (This setting can be combined with MQMSG_AUTH_LEVEL_SIG10, MQMSG_AUTH_LEVEL_SIG30, or both.)
For non-SRMP messages, the Message Queuing runtime ignores the source computer digital signature registry entry and signs the message using an MSMQ 2.0 signature. (This setting cannot be used when sending messages to multiple destinations using distribution lists, multicast addresses, or multiple-element format names.)
For SRMP messages, the message is signed using an XML digital signature.
MQMSG_AUTH_LEVEL_SIG30
Introduced in MSMQ 3.0. (This setting can be combined with MQMSG_AUTH_LEVEL_SIG10, MQMSG_AUTH_LEVEL_SIG20, or both.)
For non-SRMP messages, the Message Queuing runtime ignores the source computer digital signature registry entry and signs the message using a multiple-destination digital signature (introduced in MSMQ 3.0) or an MSMQ 2.0 signature.
An MSMQ 3.0 multiple-destination digital signature is used if the message is sent using distribution lists or multiple-element format names.
An MSMQ 2.0 signature is used if the message is sent without using distribution lists, multicast addresses, or multiple-element format names.
HTTP messages and multicast messages, which are both sent as SRMP packets, are signed using an XML digital signature.
Remarks
The PROPID_M_AUTH_LEVEL property is only used by the sending application to request authentication. When authentication is requested, Message Queuing creates a single XML digital signature for HTTP messages or multicast messages (SRMP messages) and one or two of the three non-XML digital signatures for non-SRMP messages. The digital signatures created are used to digitally sign the message when it is sent and to authenticate the message when it reaches the computer where the destination queue resides. For more information on authenticating messages, see Message Authentication.
Authentication can be enforced at the queue level by setting the PROPID_Q_AUTHENTICATE property of the queue. When a message is sent to a queue that only accepts authenticated messages and the authentication level of the message is set to MQMSG_AUTH_LEVEL_NONE, the message is rejected when it reaches the queue.
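The combination rules listed under Property Value, together with the queue-level rejection described above, can be checked before a message is sent. The following is an added example, not code from the Message Queuing documentation: the `SIG_*` result bits, `struct send_ctx`, and both function names are hypothetical, the `MQMSG_AUTH_LEVEL_*` values repeat those in the Windows SDK header mq.h so the code builds without it, and SIG20 is assumed to be invalid for multiple destinations even when combined with other flags.

```c
#include <stdbool.h>
#include <stdint.h>

/* Values as defined in the Windows SDK header mq.h, repeated so this builds anywhere. */
#ifndef MQMSG_AUTH_LEVEL_NONE
#define MQMSG_AUTH_LEVEL_NONE   0u
#define MQMSG_AUTH_LEVEL_ALWAYS 1u
#define MQMSG_AUTH_LEVEL_SIG10  2u
#define MQMSG_AUTH_LEVEL_SIG20  4u
#define MQMSG_AUTH_LEVEL_SIG30  8u
#endif

/* Hypothetical result bits: which signature(s) the runtime would create. */
enum {
    SIG_UNSIGNED  = 0x00,
    SIG_MSMQ10    = 0x01,
    SIG_MSMQ20    = 0x02,
    SIG_MULTIDEST = 0x04, /* MSMQ 3.0 multiple-destination signature */
    SIG_XML       = 0x08, /* SRMP message (HTTP or multicast) */
    SIG_REGISTRY  = 0x10, /* decided by the source computer registry entry */
    SIG_INVALID   = 0x80  /* combination the property description rules out */
};

/* Hypothetical description of one send operation. */
struct send_ctx {
    bool srmp;         /* HTTP or multicast message */
    bool multi_dest;   /* non-SRMP: distribution list or multiple-element format name */
    bool registry_set; /* digital signature registry entry added and set */
};

unsigned resolve_signatures(uint32_t level, const struct send_ctx *c)
{
    const uint32_t sigs = MQMSG_AUTH_LEVEL_SIG10 | MQMSG_AUTH_LEVEL_SIG20 | MQMSG_AUTH_LEVEL_SIG30;
    unsigned out = 0;

    if (level & ~(MQMSG_AUTH_LEVEL_ALWAYS | sigs)) return SIG_INVALID; /* unknown bits */
    if (level == MQMSG_AUTH_LEVEL_NONE) return SIG_UNSIGNED;
    if ((level & MQMSG_AUTH_LEVEL_ALWAYS) && (level & sigs)) return SIG_INVALID; /* ALWAYS stands alone */
    if (c->srmp) return SIG_XML; /* SRMP always gets one XML signature */
    if (level == MQMSG_AUTH_LEVEL_ALWAYS) return c->registry_set ? SIG_REGISTRY : SIG_MSMQ10;
    /* Assumption: SIG20 stays invalid for multiple destinations even when OR-ed with others. */
    if ((level & MQMSG_AUTH_LEVEL_SIG20) && c->multi_dest) return SIG_INVALID;
    if (level & MQMSG_AUTH_LEVEL_SIG10) out |= SIG_MSMQ10;
    if (level & MQMSG_AUTH_LEVEL_SIG20) out |= SIG_MSMQ20;
    if (level & MQMSG_AUTH_LEVEL_SIG30) out |= c->multi_dest ? SIG_MULTIDEST : SIG_MSMQ20;
    return out;
}

/* True when a queue that only accepts authenticated messages would reject the message. */
bool rejected_by_auth_queue(uint32_t level, bool queue_requires_auth)
{
    return queue_requires_auth && level == MQMSG_AUTH_LEVEL_NONE;
}
```
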
Message Queuing provides different digital signatures for SRMP and non-SRMP messages. Non-SRMP signatures include the following (for a complete description, including the message properties used to create these signatures, see Digital Signatures):
MSMQ 1.0 signatures
MSMQ 2.0 signatures
Multiple-destination digital signatures (introduced in MSMQ 3.0)
XML digital signatures (introduced in MSMQ 3.0) are used whenever an SRMP message requests authentication.
The following digital signature registry entries can be added and set to specify what type of digital signature is used for non-SRMP messages. When MQMSG_AUTH_LEVEL_ALWAYS is specified, the Message Queuing runtime creates digital signatures based on the value of the digital signature registry entry on the source computer.
HKLM\SOFTWARE\Microsoft\MSMQ\Parameters\Security\SendMsgAuthn
HKLM\SOFTWARE\Microsoft\MSMQ\Parameters\Security\RcvOnlyEnhMsgAuthn
For details on setting these registry entries, see Digital Signature Registry Entries.
The receiving application can check to see if authentication was requested by retrieving one of the following read-only message properties: PROPID_M_AUTHENTICATED and PROPID_M_AUTHENTICATED_EX (introduced in MSMQ 2.0).
The PROPID_M_AUTH_LEVEL property is write-only. If the receiving application attempts to retrieve the PROPID_M_AUTH_LEVEL property, MQReceiveMessage or MQReceiveMessageByLookupId returns the warning MQ_INFORMATION_PROPERTY, the individual result for the PROPID_M_AUTH_LEVEL property is MQ_INFORMATION_PROPERTY_IGNORED, and the other properties are received correctly.
To set the authentication level of a message, include PROPID_M_AUTH_LEVEL in the MQMSGPROPS structure and call MQSendMessage.
Equivalent COM Property
With COM components, the equivalent property is MSMQMessage.AuthLevel.
Example Code
The following code fragment shows how PROPID_M_AUTH_LEVEL is specified in arrays that can be used to initialize an MQMSGPROPS structure.
```c
aMsgPropId[i] = PROPID_M_AUTH_LEVEL;             // Property ID
aMsgPropVar[i].vt = VT_UI4;                      // Type indicator
aMsgPropVar[i].ulVal = MQMSG_AUTH_LEVEL_ALWAYS;  // VT_UI4 values are stored in ulVal
i++;
```
The following examples are included in Using Message Queuing.
For an example of | See |
---|---|
Requesting authentication using an internal certificate | C/C++ Code Example: Requesting Authentication Using an Internal Certificate |
Requesting authentication using an external certificate | C/C++ Code Example: Requesting Authentication Using an External Certificate |
See Also
Message Properties
MQMSGPROPS
MQSendMessage
MSMQMessage.AuthLevel
PROPID_Q_AUTHENTICATE
PROPID_M_AUTHENTICATED
PROPID_M_AUTHENTICATED_EX