MSMQMessage.AuthLevel

 

Applies To: Windows 10, Windows 7, Windows 8, Windows 8.1, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server Technical Preview, Windows Vista

The AuthLevel property of the MSMQMessage object specifies whether the message should be authenticated and what type of digital signature is used.

Data type: Long
Run-time access: Read/write
Property AuthLevel As Long  

Property Value

AuthLevel can be set to one of the following values:

MQMSG_AUTH_LEVEL_NONE

The default. The message is not signed. Message Queuing does not need to authenticate the message when it reaches the queue.

MQMSG_AUTH_LEVEL_ALWAYS

Message Queuing runtime signs the message using one or two types of digital signatures.

Non-SRMP messages are signed based on the value of the source computer digital signature registry entry. If the registry entry is not added and set, an MSMQ 1.0 signature is used. (For information on setting the source computer digital signature registry entry, see Digital Signature Registry Entries.)

SRMP messages are signed with an XML digital signature. (For information on the digital signature used to sign SRMP messages, see XML Digital Signatures.)

MQMSG_AUTH_LEVEL_MSMQ10

Obsolete. This value is superseded by MQMSG_AUTH_LEVEL_SIG10.

MQMSG_AUTH_LEVEL_MSMQ20

Obsolete. This value is superseded by MQMSG_AUTH_LEVEL_SIG20.

MQMSG_AUTH_LEVEL_SIG10

Supersedes MQMSG_AUTH_LEVEL_MSMQ10 in MSMQ 3.0. For non-SRMP messages, the Message Queuing runtime ignores the source computer digital signature registry entry and signs the message using only an MSMQ 1.0 signature.

For SRMP messages, the message is signed using an XML digital signature.

MQMSG_AUTH_LEVEL_SIG20

Supersedes MQMSG_AUTH_LEVEL_MSMQ20 in MSMQ 3.0. For non-SRMP messages, the Message Queuing runtime ignores the source computer digital signature registry entry and signs the message using an MSMQ 2.0 signature. (This setting cannot be used when sending messages to multiple destinations using distribution lists, multicast addresses, or multiple-element format names.)

For SRMP messages, the message is signed using an XML digital signature.

In C++ COM applications, if the AuthLevel property is set to this value, you must use a smart pointer to the IMSMQMessage3 interface to expose this property.

MQMSG_AUTH_LEVEL_SIG30

Introduced in MSMQ 3.0. For non-SRMP messages, the Message Queuing runtime ignores the source computer digital signature registry entry and signs the message using a multiple-destination digital signature (introduced in MSMQ 3.0) or an MSMQ 2.0 signature.An MSMQ 3.0 multiple-destination digital signature is used if the message is sent using distribution lists or multiple-element format names.

An MSMQ 2.0 signature is used if the message is sent without using distribution lists, multicast addresses, or multiple-element format names.

HTTP messages and multicast messages, which are both sent as SRMP packets, are signed using an XML digital signature.

In C++ COM applications, if the AuthLevel property is set to this value, you must use a smart pointer to the IMSMQMessage3 interface to expose this property.

Remarks

The AuthLevel property is only used by the sending application to request authentication. When authentication is requested, Message Queuing creates an XML digital signature for HTTP messages or multicast messages (SRMP messages) and one or two of the three non-XML digital signatures for non-SRMP messages. The digital signature created is used to digitally sign the message when it is sent and to authenticate the message when it reaches the computer where the destination queue resides. For more information on authenticating messages, see Message Authentication.

For information on how Message Queuing authenticates messages, see Message Authentication.

Authentication can be enforced at the queue level by setting the MSMQQueueInfo.Authenticate property of the queue. When sending messages to queues that only accept authenticated messages, the message will be rejected when it reaches the queue if the authentication level of a message is set to MQMSG_AUTH_LEVEL_NONE.

Message Queuing provides different digital signatures for SRMP and non-SRMP messages. Non-SRMP signatures include the following (for a complete description, including the message properties used to create these signatures, see Digital Signatures):

  • MSMQ 1.0 signatures

  • MSMQ 2.0 signatures

  • Multiple-destination digital signatures (introduced in MSMQ 3.0)

XML digital signatures (introduced in MSMQ 3.0) are used whenever an SRMP message requests authentication.

The following digital signature registry entries can be added and set to specify what type of digital signature is used for non-SRMP messages. When MQMSG_AUTH_LEVEL_ALWAYS is specified, the Message Queuing runtime creates digital signatures based on the value of the digital signature registry entry on the source computer.

HKLM\SOFTWARE\Microsoft\MSMQ\Parameters\Security\SendMsgAuthn  
HKLM\SOFTWARE\Microsoft\MSMQ\Parameters\Security\RcvOnlyEnhMsgAuthn  

For details on setting these registry entries, see Digital Signature Registry Entries.

The receiving application can check to see if authentication was requested by retrieving one of the following read-only message properties: MSMQMessage.IsAuthenticated2 and MSMQMessage.ReceivedAuthenticationLevel (introduced in MSMQ 2.0).

Equivalent API Function Property

With API function calls, the equivalent property is PROPID_M_AUTH_LEVEL.

Example Code

The following examples are included in Using Message Queuing.

For an example of See
Setting the authentication level when requesting authentication using an internal certificate Visual Basic Code Example: Requesting Authentication Using an Internal Certificate
Setting the authentication level when requesting authentication using an external certificate Visual Basic Code Example: Requesting Authentication Using an External Certificate
Retrieving the authentication level of a message to validate authentication Visual Basic Code Example: Validating Authentication
Setting the authentication level of the queue to enforce authentication Visual Basic Code Example: Enforcing Authentication

Requirements

Windows NT/2000/XP: Included in Windows NT 4.0 SP3 and later.

Windows 95/98/Me: Included in Windows 95 and later.

Header: Declared in Mqoai.h.

Library: Use Mqoa.lib

See Also

MSMQMessage
MSMQMessage.IsAuthenticated2
MSMQMessage.ReceivedAuthenticationLevel
MSMQQueueInfo.Authenticate
PROPID_M_AUTH_LEVEL