MSMQMessage.AuthLevel
Applies To: Windows 10, Windows 7, Windows 8, Windows 8.1, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server Technical Preview, Windows Vista
The AuthLevel property of the MSMQMessage object specifies whether the message should be authenticated and what type of digital signature is used.
Data type: Long
Run-time access: Read/write
Property AuthLevel As Long
Property Value
AuthLevel can be set to one of the following values:
MQMSG_AUTH_LEVEL_NONE
The default. The message is not signed. Message Queuing does not need to authenticate the message when it reaches the queue.
MQMSG_AUTH_LEVEL_ALWAYS
The Message Queuing runtime signs the message using one or two types of digital signatures.
Non-SRMP messages are signed based on the value of the source computer digital signature registry entry. If the registry entry is not added and set, an MSMQ 1.0 signature is used. (For information on setting the source computer digital signature registry entry, see Digital Signature Registry Entries.)
SRMP messages are signed with an XML digital signature. (For information on the digital signature used to sign SRMP messages, see XML Digital Signatures.)
MQMSG_AUTH_LEVEL_MSMQ10
Obsolete. This value is superseded by MQMSG_AUTH_LEVEL_SIG10.
MQMSG_AUTH_LEVEL_MSMQ20
Obsolete. This value is superseded by MQMSG_AUTH_LEVEL_SIG20.
MQMSG_AUTH_LEVEL_SIG10
Supersedes MQMSG_AUTH_LEVEL_MSMQ10 in MSMQ 3.0. For non-SRMP messages, the Message Queuing runtime ignores the source computer digital signature registry entry and signs the message using only an MSMQ 1.0 signature.
For SRMP messages, the message is signed using an XML digital signature.
MQMSG_AUTH_LEVEL_SIG20
Supersedes MQMSG_AUTH_LEVEL_MSMQ20 in MSMQ 3.0. For non-SRMP messages, the Message Queuing runtime ignores the source computer digital signature registry entry and signs the message using an MSMQ 2.0 signature. (This setting cannot be used when sending messages to multiple destinations using distribution lists, multicast addresses, or multiple-element format names.)
For SRMP messages, the message is signed using an XML digital signature.
In C++ COM applications, if the AuthLevel property is set to this value, you must use a smart pointer to the IMSMQMessage3 interface to expose this property.
MQMSG_AUTH_LEVEL_SIG30
Introduced in MSMQ 3.0. For non-SRMP messages, the Message Queuing runtime ignores the source computer digital signature registry entry and signs the message using a multiple-destination digital signature (introduced in MSMQ 3.0) or an MSMQ 2.0 signature.
An MSMQ 3.0 multiple-destination digital signature is used if the message is sent using distribution lists or multiple-element format names.
An MSMQ 2.0 signature is used if the message is sent without using distribution lists, multicast addresses, or multiple-element format names.
HTTP messages and multicast messages, which are both sent as SRMP packets, are signed using an XML digital signature.
In C++ COM applications, if the AuthLevel property is set to this value, you must use a smart pointer to the IMSMQMessage3 interface to expose this property.
Remarks
The AuthLevel property is only used by the sending application to request authentication. When authentication is requested, Message Queuing creates an XML digital signature for HTTP messages or multicast messages (SRMP messages) and one or two of the three non-XML digital signatures for non-SRMP messages. The digital signature created is used to digitally sign the message when it is sent and to authenticate the message when it reaches the computer where the destination queue resides. For more information on authenticating messages, see Message Authentication.
For information on how Message Queuing authenticates messages, see Message Authentication.
Authentication can be enforced at the queue level by setting the MSMQQueueInfo.Authenticate property of the queue. A message sent to a queue that only accepts authenticated messages is rejected when it reaches the queue if its authentication level is set to MQMSG_AUTH_LEVEL_NONE.
Message Queuing provides different digital signatures for SRMP and non-SRMP messages. Non-SRMP signatures include the following (for a complete description, including the message properties used to create these signatures, see Digital Signatures):
MSMQ 1.0 signatures
MSMQ 2.0 signatures
Multiple-destination digital signatures (introduced in MSMQ 3.0)
XML digital signatures (introduced in MSMQ 3.0) are used whenever an SRMP message requests authentication.
The following digital signature registry entries can be added and set to specify what type of digital signature is used for non-SRMP messages. When MQMSG_AUTH_LEVEL_ALWAYS is specified, the Message Queuing runtime creates digital signatures based on the value of the digital signature registry entry on the source computer.
HKLM\SOFTWARE\Microsoft\MSMQ\Parameters\Security\SendMsgAuthn
HKLM\SOFTWARE\Microsoft\MSMQ\Parameters\Security\RcvOnlyEnhMsgAuthn
For details on setting these registry entries, see Digital Signature Registry Entries.
The receiving application can check to see if authentication was requested by retrieving one of the following read-only message properties: MSMQMessage.IsAuthenticated2 and MSMQMessage.ReceivedAuthenticationLevel (introduced in MSMQ 2.0).
Equivalent API Function Property
With API function calls, the equivalent property is PROPID_M_AUTH_LEVEL.
Example Code
The following examples are included in Using Message Queuing.
For an example of | See |
---|---|
Setting the authentication level when requesting authentication using an internal certificate | Visual Basic Code Example: Requesting Authentication Using an Internal Certificate |
Setting the authentication level when requesting authentication using an external certificate | Visual Basic Code Example: Requesting Authentication Using an External Certificate |
Retrieving the authentication level of a message to validate authentication | Visual Basic Code Example: Validating Authentication |
Setting the authentication level of the queue to enforce authentication | Visual Basic Code Example: Enforcing Authentication |
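As an added example (not code from the original page or from the linked samples), the following VBScript sends a message with AuthLevel set to MQMSG_AUTH_LEVEL_ALWAYS and then checks IsAuthenticated2 and ReceivedAuthenticationLevel on receipt, which is the check a receiver needs when the queue itself does not enforce authentication. It assumes a domain-joined computer with Active Directory-integrated Message Queuing, an internal certificate registered for the current user, and an existing nontransactional queue at the hypothetical path .\private$\authlevel_demo.

```vbscript
' Added example: request authentication when sending, verify it when receiving.
Option Explicit

Const MQ_RECEIVE_ACCESS = 1
Const MQ_SEND_ACCESS = 2
Const MQ_DENY_NONE = 0
Const MQMSG_AUTH_LEVEL_ALWAYS = 1
Const QUEUE_PATH = ".\private$\authlevel_demo"   ' hypothetical; must already exist

Dim qinfo, sendQ, recvQ, msg, received

Set qinfo = CreateObject("MSMQ.MSMQQueueInfo")
qinfo.PathName = QUEUE_PATH

' Sender: ask the runtime to sign the message. No SenderCertificate is set,
' so this relies on the current user's internal certificate (assumption above).
Set sendQ = qinfo.Open(MQ_SEND_ACCESS, MQ_DENY_NONE)
Set msg = CreateObject("MSMQ.MSMQMessage")
msg.Label = "AuthLevel demo"
msg.Body = "signed payload"
msg.AuthLevel = MQMSG_AUTH_LEVEL_ALWAYS
msg.Send sendQ
sendQ.Close

' Receiver: wait up to 5 seconds, then accept the message only if
' Message Queuing authenticated it when it reached the queue.
Set recvQ = qinfo.Open(MQ_RECEIVE_ACCESS, MQ_DENY_NONE)
Set received = recvQ.Receive(, , , 5000)
If received Is Nothing Then
    WScript.Echo "No message arrived within the timeout."
ElseIf received.IsAuthenticated2 Then
    WScript.Echo "Authenticated; ReceivedAuthenticationLevel = " & _
                 received.ReceivedAuthenticationLevel
Else
    ' Reached only when the queue does not enforce authentication.
    WScript.Echo "Discarded: message was not authenticated."
End If
recvQ.Close
```

Run it with cscript.exe; if MSMQQueueInfo.Authenticate is set on the queue, the final branch is never reached because unsigned messages are rejected before delivery.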
Requirements
Windows NT/2000/XP: Included in Windows NT 4.0 SP3 and later.
Windows 95/98/Me: Included in Windows 95 and later.
Header: Declared in Mqoai.h.
Library: Use Mqoa.lib.
See Also
MSMQMessage
MSMQMessage.IsAuthenticated2
MSMQMessage.ReceivedAuthenticationLevel
MSMQQueueInfo.Authenticate
PROPID_M_AUTH_LEVEL