Digital Signature Registry Entries

 

Updated: July 19, 2016

Applies To: Windows 10, Windows 7, Windows 8, Windows 8.1, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server Technical Preview, Windows Vista

For computers running MSMQ 2.0 and MSMQ 3.0, you have the option of specifying the type of digital signature using a message property (the authentication level) or registry entries. The registry entries described in the following section can be added and set to specify which type of signature will be attached to a message sent from the source computer and which type of signature will be used to authenticate the message on the target computer.

Use the following registry entry to specify what type of signature will be created by the Message Queuing runtime and attached to a message when the message is sent. Note that this registry entry is not present by default. If this registry entry is not added, by default, the Message Queuing runtime will create only MSMQ 1.0 signatures.

HKLM\SOFTWARE\Microsoft\MSMQ\Parameters\Security\SendMsgAuthn  

To specify the signature type, set this entry to one of the following values.

When sending messages toValueResults when authentication is requested
Target computers running any version of Message Queuing.1On MSMQ 2.0 source computers, Message Queuing creates MSMQ 1.0 and MSMQ 2.0 signatures.

On MSMQ 3.0 source computers, if the message is sent without using a distribution list, multicast address, or multiple-element format name, an MSMQ 1.0 signature and an MSMQ 2.0 signature are attached to the message.

If the message is sent using a distribution list or multiple-element format name, an MSMQ 1.0 signature and a multiple-destination digital signature are attached to the message.

If the message is sent using a multicast address, an XML digital signature is attached to the message.

This setting should be used when the sending application does not know what version of Message Queuing is running on the target computer.
Target computers running MSMQ 1.0 (default setting).2Message Queuing creates only MSMQ 1.0 signatures.

This setting should be used only when the sending application is sure that the target computer is running MSMQ 1.0.
Target computers running MSMQ 2.0 or MSMQ 3.0.4Message Queuing creates only MSMQ 2.0 signatures.

This setting should be used only when the sending application is sure that the target computer is running MSMQ 2.0 or MSMQ 3.0, and that distribution lists, multicast addresses, and multiple-element format names are not used to send messages.

If a message is sent to a distribution list or a multiple-element format name, an MSMQ 2.0 signature cannot be created, and an MQ_ERROR_CANNOT_SIGN_DATA_EX error is returned.
Target computers running MSMQ 2.0 or MSMQ 3.0.8Message Queuing creates MSMQ 2.0 or multiple-destination digital signatures.

This value should be used only when the sending application is sure that the target computer is running MSMQ 2.0 or MSMQ 3.0 and that distribution lists and multiple-element format names can be used when sending messages.

This value is not valid on MSMQ 2.0 computers.

When setting this registry entry, note that the sending application can override the registry value by setting the authentication level (PROPID_M_AUTH_LEVEL or MSMQMessage.AuthLevel) of each message that it sends. The authentication level property can be set to use the registry value, or ignore the registry value and use a specific signature.

If the sender's registry entry is set to 1 and the authentication level of the message is set to MQMSG_AUTH_ALWAYS, the Message Queuing runtime computes multiple signature types and attaches them to the message. Although creating multiple signatures reduces performance slightly on the source computer, it enables you to send messages to target computers that are running MSMQ 1.0, MSMQ 2.0, or MSMQ 3.0.

On the target computer, you can set a registry entry to specify what type of signature is accepted for authenticating messages. (Receiving applications can also use message properties to find out if authentication was requested and, if the target computer is running MSMQ 2.0 or later, what type of signature was attached to the message.)

The following registry entry, which is not present by default, specifies what type of signature the receiving computer accepts.

HKLM\SOFTWARE\Microsoft\MSMQ\Parameters\Security\RcvOnlyEnhMsgAuthn  

To specify the types of signatures that will be accepted on an MSMQ 3.0 computer, set this entry to one of the following values.

To authenticate usingSet the registry entry to
MSMQ 1.0, MSMQ 2.0, or multiple-destination digital signatures (the default behavior).0
Only MSMQ 2.0 and multiple-destination digital signatures.1

To specify the type of signature that will be accepted on an MSMQ 2.0 computer, set this entry to one of the following values.

To authenticate usingSet the registry entry to
MSMQ 1.0 or MSMQ 2.0 signatures (the default behavior).0
Only MSMQ 2.0 signatures.1

By default, a source computer uses only the MSMQ 1.0 signature to sign messages. Therefore, for compatibility, when you set this registry entry so that a receiving computer will not accept MSMQ 1.0 signatures, reset the applicable registry entry on the source computer as well.

Community Additions

ADD
Show: