Updated: July 19, 2016

Applies To: Windows 10, Windows 7, Windows 8, Windows 8.1, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server Technical Preview, Windows Vista

The MQGetSecurityContext function caches an internal certificate or an external certificate, the corresponding private key, the user's SID, and other security information needed to attach the certificate and sender identifier to a message when requesting authentication in a security context structure and returns the handle to this structure in an out parameter.

This function is superseded by MQGetSecurityContextEx in Windows® 2000 Service Pack 2 and later.

HRESULT APIENTRY MQGetSecurityContext(  
  LPVOID lpCertBuffer,        
  DWORD dwCertBufferLength,    
  HANDLE * phSecurityContext    


[In] Pointer to the user certificate buffer. External certificates must be in ASN.1 DER encoded format. If this parameter is NULL, the internal certificate provided by Message Queuing is used.


[In] Length of the user certificate buffer pointed to by lpCertBuffer. For internal certificates, it is set to 0.


[Out] Pointer to a variable that receives a handle to the security context structure allocated by Message Queuing.


Indicates success.


(MSMQ 1.0 only) The Message Queuing-supplied internal certificate is corrupted.


Cryptographic function (CryptoAPI) has failed.


Message Queuing could not retrieve the user's SID from the thread access token.


One of the IN parameters supplied by the operation is not valid.


There are not enough resources to complete operation (for example, not enough memory). Operation failed.


The certificate is not correctly placed in the Microsoft® Internet Explorer personal certificate store.


No internal certificate is registered, or the registered certificate is corrupted.

The MQGetSecurityContext function is obsolete. Use MQGetSecurityContextEx whenever possible. Both functions provide the same functionality, however MQGetSecurityContextEx provides more security when impersonating another user.

When you are sending authenticated messages, MQGetSecurityContext retrieves the user's SID and the information that the Message Queuing runtime needs to attach a certificate to a message, caches the information in a security context structure together with the certificate and the corresponding private key, and returns the handle to this structure in an out parameter. The handle can be used to send multiple messages. This provides an easier, more efficient way to send a large number of messages that require authentication using the same certificate. When MQGetSecurityContext is used, the sending application is only responsible for passing the security context structure (PROPID_M_SECURITY_CONTEXT) to MQSendMessage.

When using more than one certificate, the sending application must call MQGetSecurityContextEx for each certificate that is used.

After the security context is no longer needed, free the memory allocated for the security context structure by calling MQFreeSecurityContext.

For information onSee
What it means to authenticate a message: message integrity and sender authenticationMessage Authentication
The process used to authenticate a messagesHow Message Queuing Authenticates Messages

Windows NT/2000/XP: Included in Windows NT 4.0 SP3 and later.

Windows 95/98/Me: Included in Windows 95 and later.

Header: Declared in Mq.h.

Library: Use Mqrt.lib.

Message Queuing Functions

Community Additions