Thursday, June 02, 2011

MSMQ with ‘Authenticate’ enabled for communicating with Dynamics AX

Here are my findings on how to communicate with a remote MSMQ queue that has the ‘Authenticate’ property set (required for Dynamics AX MSMQ inbound channels).

MSMQ (4.0 and later) runs in one of two modes: workgroup mode (when you install only MSMQ) or Active Directory mode (when you also choose 'Directory Integration').

The Logon Info only works in workgroup mode. Once you set the 'Authenticate' flag on the queue, the Logon Info is ignored: MSMQ implicitly uses the personal user certificate that is installed when you log on to the machine.


My issue was resolved once I got it working with the certificates (although I would expect the Logon Info to work as well). Here is my resolution:

- Log on to the client machine where the Send port is defined, using the Host instance account

- Open Features\MSMQ\Properties


- Go to the tab 'User Security'


- Click 'Register' to register the public part of the certificate in Active Directory (this is the public certificate used during user validation)

- Click 'Renew' to install the private part of the certificate on the local machine


- Repeat these steps on each machine the user account is used on (e.g. server and client)

When a message is sent from the client machine, the private part of the certificate is used to locate the matching public certificate in Active Directory. This lets the MSMQ server trust the user, so the message is written to the queue with the correct authentication.


Some useful resources:

- Post from John Breakwell

- MSDN

Some errors and solutions

Message was rejected

Message Queuing could not authenticate a message sent to queue ‘…….’. The message was rejected because the queue only accepts authenticated messages. It is possible that sender did not sign the message, or signed it with a self-signed certificate. A negative arrival acknowledgement will be sent if requested by the sender. This event is logged at most once per 600 seconds. To change this setting, set \HKLM\Software\Microsoft\MSMQ\Parameters\Event2195 registry value to desired time in seconds.

Cause: ‘Authenticate’ is checked on the queue, but the internal certificate does not match the public key in Active Directory / the MSMQ certificate store.

Solution: Renew the internal certificate.

Cryptographic function failed

The adapter failed to transmit message going to send port "SendPort1" with URL "FORMATNAME:DIRECT=OS:…". It will be retransmitted after the retry interval specified for this Send Port. Details:"A cryptographic function failed.".

Cause: ‘Authenticate’ is checked on the queue, but the certificate is not correctly registered.

Solution: Execute the certificate registration procedure above.
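The following PowerShell script is an added example (not from the original post, and not Microsoft's or BizTalk's own code) that ties the registration procedure above to the two errors just listed. It sends one signed test message to a queue with ‘Authenticate’ enabled and requests an arrival acknowledgement, so a certificate problem shows up on the sender instead of only as the event-log entry on the server: a "cryptographic function failed" exception on Send means no usable internal certificate exists for this account on this machine, and a BadSignature negative acknowledgement means the server could not match the signature to a certificate in Active Directory. The queue path is a placeholder, and the script assumes MSMQ is installed locally and is run as the account whose certificate was registered with 'Register'/'Renew'.

```powershell
# Added diagnostic for MSMQ queues with 'Authenticate' enabled (example code, not from the post).
# Assumes: MSMQ installed locally, run as the account that registered its certificate,
# and $targetPath replaced with the real queue (the value below is a placeholder).
Add-Type -AssemblyName System.Messaging

$targetPath = 'FormatName:DIRECT=OS:AXSERVER\private$\axinbound'   # placeholder, replace
$adminPath  = '.\private$\authtest-ack'                              # local queue that receives the acks
$timeout    = [TimeSpan]::FromSeconds(30)

function Get-MsmqRejectionEvents {
    # Run on the MSMQ server: lists recent 'could not authenticate a message' events
    # (event 2195, the one named in the registry value in the error text above).
    param([int]$MaxEvents = 20)
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'MSMQ'; Id = 2195 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

# 1. Make sure the local administration queue exists; arrival acks are delivered here.
if (-not [System.Messaging.MessageQueue]::Exists($adminPath)) {
    [void][System.Messaging.MessageQueue]::Create($adminPath)
}
$adminQueue = New-Object System.Messaging.MessageQueue $adminPath
$adminQueue.MessageReadPropertyFilter.Acknowledgment = $true
$adminQueue.MessageReadPropertyFilter.CorrelationId  = $true

# 2. Build a signed message and ask for both positive and negative arrival acks.
$msg = New-Object System.Messaging.Message
$msg.Label               = 'authtest ' + (Get-Date -Format o)
$msg.Body                = 'constructed test payload'        # constructed sample body
$msg.UseAuthentication   = $true                              # sign with the caller's MSMQ internal certificate
$msg.AdministrationQueue = $adminQueue
$msg.AcknowledgeType     = [System.Messaging.AcknowledgeTypes]::FullReachQueue

$target = New-Object System.Messaging.MessageQueue $targetPath
try {
    $target.Send($msg)
    Write-Host "Sent message $($msg.Id); waiting up to $($timeout.TotalSeconds)s for an arrival acknowledgement..."
} catch [System.Messaging.MessageQueueException] {
    # 'A cryptographic function failed' here means no internal certificate was found for this
    # account on this machine: run the Register/Renew steps logged on as this user.
    Write-Host "Send failed: $($_.Exception.MessageQueueErrorCode) - $($_.Exception.Message)"
    return
}

# 3. Wait for the ack that correlates to our message id and translate the result.
try {
    $ack = $adminQueue.ReceiveByCorrelationId($msg.Id, $timeout)
} catch [System.Messaging.MessageQueueException] {
    Write-Host 'No acknowledgement within the timeout (queue unreachable, or acks not routed back).'
    return
}

switch ($ack.Acknowledgment) {
    ([System.Messaging.Acknowledgment]::ReachQueue) {
        Write-Host 'OK: message accepted; the server validated the signature against the certificate in Active Directory.'
    }
    ([System.Messaging.Acknowledgment]::BadSignature) {
        # This is the sender-side view of the 'Message was rejected' event on the server:
        # the local internal certificate does not match the registered public certificate.
        Write-Host 'REJECTED (BadSignature): renew the internal certificate and register it again.'
    }
    ([System.Messaging.Acknowledgment]::AccessDenied) {
        Write-Host 'REJECTED (AccessDenied): the account lacks Send permission on the queue.'
    }
    default {
        Write-Host "Acknowledgement: $($ack.Acknowledgment)"
    }
}
```

The acknowledgement arrives on the local administration queue with its CorrelationId set to the original message id, which is why the script waits with ReceiveByCorrelationId rather than taking whatever is at the head of the queue. Call Get-MsmqRejectionEvents on the server when you want to confirm that a BadSignature seen on the client lines up with the 2195 events it logged.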


Cheers,

Sander

1 comment:

Cindy Dy said...

I am very happy to locate your website. I just wanted to thank you for the time you spent on this great article. I definitely enjoyed reading it and I have you bookmarked to check out new stuff you post.


Kris
www.gofastek.com