MSMQ with ‘Authenticate’ enabled for communicating with Dynamics AX

Hereby my findings on how to communicate with a remote MSMQ with the ‘Authenticate’ property set (required for Dynamics AX MSMQ inbound Channels).

There are 2 ways how MSMQ (4+) works, either in workgroup mode (when you only install MSMQ) or in active directory mode (when you choose 'Directory Integration').

The Logon Info only works when you work in workgroup mode. When you set the 'Authenticate' flag on the Queue the Logon Info is useless...implicitly you are using personal user certificates that are installed when you logon to the machine.

image

So my issue was resolved once i got it working with the certificates, although i would expect that the Logon Info should work hereby my resolution:

- Logon to the client machine where the Send port is defined using the Host instance account

- Open Features\MSMQ\Properties

image

- Go to the tab 'User Security'

image

- Click on 'Register' to Register the public part of the certificate in the active directory (this is the public certificate used during user validation)

- Click on 'Renew' to install the private part of the certificate in the local machine

image

- Repeat these steps on each machine the user is involved on (e.g. Server/Client)

When sending a message from the client machine the private part of the certificate is used to determine the public certificate in the active directory, this makes the MSMQ server trust the user so that the message is written in the queue using the correct authentication.

image

Some useful resources:

post from John Breakwell

MSDN

Some errors/solutions

Message was rejected

Message Queuing could not authenticate a message sent to queue ‘…….’. The message was rejected because the queue only accepts authenticated messages. It is possible that sender did not sign the message, or signed it with a self-signed certificate. A negative arrival acknowledgement will be sent if requested by the sender. This event is logged at most once per 600 seconds. To change this setting, set \HKLM\Software\Microsoft\MSMQ\Parameters\Event2195 registry value to desired time in seconds.

Cause: ‘Authenticate’ is checked on the queue, however the internal certificate does not match the public key in the active directory / MSMQ certificate store.

Solution: Renew Internal certificaat

CryptoGraphic function failed

The adapter failed to transmit message going to send port "SendPort1" with URL "FORMATNAME:DIRECT=OS:…". It will be retransmitted after the retry interval specified for this Send Port. Details:"A cryptographic function failed.".

Cause: ‘Authenticate’ is checked on the queue, however the certificate is not correctly registered.

Solution: Execute the procedure voor the certificate registration.

 

 

Cheers,

Sander

Comments

Anonymous said…
Awesome, a very good read. By the way, did you know that anegis consulting, microsoft dynamics erp software's gold partner offers you further support, after the implementation is done? Yayy!
1:46 PM
Post a Comment

Popular posts from this blog

Azure implementation guidelines

In My post ‘ Service Bus Management ’ I pointed out a way of implementing a DTAP strategy for managing the Service Bus environment. There’s now a great post available from Microsoft which goes into more detail about other aspects of managing the Azure subscriptions and other artefacts which is quite useful when setting up your Azure environments. Follow this link to the ‘Azure Implementation Guidelines’ HTH, Sander
Read more

Focus and innovation - recap of the last 2 years

It's been a long time since my last post. Hereby a partial explanation for that, with the note that this blog will remain active for the purpose of being a resource for historical references. My IT career started with programming, and adventures within holland, as well as overseas. When I realised programming is something you can specify, I figured that providing added value is crucial for a long term career and decided to focus on process centric roles. I started with webservice integration and eventually from that to process integration using BizTalk. The great feeling when discussing high level processes and implementing solutions within days, even highly scalable and interfacing with LOB systems is great. After several years of implementing solutions like these, I started questioning if all of this work was justified by the business case, if the solution was actually contributing, if the choices had been valid. In other words, I needed to understand the choices made. When...
Read more

BizTalk Pub/sub vs Topics based routing–discussion

My colleagues and I had a brief discussion about the subject ‘Topics’ and what it brings… Do you all agree/disagree with the following statement: topic-based pub-sub messaging doesn’t really exist in BizTalk “In my opinion; I disagree, as BizTalk offers the following 'out-of-the-box' • Message Routing (f.e build in context properties like message type, trading partner, operation etc) • Content Routing (f.e. promoted properties, message inspection in orchestrations/pipelines icw orchestration logic)” My colleague Rene Brauwers Here my 2 cents…. I agree that it exists...however the current offerings in BizTalk are tightly coupled, making the usage far from perfect. When doing content based routing on custom fields (promoted properties), you will be making the solution message-coupled; Your custom message property schema is deployed, and the message filter on these fields have a direct relationship with this property schema. Making any change to this schema will g...
Read more