Messages Sent to a Queue Are Rejected

  • Article

Applies To: Windows Server 2008

This problem typically occurs when attempting to send messages to a Message Queuing queue for which access rights are restricted or for which the security context of the sender cannot be verified. When this problem occurs, attempts to send messages to a queue are rejected. This problem can also occur for reasons other than insufficient access rights, such as if a Message Queuing computer or queue quota has been reached or due to encryption failures.

Diagnosis

The Message Queuing service on the receiving computer performs an access check to check the sender's security ID (SID) context against the security descriptor (SD) of the destination queue. If the access check is completed and the sender has permissions to send to the queue, the message is accepted. If the access check is completed and the sender does not have permissions, it is rejected. If the access check itself cannot be completed and fails, the message is also rejected.

Resolution

Follow these steps to grant the appropriate permissions to the sender and ensure that Message Queuing can perform an access check of the sender's credentials.

To grant appropriate permissions to the sender

  1. Click Start, point to Run, type compmgmt.msc, and press ENTER to display the Computer Management MMC console.

Note

You must be logged on as a member of the local Administrators group before running the Computer Management MMC console.

  1. In the console tree, right-click the applicable queue.

    Where?

    • Computer Management/Services and Applications/Message Queuing/YourQueueFolder (Public Queues or Private Queues)/YourQueue

  2. Click Properties.

  3. Click the Security tab.

  4. Select a group or user account from the list of accounts under Group or user names. If the account is not already listed click Add to add the appropriate group or user account and then select the account.

  5. Grant the Send Message permission to the selected account.

To ensure that Message Queuing can perform an access check of the sender's credentials

  1. Ensure that the queue is located in the same domain as the computer that sent the message or is in a trusted domain.

  2. Add the Message Queuing service account of the sending computer to the Windows Authorization Access Group of the receiving computer, which has access to this TokenGroupsGlobalAndUniversal attribute of the sender's user object. This attribute must be read by the receiving computer to successfully complete an access check.

Note

Only users with domain administration permissions can add members to this group. You can add the Message Queuing service account to the group in one of two ways. You can manually add the relevant accounts to the Windows Authorization Access Group, repeating the operation for each Message Queuing computer requiring this permission. Alternatively, as a less secure practice, you can add the Authenticated Users group to the Windows Authorization Access Group. This grants every authenticated user, including the Message Queuing service on any computer, access to the TokenGroupsGlobalAndUniversal attribute for all users, and requires no further manual administration.

Verification

After following the steps listed above, verify that you can send messages to the specified Message Queuing queue.

See Also

Concepts

Access Control for Message Queuing
Encryption for Message Queuing
Messages Can No Longer Be Delivered to a Particular Computer or Queue