MSMQ Permissions Issue

I have a custom C# application that runs every night and sends a list of messages to a remote private MSMQ instance. The remote private queue then sends acknowledgement messages back telling my application that the message was delivered successfully. If it receives a message type back that it doesn't expect, I Trace.LogError() the unexpected message to the event log and continue on with the next one.

The Problem

I came in to work today to see that all of the messages that were supposed to get sent last night had not been delivered. They each logged an Access to Message Queuing system is denied. error in the event log. Off the top of my head, the issue could be that I switched the calling C# application to run under a different account yesterday. Let's check the permissions!

The Solution

The first thing that I should check would be the remote private queue. There must be some difference in the permissions between the Account A (the prior account) and Account B (the new account). If I right-click on the remote private queue in Computer Management, I can select the properties and check the Security.

Yep, Account A has Full Control over this queue. I then add Account B and give it Full Control just like Account A. I close the dialogs and then I'm done!

Actually, while I'm thinking about it, I should probably check the acknowledgment queue on the calling machine.

MSMQ communicates queue-to-queue. This means if you want to send a message to a remote queue, the message has to originate from a MSMQ instance on your local machine.

If there was a permissions issue sending a message to the remote private queue, it's possible that the local private queue that receives the acknowledgment messages could have the same issue.

I open up Computer Management and right-click on the acknowledgement queue to view the properties and check the Security. Same issue! Account A has Full Control and Account B doesn't. I add Account B to be safe.

Re-running the process sent all the messages successfully!

What I learned

Local and remote private queues have permissions that need to be updated in order to send messages back and forth.

I also learned that if your code creates the local acknowledgement queue, it will give whatever account that created it the necessary permissions. So the first time that the code ran and created the local private queue, it was running under Account A and gave that account permissions.