3
votes

My setup

  1. ServerA is running a web app on IIS 7 using a local IIS Application Pool identity.

  2. ServerB is running MSMQ, hosting a private queue we'll call MyQueue.

  3. Using the Message Queueing snap-in on ServerB, I have configured MyQueue to grant Full Control to ServerA's domain account (ServerA$) as well as the ANONYMOUS LOGON user.

What I Want To Happen

I want the web app on ServerA to send a message to MyQueue on ServerB

What is Actually Happening

The message never shows up on ServerB and I get no error message. I have turned on negative source journaling and can see that I'm getting an "Access Denied" error in the dead letter queue.

If I grant Full Control to Everyone, then the message shows up, but I don't want to do this.

Why I Thought This Would Work

This article about IIS Application Pool Identities says that

Using the Network Service account in a domain environment has a great benefit. Worker processes running as Network Service access the network as the machine account. Machine accounts are generated when a machine is joined to a domain. They look like this:

domainname\machinename$

For example:

mydomain\machine1$

The nice thing about this is that network resources like file shares or SQL Server databases can be ACLed to allow this machine account access.

WHAT ABOUT APPLICATION POOL IDENTITIES?

The good news is that application pool identities also use the machine account to access network resources. No changes are required.

Based upon that information, I would assume that granting MY_DOMAIN\SERVERA$ permissions on MyQueue should make things work. But it doesn't.

Any idea what I'm doing wrong?

If you add "Everyone" and it works then it means the account that accesses the queue is one it knows about. That is, the account is a member of the local machine or domain security databases. Anonymous Logon doesn't work as that would be used for accounts that are not known about, such as using a local machine account to access a remote queue. – John Breakwell

You need to add the IIS account, not the domain account the computer is logged into. Not sure what version of IIS you are using, so please read this for clarity on the account: iis.net/learn/get-started/planning-for-security/… – Sorceri

Just wanted to say that I haven't forgotten about you or your advice, John and Sorceri. I'm trying to get auditing enabled on the server in question, so I can see exactly which user is getting denied access to the queue. This involves our SysAdmin group, so I'm waiting on them to set me up. I'll check back in when I have more information, or hopefully a solution. :) – JamieGaines

@JamieGaines Any updates on this? – Louis Haußknecht

We are having the same issue and wondered if you had managed to find a fix for this? – EdSalter

2 Answers

3
votes

This question is ageing now, but I've managed to query MSMQ from an IIS application using an ApplicationPoolIdentity user:

  1. Go to the application pool list in the IIS Management Console and note the application pool name for the desired application
  2. Right-click on the MSMQ queue in Server Manager > Properties > Security
  3. Click Add
  4. Enter the object name IIS APPPOOL\{application pool name from step 1}. This should auto-complete to the name of the application pool
  5. Grant the required permissions - generally this will be Peek Message and/or Receive Message

It's better to avoid granting permissions to Everyone.

Reference: https://serverfault.com/a/81246/24816
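The five steps above as an added PowerShell script (not the answer's own code, and not from the original poster). It assumes IIS and MSMQ run on the same host, because IIS APPPOOL\<pool name> is a virtual account that exists only on the IIS machine, and it uses placeholder values for the queue path and pool name:

```powershell
# Added example: grant a single IIS application pool identity least-privilege
# rights on a private MSMQ queue instead of granting Full Control to Everyone.
# Assumptions: run elevated on the MSMQ host, which is also the IIS host;
# .NET Framework's System.Messaging assembly is available (MSMQ feature installed).
Add-Type -AssemblyName System.Messaging

$QueuePath = '.\private$\MyQueue'     # private queue named in the question
$PoolName  = 'MyAppPool'              # hypothetical pool name (step 1 of the answer)
$Principal = "IIS APPPOOL\$PoolName"  # virtual account IIS creates per app pool (step 4)

if (-not [System.Messaging.MessageQueue]::Exists($QueuePath)) {
    throw "Queue $QueuePath does not exist on this host"
}
$queue = New-Object System.Messaging.MessageQueue $QueuePath

# Step 5: grant only what the application needs. A consumer needs Peek/Receive;
# a sender would need WriteMessage instead.
$rights = [System.Messaging.MessageQueueAccessRights]::PeekMessage -bor `
          [System.Messaging.MessageQueueAccessRights]::ReceiveMessage
$queue.SetPermissions($Principal, $rights,
                      [System.Messaging.AccessControlEntryType]::Allow)

# Remove the blanket grant if one was added while troubleshooting.
$queue.SetPermissions('Everyone',
                      [System.Messaging.MessageQueueAccessRights]::FullControl,
                      [System.Messaging.AccessControlEntryType]::Revoke)

Write-Host "Granted Peek/Receive on $QueuePath to $Principal"
```

Enabling negative source journaling, as the question did, remains the quickest way to confirm whether the pool identity is still being denied after the change.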

0
votes

I have just stumbled upon this and have found a resolution in my case: if I set up IIS to run as the Network Service account, the remote queue receives the message I send to it.

This has eaten up a lot of my time today; now I need to work out if running IIS as Network Service is actually OK and does not break anything else.