NServiceBus & MSMQ: How To Change the Default Permissions on the Queue?

Question

My team is on our first attempt at using NServiceBus (v2.0), using MSMQ as the backing storage. We're getting stuck on queue permissions.

We're using it in a Web Forms application, where the user account the website runs under is not an administrator on the machine.

When NServiceBus creates the MSMQ queue, it gives the local administrators group full control, and the local everyone and anonymous groups permissions to send messages.

But then later, as part of initializing the queue, NServiceBus tries to read all of its messages. That's where we run into the permissions error. Since the website isn't running as an administrator, it's not allowed to read messages.

How are other people dealing with this? Do your applications run as administrators? Or do you create the MSMQ queue in your code first, giving it the permissions you need, so that NServiceBus doesn't have to create it? Or is there a bit of configuration we're missing? Or are we likely writing our code that uses NServiceBus incorrectly to be running into this?

Sam Sam · Accepted Answer · 2010-05-25T01:18:56

We create the queues in an Installer subclass and execute it as part of the msi install. Ownership of the queue is a shortcut, but the relevant permissions can be set through AccessControlList:

MessageQueue queue = MessageQueue.Create(queueName, true);
AccessControlList permissions = new AccessControlList();
permissions.Add(new MessageQueueAccessControlEntry(
    new Trustee(this.serviceProcessInstaller.Username),
    MessageQueueAccessRights.FullControl, 
    AccessControlEntryType.Set));
// Add additional permissions for admins & message-sending accounts
queue.SetPermissions(permissions);

I feel the queue auto-creation feature of NServiceBus is better suited for development, not deployment.

NServiceBus & MSMQ: How To Change the Default Permissions on the Queue?

4 Answers