Share via


Routing Support in MSMQ requires Enterprise Administrator privileges

One down-side of enabling Routing Support for MSMQ is that you need to be an Enterprise Administrator to install it, as can be seen from this Technet article:

Installation permissions

 

Message Queuing computer Permission level required

Message Queuing server on a domain controller

domain administrative permissions (or member of the Domain Admins group)

Message Queuing server on a nondomain controller with Routing Support

enterprise administrative permissions (or member of the Enterprise Admins group).

Message Queuing server on a nondomain controller without Routing Support

local administrative permissions (or member of the local Administrators group)

Independent client

local administrative permissions (or member of the local Administrators group)

Dependent client

local administrative permissions (or member of the local Administrators group)

It is common not to see any effects from this restriction as installation is usually performed by the all powerful domain Administrator account.

One place you may see issues, though, is installing MSMQ on a cluster. In Cluster Administrator the newly created MSMQ resource will fail to come on line (after several attempts).

 Cluster Administrator showing MSMQ Resource in a failed state

 Looking in the event log, there will be an "Access Denied (0xC00E0025)" event for every attempt to bring the MSMQ Cluster Resource on-line.

Message Queuing objects cannot be created in Active Directory (Error: 0xC00E0025). Please verify your permissions and network connectivity.

This is because the MSMQ resources are created by the Cluster Service account and not the logged in user account. There error is confusing as you will see what looks like a good configuration in Active Directory: Users and Computers as the MSMQ object has been successfully created under the computer object for the resources network name and public queues can be created. 

The permissions issue is actually with the Active Directory objects to do with routing and these need Enterprise Admin membership (or equivalent) to update.

The options are therefore:

  • If you need routing support, add the cluster service account to the Enterprise Admins group. This may, though, conflict with some customers' security policies.
  • If you do not need routing support, then remove it. No need to change account membership.

Note - you cannot simply untick Routing Support from the local node installations. As indicated by the error message below, removing Routing Support requires a reinstallation of Message Queuing.

Routing Support cannot be removed. This operation is not supported when Message Queuing is already installed.