
MSMQ: do 2 servers need to be in same domain to be able to access private queues?

As the title says - I have 3 servers:

  • server-1 [wcf services]
  • server-2 [wcf services]
  • server-3 [esb using rhino.esb]

So - server 1 publishes message to server-3 esb; server 2 subscribes to messages from server 1 via server-3 esb.

Do they all need to be in the same domain or anything?


For security there is no difference between public and private queues - "public" just means published in Active Directory.

Also, you need to differentiate between "different domain" and "different forest". I assume you mean the latter. Two domains in the same forest share the same security database so would not be a problem.

Do not regard Access Control Lists on queues as being a robust form of security. A message can be sent with the SID of any account to get round the queue permissions. Authentication with internal (MSMQ) or external certificates is a much better alternative if security is an issue.

  • How to send authenticated MSMQ messages without using a domain account
  • Authenticating MSMQ messages between forests
  • Cross-forest MSMQ? You need to be trusting
  • "How do I send MSMQ messages between domains?"
  • Understanding how MSMQ security blocks RPC traffic

Cheers
John Breakwell
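An added example, not part of the answer above: a defender-side audit that lists the private queues on a host which still accept unauthenticated messages (and so rely on ACLs alone), plus a helper that sets a queue to accept only authenticated messages. It assumes Windows PowerShell 5.1 with the .NET Framework `System.Messaging` assembly, the MSMQ feature installed, and an account allowed to read and set queue properties; the function names and the queue path in the usage comment are hypothetical.

```powershell
# Added example: audit and enforce the MSMQ "Authenticate" queue property.
# Assumes Windows PowerShell 5.1 (.NET Framework) and a local MSMQ installation.
Add-Type -AssemblyName System.Messaging

function Get-PrivateQueueAuthState {
    # Report, for every private queue on the machine, whether it only
    # accepts authenticated (certificate-signed) messages.
    param([string]$Machine = '.')

    foreach ($q in [System.Messaging.MessageQueue]::GetPrivateQueuesByMachine($Machine)) {
        try {
            [pscustomobject]@{
                FormatName    = $q.FormatName
                Authenticate  = $q.Authenticate    # $false: unsigned messages are accepted
                Transactional = $q.Transactional
            }
        }
        catch {
            # Properties of some queues may not be readable by the current account.
            Write-Warning "Could not read properties of $($q.FormatName): $_"
        }
        finally {
            $q.Dispose()
        }
    }
}

function Set-QueueAuthenticationRequired {
    # Make the queue accept only authenticated messages.
    param([Parameter(Mandatory)][string]$Path)

    $q = New-Object System.Messaging.MessageQueue $Path
    try     { $q.Authenticate = $true }
    finally { $q.Dispose() }
}

# Queues that still depend on ACLs alone:
Get-PrivateQueueAuthState | Where-Object { -not $_.Authenticate }

# Hypothetical queue path; senders must then set UseAuthentication on each message.
# Set-QueueAuthenticationRequired -Path '.\private$\esb_input'
```

Turn the setting on only after every sender can sign its messages with an internal or external certificate, otherwise their messages will no longer be accepted by the queue.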


No. But it's less secure or more complicated, depending on whether you are using no security (everyone has access) or certificates. Look at Securing Messages Using Transport Security.


Private queues are just accessed via a TCP port, so there is no need for the hosting server to even be on a domain for the MSMQ queue to be accessible. However, I would recommend that you apply transport-level security at the network layer (i.e. firewalls) to prevent any unauthorised traffic from putting messages on / retrieving from the queues.
