MSMQ 创建错误:工作组安装计算机不支持该操作/用户的内部消息队列证书不存在 [英] MSMQ creating errors: A workgroup installation computer does not support the operation / User's internal Message Queuing certificate does not exist
问题描述
这让我有点抓狂,所以如果有人能帮助我,我将不胜感激!!
我正在尝试将消息从域内的服务器发送到公共队列到域控制器,但出现错误:
'工作组安装计算机不支持该操作.'
我已经在域控制器上设置了 MSMQ,并在公共队列文件夹中创建了一个消息队列.
我知道以前有人问过类似的问题:
但是我已经尝试了所有建议的方法,但仍然出现相同的错误.
所以带您了解我从建议中尝试过的内容:
a) 没有选择 AD 集成作为设置选项 - 安装 msmq 时选择了这个
b) 选择了 AD 集成但未能初始化;检查事件日志 - 我已经检查了我的事件日志,我有消息 - 包 MSMQ 服务器包的可选更新 MSMQ-ADIntegration 已成功打开.
c) 检查 Active Directory 中的孤立对象 - 我已经检查了 Active Directory 用户和计算机中的 LostAndFound 目录以检查 AD 中没有孤立对象
并且我已按照以下说明进行操作:http://technet.microsoft.com/en-us/library/cc730960.aspx
我也卸载了重新启动并重新安装并再次检查我没有任何孤立对象.
所有发送消息的服务器都需要安装 msmq 吗?目前我只在域控制器上拥有它,我认为这就足够了.
编辑 1:我已将 msmq 添加到所有发送消息的服务器(它们是负载平衡的,因此可以是其中任何一个)他们已经安装了 msmq 但没有公共队列,所以我重新安装并重新安装(检查所有适当的选择 msmq -Directory 服务集成/路由服务等时的框,它们现在有公共队列 我现在收到一个新错误,如下所示:
'用户的内部消息队列证书不存在.'
编辑 2:
我仍在努力解决这个问题,但已经取得了一些进展 - 当我检查我的域控制器的证书颁发机构时,它在那里,但是当我查看 IIS 时,它缺少虚拟目录 CertServ - 请参阅链接以获取解释:
>http:///msdn.microsoft.com/en-us/library/windows/desktop/ms755466%28v=vs.85%29.aspx
一旦我解决了这个问题,我将为我的每台服务器申请一个计算机证书,如下所示:
http://technet.microsoft.com/en-us/library/cc740173%28v=ws.10%29.aspx
希望这会奏效!
编辑 3:好的,由于垃圾互联网的原因,我无法申请证书,但希望这将在接下来的几天内得到纠正.所以我尝试了自我认证,这没有什么不同,并取消了 UseAuthentication = true, UseEncryption = true 并取消选中经过身份验证的框并将加密设置为可选.我不再收到错误消息,这让我相信身份验证有问题(与 Active Directory 相关)但是即使它没有失败,因为没有显示错误消息并且我希望显示页面在我的网站上显示.我的域控制器公共队列消息中没有消息...
我已在本地完成此操作,当我尝试在导致问题的域中执行此操作时似乎是这样.
编辑 4:
只是让你知道我在这方面的进展 - 我想确保消息被发送到域控制器,所以我查看了 MSMQ End2End 监控 - 所以在每个 Web 服务器上(消息是从) 和域控制器(消息发送到)在事件查看器>应用程序和服务日志> Microsift> Windows >MSMQ >End2End 我启用了日志记录.
当我尝试在 Web 服务器上再次发送消息时,记录了 2 个 End2End 事件:
ID 为 CN=msmq,CN=ETAILWEB03,CN=Computers,DC=Etail,DC=local7 的消息被发送到队列 PUBLIC=d7ee680c-11ec-4d9a-aa31-528dcc9b1eba
通过网络发送的消息
在 End2End 事件中的域控制器上:
- 消息来自网络
所以从这里看来消息已经到达,所以我现在正在寻找消息丢失的地方:
https://groups.google.com/forum/?fromgroups=#!topic/microsoft.public.msmq.networking/88FYCvO2YwQ
编辑 5:
好的,下面:
已收到但未传递 Windows 2008 R2 的 MSMQ 消息
我添加了一个匿名用户,并且能够向队列添加一条消息,这很好,但我现在需要退后一步,只让用户完全控制应该从哪里接收消息 - 那么网络服务器的用户名是什么也是为了安全,我需要对消息进行身份验证,所以回到我之前的问题之一.
编辑 6:
仍在为此苦苦挣扎,但更进一步......
在域控制器(证书颁发机构和接收 MSMQ 所在的位置)上,配置了证书自动注册,我在 Web 服务器(发送消息)上运行以下命令 - 运行 - gpupdate/force 并重新启动每个 Web 服务器.
我确保在所有 Web 服务器上都检查了身份验证并在消息队列属性中选择了正文.我还更新了所有 Web 服务器上的证书以确保它们是最新的 我现在收到以下错误:
无效的队列路径名.
我查看了以下链接:
编辑 7:
好的,为了让它起作用,似乎在 Web 服务器上没有识别 Web 应用程序用户,所以我转到 IIS > 应用程序池 > 高级设置 > 身份并将身份设置为网络服务.完成此操作后,我在运行应用程序时不再收到错误消息,但该消息似乎不在我期望的公共队列中,因此我现在将再次查看 end2end 以查看是否可以找到它去了哪里.
修复
将 IIS 设置为网络服务后,我再次检查了正在发送的消息是否已通过身份验证,并且接收消息的域控制器是否已通过身份验证检查.我为我的公共队列中的每个人提供了完全访问权限,并且成功了!
说实话,一路上有很多尝试和错误,但希望这篇文章能帮助其他人——感谢约翰 B,我读到的关于这个主题的大部分内容都是他以一种或另一种形式发布的!
'用户的内部消息队列证书不存在.'
以交互方式登录到将发送消息的每个服务器.
使用运行发送应用程序的用户帐户.
这将为该帐户创建证书,每台机器一个.
This is driving me abit nuts so if anyone could hepl i'd be very grateful!!
I am trying to send a message to a public queue from a server within the domain to the domain controller but i get the error:
'A workgroup installation computer does not support the operation.'
I have set up the MSMQ on the Domain COntroller and created a message queue in the Public Queues folder.
I know a similar question has been asked before:
Why does MSMQ think I'm on a workgroup computer?
but i have tried all of the things that were suggested but i still get the same error.
So to take you through what i have tried from suggestions:
a) AD integration was not selected as a setup option - when msmq installed this was selected
b) AD integration was selected but failed to initialise; check event logs - i have checked my event logs and i have the message - Selectable update MSMQ-ADIntegration of package MSMQ Server package was successfully turned on.
c) Check for orphaned object in the Active directory - I have checked the LostAndFound Directory in Active Directory Users and Computers to check no orphaned objects in AD
and i have followed these instructions: http://technet.microsoft.com/en-us/library/cc730960.aspx
I have also uninstalled restarted and reinstalled and checked again that i don t have any orphaned objects.
Also would all the servers which send the message need msmq installed? at the moment i only have it on the domain controller which i thought would be enough.
Edit 1: I have added msmq to all the servers which send messages (they are load balanced so it canbe any of them) they had msmq installed already but without Public Queues so i unistalled resrted and installed again (checking all the appropriate boxes when selecting msmq -Directory service integration/routing service etc.. and they now have Public Queues I am now getting a new error as follows:
'User's internal Message Queuing certificate does not exist.'
Edit 2:
I am still working on this but have made some progress - When i checked my domain controller for the Certificate Authority it was there but when I looked at IIS it was missing the Virtual Directory CertServ - please see link for explanation:
http://msdn.microsoft.com/en-us/library/windows/desktop/ms755466%28v=vs.85%29.aspx
Once i have sorted this problem out i will request a computer certificate for each of my servers as below:
http://technet.microsoft.com/en-us/library/cc740173%28v=ws.10%29.aspx
Hopefully this will work!
EDIT 3: ok so for reasons of rubbish internet i m not able to request a certificate but hopefully that will be rectified in the next coupke of days. So i tried self certifying which didn t make a difference and took off UseAuthentication = true, UseEncryption = true and unchecked the authenticated box in and set encryption to optional. I no longer get an error message which leads me to believe there is something wrong with Authentication (to do with Active Directory) However even though it hasn't failed in the sense that no error message has displayed and the page i expect to be shown on my site is shown. There is no message in my Domain Controller Public queue messages...
I have done this locally where it works it seems to be when i try to do it within a domain that is causing problems.
Edit 4:
Just tolet you know my progress on this - I wanted to make sure that the message was being sent to the Domain controller so i had a look at MSMQ End2End monitoring - So on each of the web servers (the message is sent from) and the Domain controller (the message is sent to) in the Event Viewer>Application and Services Logs > Microsift> Windows >MSMQ >End2End I enabled logging.
When i tried sending a message again on the web server 2 End2End events were logged:
Message with ID CN=msmq,CN=ETAILWEB03,CN=Computers,DC=Etail,DC=local7 was sent to queue PUBLIC=d7ee680c-11ec-4d9a-aa31-528dcc9b1eba
Message sent over network
And on the Domain Controller in the End2End events:
- Message came over network
So from this it seems the message has arrived so i am now looking to see where the message has got lost:
https://groups.google.com/forum/?fromgroups=#!topic/microsoft.public.msmq.networking/88FYCvO2YwQ
Edit 5:
Ok so following:
MSMQ messages received but not delivered Windows 2008 R2
I added a Anonymous user and was able to add a message to the queue, which is great but i need to step backwards now and only give full control to users that messages should be received from - so what the username of the webservers are and also for security i need the messages to be Authenticated so going back to one of my earlier issues.
Edit 6:
Still struggling with this but got a bit further...
On the Domain COntroller (where the certificate authority and receiving MSMQ is) the certificate auto-enrol is configured and i run the following on the web servers (which send the messages) - run - gpupdate /force and Restarted each web server.
I made sure that on all the web servers Authenticate was checked and Body was selected in the message queue properties. I also renewed the certificates on all the web servers to make sure they up to date I am now getting the following error:
Invalid queue path name.
I have looked at the following link:
Edit 7:
ok so to try to get this to work it seemed that where the web application user was not being recognised so on the web servers i went to IIS > Application Pools > Advanced Settings > Identity and set the identity to Network Service. Once this was done I no longer get a error message when i run my application but the message does not seem to be in the public queue where i would expect it to be so I will now look at end2end again to see if i can find out where it has gone.
Fix
Once the IIS was set to Network Service i double checked that the message that was being sent was authenticated and the Domain controller that was receiving the message had authenticated checked. I gave full access to everyone on my public queue and it worked!
To be honest there was a lot of trial and error along the way but hopefully this post will help others - thanks to john B most of the stuff i ve read on this subject was posted by him in one form or another!
'User's internal Message Queuing certificate does not exist.'
Interactively log on to each server that will be sending messages.
Use the user account that the sending apps are running under.
This will create the certificate, one per machine, for that account.
这篇关于MSMQ 创建错误:工作组安装计算机不支持该操作/用户的内部消息队列证书不存在的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
