
Unable to set MSMQ message queue permissions using MessageQueueInstaller

I'm trying to create a private message queue for use with a Windows service. I'm creating the queue in my service's ProjectInstaller class. In the constructor for said class, I create a MessageQueueInstaller object, and add it to my local Installer.Installers property like so:

var path = _config?.Settings[QUEUE_PATH]?.Value;
if (string.IsNullOrEmpty(path))
{
    Console.WriteLine($"Could not install MSMQ message queue. Cannot install service. Missing private queue path value.");
    throw new ArgumentNullException(QUEUE_PATH, "Cannot create private message queue with null queue path.");
}
_q = new MessageQueueInstaller();
_q.Label = "Queue Name";
_q.Path = path;
_q.Transactional = true;
Installers.Add(_q);

Since I expect credentials to be passed in when the service is installed, and I want the account the service runs under to have full access to the message queue being created, I'm subscribing to the AfterInstall event of my ServiceProcessInstaller in order to grab the username like so:

_serviceProcessInstaller.AfterInstall += (sender, args) =>
{
    _q.Permissions = new AccessControlList()
    {
        new AccessControlEntry(new Trustee(_serviceProcessInstaller.Username, null, TrusteeType.User),
            GenericAccessRights.All, StandardAccessRights.All, AccessControlEntryType.Allow)
    };
};

This process completes successfully, and an ACL entry is added to my private queue's security tab with the expected values. However, when running the service that needs to interact with MSMQ, I receive the following error:

Access to Message Queuing system is denied

Oddly enough, if I manually create the exact same ACL entry from the queue's security tab, everything magically works!

Also, if I create all the ACLs programmatically (ending up with the error above), and then set 'Everyone' to Full Control manually, it also works, but setting 'Everyone' to Full Control during the same process where we set the actual account does not work.

Finally, I am running the MSMQ service under 'NT AUTHORITY\Network Service'. I have also tried adding that account with full control programmatically (it appears as if all permissions are set, but the same error is still received), and I've also tried running the MSMQ service as Local System to no avail.

I'm honestly not sure what to make of this. As far as I can tell, the permissions are identical regardless of whether they were added programmatically or manually, but obviously that isn't actually true or this would work.

What in the world am I missing here?

Please let me know if additional context is needed. Thanks!

We are using the following code to create MSMQ queues and set the permissions. It all works well:

public void CreateQueueIfNotExists(string queueName, List<string> users)
{
    if (!MessageQueue.Exists(queueName))
    {
        MessageQueue.Create(queueName);
        var queue = new MessageQueue(queueName);
        //set permissions for those users
        foreach (var user in users)
        {
            queue.SetPermissions(user, MessageQueueAccessRights.ReceiveMessage | MessageQueueAccessRights.WriteMessage, AccessControlEntryType.Allow);
        }
    }
}
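
A variant of the approach in the answer above, added here as an example and not code from either poster: it creates the queue as transactional (as the question's installer does), grants MSMQ-specific rights rather than generic full control, and reapplies them when the queue already exists. The class name, the chosen set of rights, the queue path and the account name are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Messaging; // .NET Framework assembly System.Messaging.dll

public static class QueueProvisioner // hypothetical helper, not from the posts above
{
    // Assumed minimum for a service that sends and receives: no FullControl,
    // no right to change the ACL or take ownership of the queue.
    private const MessageQueueAccessRights ServiceRights =
        MessageQueueAccessRights.ReceiveMessage |   // includes peek and delete
        MessageQueueAccessRights.WriteMessage |
        MessageQueueAccessRights.GetQueueProperties;

    public static void EnsureQueue(string path, IEnumerable<string> accounts)
    {
        if (string.IsNullOrWhiteSpace(path))
            throw new ArgumentNullException(nameof(path));
        if (accounts == null)
            throw new ArgumentNullException(nameof(accounts));

        // Create the queue as transactional, as the installer in the question does.
        if (!MessageQueue.Exists(path))
            MessageQueue.Create(path, true).Dispose();

        using (var queue = new MessageQueue(path))
        {
            // A pre-existing queue of the wrong kind is reported, not silently reused.
            if (!queue.Transactional)
                throw new InvalidOperationException("Queue is not transactional: " + path);

            foreach (var account in accounts)
            {
                // Set replaces the rights this trustee already holds, so a rerun
                // leaves exactly ServiceRights instead of adding to an older entry.
                queue.SetPermissions(account, ServiceRights, AccessControlEntryType.Set);
            }
        }
    }

    public static void Main()
    {
        // Constructed sample values: substitute the real queue path and service account.
        EnsureQueue(@".\private$\example-queue", new[] { @"EXAMPLE\svc-account" });
    }
}
```

It must run under an account that is allowed to change the queue's permissions, such as the account that created the queue.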
