As the title says - I have 3 servers:
server-1 [WCF services]
server-2 [WCF services]
server-3 [ESB using rhino.esb]
So server 1 publishes messages to the server-3 ESB, and server 2 subscribes to messages from server 1 via the server-3 ESB.
Do they all need to be in the same domain or anything?
For security there is no difference between public and private queues - "public" just means published in Active Directory.
Also, you need to differentiate between "different domain" and "different forest". I assume you mean the latter. Two domains in the same forest share the same security database so would not be a problem.
Do not regard Access Control Lists on queues as being a robust form of security. A message can be sent with the SID of any account to get round the queue permissions. Authentication with internal (MSMQ) or external certificates is a much better alternative if security is an issue.
Cheers
John Breakwell
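
The certificate-based authentication recommended in the answer above, sketched with the .NET `System.Messaging` API. This is an added example, not part of the original thread and not Rhino ESB code. The queue path and message body are constructed for illustration, and it assumes a domain-joined machine with MSMQ Active Directory integration, so that the sending account has an internal MSMQ certificate registered.

```csharp
using System;
using System.Messaging;

class AuthenticatedQueueDemo
{
    // Constructed queue path for illustration (assumption, not from the thread).
    const string QueuePath = @".\private$\esb_demo_authenticated";

    static void Main()
    {
        // Receiving side: create the queue if it does not exist yet.
        using (MessageQueue queue = MessageQueue.Exists(QueuePath)
            ? new MessageQueue(QueuePath)
            : MessageQueue.Create(QueuePath))
        {
            // Require authentication on the queue itself: MSMQ rejects any
            // message that arrives without a valid digital signature, instead
            // of relying only on the ACL check against the attached sender SID.
            queue.Authenticate = true;

            // Sending side: ask MSMQ to sign the message. With no
            // SenderCertificate set, the sender's internal MSMQ certificate
            // is used (assumption: one is registered for this account).
            using (var outgoing = new Message("constructed-sample-event"))
            {
                outgoing.UseAuthentication = true;
                outgoing.AttachSenderId = true;
                queue.Send(outgoing);
            }

            // Receiving side: request the authentication properties and
            // check them before handing the message to application code.
            queue.MessageReadPropertyFilter.Authenticated = true;
            queue.MessageReadPropertyFilter.SenderCertificate = true;
            queue.Formatter = new XmlMessageFormatter(new[] { typeof(string) });

            using (Message received = queue.Receive(TimeSpan.FromSeconds(5)))
            {
                if (!received.Authenticated)
                    throw new InvalidOperationException("Unauthenticated message received.");

                Console.WriteLine("Authenticated message: {0} (certificate bytes: {1})",
                    received.Body, received.SenderCertificate.Length);
            }
        }
    }
}
```

Where sender and receiver cannot share an internal certificate, `Message.SenderCertificate` can be set to an external certificate instead, which the receiving application then has to validate itself.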