Event ID - 2196

Event Id	2196
Source	MSMQ
Description	Message Queuing failed to verify digital signature of a message sent to queue %1. The message was rejected. A negative arrival acknowledgement will be sent if requested by the sender. This event is logged at most once per %2 seconds. To change this setting, set \HKLM\Software\Microsoft\MSMQ\Parameters\Event2196 registry value to desired time in seconds.
Event Information	According to Microsoft : Cause : This event is logged when Message Queuing failed to verify digital signature of a message sent to queue. Resolution : Confirm that the Message Queuing application is using a strong hash function and that it has a valid user certificate The message's signature could not be verified. This may indicate the following issues: Weak hash function issues Bad user certificate Corruption of the message in transit Resolve weak hash function issues By default, Message Queuing 4.0 does not support certain weaker security algorithms that were available in earlier versions of Message Queuing. Support for the weaker security algorithms can be enabled with a registry entry. Message Queuing has historically offered four hashing algorithms with which to sign a message: MD2, MD4, MD5, and SHA1. In previous versions of Message Queuing, MD5 was the default for most message and SHA1 was used for Hypertext Transfer Protocol (HTTP) and multicast messaging, which were introduced in Message Queuing 3.0. SHA1 is now the default for all types of messages, because MD2, MD4, and MD5 have been deprecated as weak. Also, by default, Message Queuing 4.0 will neither accept messages that are signed with these weak algorithms nor generate them. You can enable weaker algorithms on Message Queuing 4.0 to support any Message Queuing applications that require them by adding the registry key (not value) HKLM\SOFTWARE\Microsoft\MSMQ\Parameters\Security\WeakHashAlgorithms . If this registry key is not present, as is the case by default, all weaker algorithms are disabled. If this registry key is present, all weaker algorithms are enabled. To enable only certain weak algorithms, you must add the registry key and then specify the values of those weaker algorithms that you want to continue to disable. Caution : Incorrectly editing the registry might severely damage your system. Before making changes to the registry, you should back up any valued data. To perform the following procedures, you must have membership in Administrators , or you must have been delegated the appropriate authority. To continue to disable certain weaker authentication algorithms: Open Registry Editor. To open Registry Editor, click Start . In the search box, type regedit , and then press ENTER. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSMQ\Parameters\Security . On the Edit menu, point to New , and then click Key . Type WeakHashAlgorithms as the name of the new registry key, and then press ENTER. Right-click WeakHashAlgorithms , point to New , click DWORD (32-bit) Value , and then type any name for the new value. Double-click the new DWORD (32-bit) value , click Decimal , and then in Value data type the appropriate value for the algorithm that you want to disable: 32769 for MD2 32770 for MD4 32771 for MD5 32773 for MAC Click OK to close the Edit DWORD (32-bit) Value dialog box. Create new DWORD (32-bit) values for additional algorithms that you also want to disable. On the File menu, click Exit to close Registry Editor. If your Message Queuing application is running on Windows Vista and it chooses a weaker authentication algorithm, Message Queuing will override the choice and use SHA1 instead, by default. If you need to generate messages on Message Queuing 4.0 with one of the weak algorithms, there is a registry key that will turn off the upgrading and make Message Queuing 4.0 honor the algorithm requested by your code. Create a DWORD registry value named WeakHashAlgUpgrade under the key HKLM\SOFTWARE\Microsoft\MSMQ\Parameters\security and set it to 0 , and then restart the MSMQ Service. For more information, see the following resources: PROPID_M_HASH_ALG Authentication for Message Queuing Fix an issue with a bad user certificate To fix an issue with a bad user certificate: On any computer in the domain, click Start . In the search box, type compmgmt.msc , and then press ENTER. Enter administrator credentials, if you are prompted, and then continue through the User Access Control messages. Navigate to the Message Queuing console tree. Click Services and Applications , and then click Message Queuing . Right-click Message Queuing , and then click Properties . Click the User Certificate tab. Click View . Check to see whether the computer sending the unauthenticated messages is in the Personal Certificates list. If the computer is not in the list, a certificate was not registered. You can fix this by performing steps 1 through 7 on the computers on which the certificate was not registered. Then, for step 6, click Register instead of View . Fix a corrupted message If you think the message was corrupted in transit, there is probably an issue with a level below Message Queuing. If you continue to get this error, note any details in the event message, and then contact Microsoft Customer Service and Support (CSS). Verify : Verify that the MSMQ Service is installed and running. To perform this procedure, you must have membership in Administrators , or you must have been delegated the appropriate authority. To verify that the MSMQ Service is installed and running: Open the Services snap-in. To open Services, click Start . In the search box, type services.msc , and then press ENTER. Locate the Message Queuing service, and then confirm that the value in the Status column is Started .
Reference Links	Event ID 2196 from MSMQ

Catch threats immediately

We work side-by-side with you to rapidly detect cyberthreats
and thwart attacks before they cause damage.

See what we caught