Setting Up DCOM for Discovery of Remote OPC Servers

Discover and Auto Configure supports DCOM (Distributed Component Object Model) for browsing remote OPC servers. If you want to grant only certain users permission to launch or access the remote OPC servers, you can use the Windows utility DCOMCNFG.EXE to configure DCOM applications. DCOMCNFG.EXE is usually located in your operating system’s \system32 folder.

When OPC Servers register, they set up initial custom DCOM security settings to enable users on the network to access and launch the Server. On large networks, it is recommended that you modify these settings to avoid confusion and inadvertent changes to a running OPC Server.

If Firewall security is enabled, you must also modify or add items to the Exceptions list. Refer to Setting Up the Firewall for Discovery.

IMPORTANT NOTES:

  • It is recommended that all Discover and Auto Configure users be members of the Administrators group. To facilitate this, it is recommended that you create a users group to contain individual users that need to access remote OPC servers.

For example, create a group named “DAC” and add those users who will log into the operating systems and access remote OPC servers. Add the users Tom, Denise, and Harry into the DAC group. Each of these users will also be added into the Administrators group. This DAC group should also contain the following built-in security principals: INTERACTIVE; NETWORK; SYSTEM.

  • To make any OPC Client / OPC Server application work via DCOM, changes need to be made on both sides, especially if you intend to use Asynchronous I/O communications.
  • OPCENUM must reside on the remote machine with the OPC server. While most OPC Server applications install and register this file, some do not. You can download this file from www.opcfoundation.org. Currently it is contained within the OPC Core Components 2.00 Redistributable 2.30.msi file. After you download OPCENUM, run the .msi file.
  • This section applies to OPC servers that need to use DCOM communications, regardless of whether the OPC server uses Serial or Ethernet devices.
  • If OPC communication is confined to a single machine (that is, using COM, but not DCOM), it continues to work properly without making changes to DCOM settings.
  • If you do not plan to use Discover and Auto Configure to connect remotely to OPC servers, then you may not need to change your DCOM settings.
  • If this is the first time you are connecting to (or allowing connections from) other machines on the network, you must run the Windows Network Wizard (from Start > Control Panel) to set up your computer to run on your network. This allows you to share resources on your computer with other computers on your network. It is recommended that you run the Network Setup Wizard before modifying the DCOM settings.

DCOM Settings

The following procedures provide general guidelines for configuring DCOM settings.

To launch the DCOM configurator:

  1. From the Start menu, select or type Run. The Run dialog box appears.
  2. Type: dcomcnfg and click OK.

The Component Services dialog box appears.

System-wide COM/DCOM Limits Settings

This procedure modifies the system-wide DCOM settings for the computer on Windows Server 2008 operating systems. When these steps are implemented, they apply to all programs that use COM/DCOM communications on the computer.

IMPORTANT: Be careful when making any system-wide security changes. Any inadvertent changes may affect the entire system and may cause some or all programs to stop working.

To update system-wide COM/DCOM limits settings:

  1. On the Component Services dialog box, expand Component Services, then expand the Computers item.
  2. Right-click My Computer and choose Properties. The My Computer Properties dialog box appears.
  3. Click the COM Security tab. There are four permissions on this dialog box.

You may need to change the Edit Limits… settings for both Access Permissions and Launch and Activation Permissions.

Do not change the Edit Default… settings, since this will change the default settings for all programs and applications running on the computer.

  4. Click Access Permissions > Edit Limits… The Access Permission dialog box appears.
    1. Select the user labeled ANONYMOUS LOGON, and then select the Allow check box for Remote Access.

NOTE: This setting is necessary for applications that use OPCenum.exe to function and also for some OPC Servers and OPC Clients that set their DCOM “Authentication Level” to “None” to allow anonymous connections. If you do not use such applications, you may not need to enable remote access for anonymous logon users.

    2. Select the user labeled Everyone, and then select the Allow check box for Remote Access.

IMPORTANT: Since “Everyone” includes all authenticated users, it is recommended to add these permissions to a smaller subset of users. One way of doing this is to create a group named “DAC” and add to it all user accounts that will access any OPC server. Then substitute “DAC” wherever “Everyone” appears throughout the DCOM configuration dialogs.

    3. Click OK to close the Access Permissions dialog box and return to the My Computer Properties dialog box.
  5. Click Launch and Activation Permissions > Edit Limits… The Launch Permission dialog box appears.

For each user or group (preferably add the “DAC” group) that needs to launch or activate the OPC server, or participates in OPC / DCOM communications, make sure that the Local Launch, Remote Launch, Local Activation, and Remote Activation check boxes are selected.

  6. Click OK to save your changes, then click OK again to save and close the My Computer Properties dialog box.

OPC Server-specific DCOM Settings

The following procedures detail the OPC server-specific COM/DCOM settings on all supported Windows operating systems. You must change the OPC server settings so remote users can access the OPC server as an OPC Data Access Server. This procedure is also necessary for the GE OPC Client driver to connect to, launch, configure, and start the remote OPC servers.

It is recommended that all Discover and Auto Configure users be members of the Administrators group.

IMPORTANT: Since the “Everyone” group includes all authenticated users, it is recommended to add these permissions to a smaller subset of users.

It is recommended that you create a group to contain individual users that need to access remote OPC servers.

For example, create a group named “DAC” and add those users who will log into the operating systems and access remote OPC servers. Add the users Tom, Denise, and Harry into the DAC group. Each of these users will also be added into the Administrators group. This DAC group should also contain the following built-in security principals: INTERACTIVE; NETWORK; SYSTEM.
Then substitute “DAC” wherever “Everyone” appears throughout the DCOM configuration dialogs.

To modify driver-specific DCOM settings:

  1. Access the DCOM configurator (dcomcnfg.exe). The Component Services dialog box appears.
  2. Expand the Component Services item, then expand the Computers item, and then expand the My Computer item.
  3. Select the DCOM Config object. A list of applications displays.
  4. Right-click the OPC server you want to modify and choose Properties. The <Selected OPC Server> Properties dialog box appears.
  5. Click the General tab. The Authentication Level should be set to “Default,” if it is not already. This uses the default authentication rules that are set in the system-wide DCOM settings.
  6. Click the Location tab and make sure that the "Run Application on this computer" check box is selected.
  7. Click the Security tab and select the Customize option for each of the permissions in this dialog box and edit them as described in the following steps.
  8. In the Launch and Activation Permissions area, click Edit. The Launch and Activation Permission dialog box appears.
  9. Click the Add button. The Select Users or Groups dialog box appears.
  10. Click the Advanced button. Another Select Users or Groups dialog box appears.
  11. Click the Find Now button. In the search results, select the DAC group and click OK. The Select Users or Groups dialog box displays the DAC group.
  12. Click OK to return to the Launch Permission dialog box. The DAC group is displayed in the Group or user names list.
  13. Select the DAC group and then select the Allow check boxes for Local Launch, Remote Launch, Local Activation, and Remote Activation permissions.
  14. Click OK to return to the <Selected OPC Server> Properties dialog box.
  15. In the Access Permissions area, click Edit. The Access Permission dialog box appears.
  16. Click the Add button. The Select Users or Groups dialog box appears.
  17. Click the Advanced button. Another Select Users or Groups dialog box appears.
  18. Click the Find Now button. In the search results, select the DAC group and click OK. The Select Users or Groups dialog box displays the DAC group.
  19. Click OK to return to the Access Permission dialog box. The DAC group is displayed in the Group or user names list.
  20. Select the DAC group and then select the Allow check boxes for Local Access and Remote Access permissions.
  21. Click OK to return to the <Selected OPC Server> Properties dialog box.
  22. In the Configuration Permissions area, click Edit. The Change Configuration Permission dialog box appears.
  23. Click the Add button. The Select Users or Groups dialog box appears.
  24. Click the Advanced button. Another Select Users or Groups dialog box appears.
  25. Click the Find Now button. In the search results, select the DAC group and click OK. The Select Users or Groups dialog box displays the DAC group.
  26. Click OK to return to the Change Configuration Permission dialog box. The DAC group is displayed in the Group or user names list.
  27. Select the DAC group and then select the Allow check boxes for Full Control and Read permissions.
  28. Click OK to return to the <Selected OPC Server> Properties dialog box.
  29. Click OK.
  30. Repeat steps 2 through 29 for each OPC server you need to access remotely.
  31. When you are done, close the Component Services dialog box.
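
To check the outcome of the system-wide and server-specific procedures above, the following PowerShell script reads both sets of permissions from the registry and lists every allow entry that still gives Everyone or ANONYMOUS LOGON a remote right. It is an added example, not part of the vendor documentation; it assumes PowerShell 5 or later, and the $AppNameLike parameter and the Get-BroadRemoteAce function are names made up for this example.

```powershell
# Added audit example (read-only). Run elevated on the machine hosting the OPC server.
param(
    # Assumption: wildcard for the server's name as listed under DCOM Config.
    [string]$AppNameLike = '*OPC*'
)

# Remote bits of a COM permission mask (COM_RIGHTS_* constants, Windows SDK).
$RemoteRights = [ordered]@{
    'Remote Access / Remote Launch' = 0x04   # COM_RIGHTS_EXECUTE_REMOTE
    'Remote Activation'             = 0x10   # COM_RIGHTS_ACTIVATE_REMOTE
}
# Broad principals the page recommends replacing with a group such as "DAC".
$BroadSids = @{ 'S-1-1-0' = 'Everyone'; 'S-1-5-7' = 'ANONYMOUS LOGON' }

function Get-BroadRemoteAce {
    param([string]$Source, [string]$Setting, [byte[]]$Bytes)
    if (-not $Bytes) { return }   # value absent: Windows built-in defaults apply
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($Bytes, 0)
    foreach ($ace in $sd.DiscretionaryAcl) {
        # Only allow entries are reported; deny entries are skipped.
        if ($ace.AceType -ne 'AccessAllowed') { continue }
        $sid = $ace.SecurityIdentifier.Value
        if (-not $BroadSids.ContainsKey($sid)) { continue }
        $granted = @($RemoteRights.Keys | Where-Object { $ace.AccessMask -band $RemoteRights[$_] })
        if ($granted.Count -gt 0) {
            [pscustomobject]@{
                Source    = $Source
                Setting   = $Setting
                Principal = $BroadSids[$sid]
                Granted   = $granted -join ', '
            }
        }
    }
}

# 1. System-wide limits (My Computer > COM Security > Edit Limits).
$ole = Get-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Ole'
foreach ($name in 'MachineAccessRestriction', 'MachineLaunchRestriction') {
    Get-BroadRemoteAce 'System-wide limits' $name $ole.$name
}

# 2. Per-server permissions (DCOM Config > server > Security > Customize).
Get-ChildItem -LiteralPath 'HKLM:\SOFTWARE\Classes\AppID' | ForEach-Object {
    $app = Get-ItemProperty -LiteralPath $_.PSPath
    if ($app.'(default)' -like $AppNameLike) {
        foreach ($name in 'AccessPermission', 'LaunchPermission') {
            Get-BroadRemoteAce $app.'(default)' $name $app.$name
        }
    }
}
```

An empty result means neither principal holds a remote right in the settings that were found. An ANONYMOUS LOGON entry under MachineAccessRestriction is expected where OPCenum.exe is in use, as the NOTE in the system-wide procedure explains.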

 
