Set Up DCOM for Remote OPC Servers
The OPC Client supports DCOM (Distributed Component Object Model) to browse remote OPC Servers. If you want to grant only certain users permission to launch or access the remote OPC servers, use the Windows utility DCOMCNFG.EXE to configure DCOM applications. DCOMCNFG.EXE is usually located in your operating system’s \system32 folder.
When OPC Servers register, they set up initial custom DCOM security settings to enable users on the network to access and launch the Server. On large networks, it is recommended that you modify these settings to avoid confusion and inadvertent changes to a running OPC Server.
If Firewall security is enabled on Windows, you must also modify or add items to the Exceptions list. Refer to Set Up Windows XP or Vista Firewall for Remote OPC Servers.
IMPORTANT NOTES:
- GE recommends that all OPC Client users be members of the Administrators group. To facilitate this, GE recommends creating a users group to contain individual users that need to access remote OPC servers.
For example, create a group named “DAC” and add those users who will log into the operating systems and access remote OPC servers. Add the users Tom, Denise, and Harry into the DAC group. Each of these users will also be added into the Administrators group. This DAC group should also contain the following built-in security principals: INTERACTIVE; NETWORK; SYSTEM.
- To make any OPC Client / OPC Server application work via DCOM, changes need to be made on both sides, especially if you intend to use Asynchronous I/O communications.
- OPCENUM must reside on the remote machine with the OPC server. While most OPC Server applications install and register this file, some do not. You can download this file from www.opcfoundation.org. Currently it is contained within the OPC Core Components 2.00 Redistributable 2.30.msi file. After you download OPCENUM, run the .msi file.
- This section applies to OPC servers that need to use DCOM communications, regardless of whether the OPC server uses Serial or Ethernet devices.
- If OPC communication is confined to a single machine (that is, it uses COM but not DCOM), it continues to work properly without changes to the DCOM settings.
- If you do not plan to use the OPC Client to connect remotely to OPC servers, then you may not need to change your DCOM settings.
- If this is the first time you are connecting to (or allowing connections from) other machines on the network, you must run the Windows Network Wizard (from Start > Control Panel) to set up your computer to run on your network. This allows you to share resources on your computer with other computers on your network. It is recommended that you run the Network Setup Wizard before modifying the DCOM settings.
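The “DAC” group described in the notes above, provisioned with PowerShell as an added example (this script is not part of GE's documentation). It assumes an elevated PowerShell 5.1 or later prompt on the machine that hosts the OPC server, and that the page's example users Tom, Denise and Harry exist as local accounts (use DOMAIN\user for domain accounts). It is safe to re-run: members that are already present are skipped.

```powershell
# Added example, not part of GE's documentation: create the "DAC" group from
# the notes above and populate it as the page recommends.
# Assumptions: elevated PowerShell 5.1+ prompt on the OPC server host; the
# user names are the page's placeholders and exist as local accounts.

$GroupName = 'DAC'
$Users     = @('Tom', 'Denise', 'Harry')

# 1. Create the group if it does not exist yet.
if (-not (Get-LocalGroup -Name $GroupName -ErrorAction SilentlyContinue)) {
    New-LocalGroup -Name $GroupName `
        -Description 'Accounts allowed to launch and access remote OPC servers over DCOM' | Out-Null
}

# Helper: add a member to a local group only if it is not already listed,
# so the script can be run repeatedly without errors.
function Add-MemberIfMissing {
    param([string]$Group, [string]$Member)
    $current = @(Get-LocalGroupMember -Group $Group -ErrorAction SilentlyContinue | ForEach-Object Name)
    # Local accounts are reported as COMPUTERNAME\name; match on the trailing part too.
    if ($current | Where-Object { $_ -eq $Member -or $_ -like "*\$Member" }) { return }
    Add-LocalGroupMember -Group $Group -Member $Member
}

# 2. Add the individual users to DAC and, as the page recommends, to Administrators.
foreach ($u in $Users) {
    Add-MemberIfMissing -Group $GroupName -Member $u
    Add-MemberIfMissing -Group 'Administrators' -Member $u
}

# 3. Add the built-in security principals INTERACTIVE, NETWORK and SYSTEM.
#    net.exe is used here because it accepts these NT AUTHORITY principals
#    by name on every supported Windows version.
foreach ($principal in 'NT AUTHORITY\INTERACTIVE', 'NT AUTHORITY\NETWORK', 'NT AUTHORITY\SYSTEM') {
    $current = @(Get-LocalGroupMember -Group $GroupName -ErrorAction SilentlyContinue | ForEach-Object Name)
    if ($current -notcontains $principal) {
        net localgroup $GroupName $principal /add | Out-Null
    }
}

# 4. Show the resulting membership so it can be checked against the page's list.
Get-LocalGroupMember -Group $GroupName | Select-Object Name, ObjectClass, PrincipalSource
```

The final listing should show the three user accounts plus NT AUTHORITY\INTERACTIVE, NT AUTHORITY\NETWORK and NT AUTHORITY\SYSTEM; that is the group name to substitute for “Everyone” in the DCOM dialogs that follow.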
DCOM Settings
The following procedures provide general guidelines for configuring DCOM settings.
To launch the DCOM configurator:
1. From the Start menu, select or type Run. The Run dialog box appears.
2. Type dcomcnfg and click OK. The Component Services dialog box appears.
System-wide COM/DCOM Limits Settings
This procedure modifies the system-wide DCOM settings for the computer. When these steps are implemented, they apply to all programs that use COM/DCOM communications on the computer.
IMPORTANT: Be careful when making any system-wide security changes. Any inadvertent changes may affect the entire system and may cause some or all programs to stop working.
To update system-wide COM/DCOM limits settings:
1. On the Component Services dialog box, expand Component Services, then expand the Computers item.
2. Right-click My Computer and choose Properties. The My Computer Properties dialog box appears.
3. Click the COM Security tab. There are four permissions on this dialog box.
   You may need to make changes to the Edit Limits… for Access Permissions and Launch and Activation Permissions.
   Do not change the Edit Default… settings, since this will change the default settings for all programs and applications running on the computer.
4. Click Access Permissions > Edit Limits… The Access Permission dialog box appears.
5. Select the user labeled ANONYMOUS LOGON, and then select the Allow check box for Remote Access.
   NOTE: This setting is necessary for applications that use OPCenum.exe to function and also for some OPC Servers and OPC Clients that set their DCOM “Authentication Level” to “None” to allow anonymous connections. If you do not use such applications, you may not need to enable remote access for anonymous logon users.
6. Select the user labeled Everyone, and then select the Allow check box for Remote Access.
   IMPORTANT: Since “Everyone” includes all authenticated users, it is recommended to add these permissions to a smaller subset of users. One way of doing this is to create a Group named “DAC” and add all user accounts to this Group that will access any OPC server. Then substitute “DAC” everywhere that “Everyone” appears in the entire DCOM configuration dialogs.
7. Click OK to close the Access Permission dialog box and return to the My Computer Properties dialog box.
8. Click Launch and Activation Permissions > Edit Limits… The Launch Permission dialog box appears.
   For each user or group (preferably add the “DAC” group) that needs to launch or activate the OPC server, or participates in OPC / DCOM communications, make sure that the Local Launch, Remote Launch, Local Activation, and Remote Activation check boxes are selected.
9. Click OK to save your changes, then click OK again to save and close the My Computer Properties dialog box.
OPC Server-specific DCOM Settings
The following procedures detail the OPC server-specific COM/DCOM settings on all supported Windows operating systems. You must change the OPC server settings so remote users can access the OPC server as an OPC Data Access Server. This procedure is also necessary for the GE OPC Client driver to connect to, launch, configure, and start the remote OPC servers.
IMPORTANT: Since the “Everyone” group includes all authenticated users, it is recommended to add these permissions to a smaller subset of users. GE recommends creating a group to contain individual users that need to access remote OPC servers. GE also recommends that all OPC Client users be members of the Administrators group.
For example, create a group named “DAC” and add those users who will log into the operating systems and access remote OPC servers. Add the users Tom, Denise, and Harry into the DAC group. Each of these users will also be added into the Administrators group. This DAC group should also contain the following built-in security principals: INTERACTIVE; NETWORK; SYSTEM. Then substitute “DAC” everywhere that “Everyone” appears in the entire DCOM configuration dialogs.
To modify driver-specific DCOM settings:
1. Access the DCOM configurator (dcomcnfg.exe). The Component Services dialog box appears.
2. Expand the Component Services item, then expand the Computers item, and then expand the My Computer item.
3. Select the DCOM Config object. A list of applications displays.
4. Right-click the OPC server you want to modify and choose Properties. The <Selected OPC Server> Properties dialog box appears.
5. Click the General tab. The Authentication Level should be left as “Default”. This uses the default authentication rules that are set in the system-wide DCOM settings.
6. Click the Location tab and make sure that the Run Application on this computer check box is selected.
7. Click the Security tab and select the Customize option for each of the permissions in this dialog box and edit them as described in the following steps.
8. In the Launch Permissions area, click Edit. The Launch Permission dialog box appears.
9. Click the Add button. The Select Users and Groups dialog box appears.
10. Click the Advanced button. The Select Users and Groups dialog box appears.
11. Click the Find Now button. In the search results, select the DAC group and click OK. The Select Users and Groups dialog box displays the DAC group.
12. Click OK to return to the Launch Permission dialog box. The DAC group is displayed in the Group or user names list.
13. Select the DAC group and select the Allow check box for Launch Permission.
14. Click OK to return to the <Selected OPC Server> Properties dialog box.
15. In the Access Permissions area, click Edit. The Access Permission dialog box appears.
16. Click the Add button. The Select Users and Groups dialog box appears.
17. Click the Advanced button. The Select Users and Groups dialog box appears.
18. Click the Find Now button. In the search results, select the DAC group and click OK. The Select Users and Groups dialog box displays the DAC group.
19. Click OK to return to the Access Permission dialog box. The DAC group is displayed in the Group or user names list.
20. Select the DAC group and select the Allow check box for Access Permission.
21. Click OK to return to the <Selected OPC Server> Properties dialog box.
22. In the Configuration Permissions area, click Edit. The Change Configuration Permission dialog box appears.
23. Click the Add button. The Select Users and Groups dialog box appears.
24. Click the Advanced button. The Select Users and Groups dialog box appears.
25. Click the Find Now button. In the search results, select the DAC group and click OK. The Select Users and Groups dialog box displays the DAC group.
26. Click OK to return to the Change Configuration Permission dialog box.
27. Select the DAC group and select the Allow check boxes for Full Control and Read.
28. Click OK to return to the <Selected OPC Server> Properties dialog box.
29. Click OK.
30. Repeat steps 2 through 29 for each OPC server you need to access remotely.
31. When you are done, close the Component Services dialog box.
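To confirm that the system-wide Edit Limits… settings and the per-server Launch and Access Permissions ended up as intended, the following added PowerShell script (not part of GE's documentation) decodes the security descriptors that those dialogs write to the registry and lists the rights each principal holds. It reads the registry only and changes nothing. It assumes an elevated PowerShell 5.1 or later prompt and that the OPC server's AppID display name contains “OPC”; the -NameFilter parameter and the function names are choices made for this example, not anything GE ships.

```powershell
# Added example, not part of GE's documentation: report the DCOM rights stored
# by the system-wide "Edit Limits..." dialogs (HKLM\SOFTWARE\Microsoft\Ole) and
# by each OPC server's Security tab (HKLM\SOFTWARE\Classes\AppID\{...}).
# Read-only. Assumption: the server's AppID display name contains "OPC".

# COM access-right bits as defined in the Windows SDK.
$COM_RIGHTS_EXECUTE         = 0x01   # legacy "Execute" bit
$COM_RIGHTS_EXECUTE_LOCAL   = 0x02   # Local Launch  / Local Access
$COM_RIGHTS_EXECUTE_REMOTE  = 0x04   # Remote Launch / Remote Access
$COM_RIGHTS_ACTIVATE_LOCAL  = 0x08   # Local Activation  (launch descriptors only)
$COM_RIGHTS_ACTIVATE_REMOTE = 0x10   # Remote Activation (launch descriptors only)
$SPECIFIC_BITS = $COM_RIGHTS_EXECUTE_LOCAL -bor $COM_RIGHTS_EXECUTE_REMOTE -bor
                 $COM_RIGHTS_ACTIVATE_LOCAL -bor $COM_RIGHTS_ACTIVATE_REMOTE

function ConvertTo-DcomAceReport {
    # Decode one self-relative security descriptor (REG_BINARY) into one row per ACE.
    param([byte[]]$Descriptor, [string]$Source)
    if (-not $Descriptor) {
        # No custom descriptor stored: the dialog is at "Use Default" (per-server
        # values) or the OS default applies (machine limits).
        return [pscustomobject]@{ Source = $Source; Principal = '(no custom descriptor)'; Type = ''
                                  Local = $null; Remote = $null; LocalActivate = $null; RemoteActivate = $null }
    }
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($Descriptor, 0)
    foreach ($ace in ($sd.DiscretionaryAcl | Where-Object { $_ -is [System.Security.AccessControl.KnownAce] })) {
        try   { $who = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $ace.SecurityIdentifier.Value }   # unresolvable SID: keep the raw S-1-... form
        $m = [int]$ace.AccessMask
        # A descriptor written before the per-right bits existed carries only the
        # Execute bit; such an ACE grants every local and remote right.
        $all = (($m -band $COM_RIGHTS_EXECUTE) -ne 0) -and (($m -band $SPECIFIC_BITS) -eq 0)
        [pscustomobject]@{
            Source         = $Source
            Principal      = $who
            Type           = $ace.AceType.ToString()     # AccessAllowed / AccessDenied
            Local          = $all -or (($m -band $COM_RIGHTS_EXECUTE_LOCAL)   -ne 0)
            Remote         = $all -or (($m -band $COM_RIGHTS_EXECUTE_REMOTE)  -ne 0)
            LocalActivate  = $all -or (($m -band $COM_RIGHTS_ACTIVATE_LOCAL)  -ne 0)
            RemoteActivate = $all -or (($m -band $COM_RIGHTS_ACTIVATE_REMOTE) -ne 0)
        }
    }
}

function Get-DcomMachineLimits {
    # Written by COM Security > Access / Launch and Activation Permissions > Edit Limits...
    $ole = Get-Item 'HKLM:\SOFTWARE\Microsoft\Ole'
    foreach ($v in 'MachineAccessRestriction', 'MachineLaunchRestriction') {
        ConvertTo-DcomAceReport -Descriptor $ole.GetValue($v) -Source "Ole\$v"
    }
}

function Get-DcomAppIdPermissions {
    # Written by the per-server Security tab when Launch/Access Permissions are set to Customize.
    param([string]$NameFilter = 'OPC')
    Get-ChildItem 'HKLM:\SOFTWARE\Classes\AppID' -ErrorAction SilentlyContinue | ForEach-Object {
        $label = [string]$_.GetValue('')                 # the AppID's display name
        if ($label -like "*$NameFilter*") {
            foreach ($v in 'LaunchPermission', 'AccessPermission') {
                ConvertTo-DcomAceReport -Descriptor $_.GetValue($v) -Source "$label\$v"
            }
        }
    }
}

function Find-DcomBroadRemoteGrants {
    # Allow ACEs that give remote rights to catch-all principals. After substituting
    # DAC for "Everyone" as the page recommends, the only expected hit is ANONYMOUS
    # LOGON with Remote Access on Ole\MachineAccessRestriction (needed by OPCEnum).
    param([Parameter(ValueFromPipeline)]$Row)
    process {
        if ($Row.Type -ne 'AccessAllowed') { return }
        if (-not ($Row.Remote -or $Row.RemoteActivate)) { return }
        foreach ($broad in 'Everyone', 'ANONYMOUS LOGON', 'Authenticated Users') {
            if ($Row.Principal -like "*$broad") { $Row; break }
        }
    }
}

# Usage: the full report, then only the rows worth a second look.
$report = @(Get-DcomMachineLimits) + @(Get-DcomAppIdPermissions -NameFilter 'OPC')
$report | Format-Table Source, Principal, Type, Local, Remote, LocalActivate, RemoteActivate -AutoSize
$report | Find-DcomBroadRemoteGrants | Format-Table Source, Principal, Remote, RemoteActivate -AutoSize
```

In the per-server rows, a “(no custom descriptor)” entry means the Security tab is still at Use Default for that permission, so step 7 above was not completed for that server. For access descriptors only the Local and Remote columns are meaningful; the activation columns apply to launch descriptors. Running the script on both the server and the client machine shows whether the DAC substitution was carried through on both sides, which the notes at the top of this section call out as a requirement.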