Exele OPC Products:
- TopView for OPC: Process Alarming, Notification, and Remote Monitoring
- OPCcalc: Calculation Engine for OPC
If you cannot connect to your running OPC Server or
have problems reading or writing tag values, you may need to adjust the DCOM
settings on your computer (the OPC Client)
or the OPC Server Computer. If you have questions or
cannot resolve the connection issues with the information below, please
contact us.
- We cannot guarantee that the information below will fix your connection
issues. We are providing this information based on our experience of
"what works" when diagnosing and fixing OPC connection problems.
- The information below is copyrighted by Exele Information Systems, Inc.
and may only be reproduced with permission from Exele. You may print
the information for your own use.
- For more assistance: the OPC Training Institute offers a 5-part
tutorial on OPC & DCOM. You can view this tutorial here
Before adjusting DCOM settings, you may want to
turn on DCOM debugging to get specific information on the exact DCOM error that
is occurring. You can also read about DCOM logging in this
Microsoft knowledgebase article.
You can enable error logging by changing the
registry and then restarting the DCOM process (the Exele OPC Client) that you
want to examine. The DCOM process that you want to examine determines whether
you have to restart the computer.
To turn on DCOM error logging, follow these steps:
1. Click Start, click Run, type regedit, and then click OK.
2. Locate the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole registry subkey.
3. Right-click the Ole value, point to New, and then click DWORD Value.
4. Type ActivationFailureLoggingLevel, and then press ENTER. Double-click
ActivationFailureLoggingLevel, type 1 in the Value data box, and then click OK.
5. Right-click the Ole value, point to New, and then click DWORD Value.
6. Type CallFailureLoggingLevel, and then press ENTER. Double-click
CallFailureLoggingLevel, type 1 in the Value data box, and then click OK.
7. Restart the DCOM program, and then examine the System log and the Application
log for DCOM errors (Event Viewer). The error messages in the Windows
event log contain information that you can use to help resolve the permissions
issue.
You can turn off DCOM error logging by changing the
ActivationFailureLoggingLevel value and the CallFailureLoggingLevel value to
zero.
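The same steps can be scripted. The PowerShell below is an added example, not Exele's or Microsoft's code: it sets the two values named above, collects DCOM errors logged after the failure is reproduced, then sets both values back to zero. The function names are hypothetical, and the event provider names it filters on are an assumption about how DCOM events are labelled on your Windows version.

```powershell
# Added example: scripted form of the regedit steps above. Run in an elevated PowerShell.
$OleKey = 'HKLM:\SOFTWARE\Microsoft\Ole'

function Set-DcomFailureLogging {
    param([ValidateSet(0, 1)][int]$Level)
    foreach ($name in 'ActivationFailureLoggingLevel', 'CallFailureLoggingLevel') {
        # -Force creates the DWORD value or overwrites an existing one
        New-ItemProperty -Path $OleKey -Name $name -PropertyType DWord `
            -Value $Level -Force | Out-Null
    }
}

function Get-DcomErrors {
    param([datetime]$Since)
    # Assumption: DCOM events are logged by 'Microsoft-Windows-DistributedCOM'
    # (current Windows) or 'DCOM' (older systems).
    foreach ($log in 'System', 'Application') {
        Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = $Since; Level = 1, 2, 3 } `
                -ErrorAction SilentlyContinue |
            Where-Object { $_.ProviderName -match 'DistributedCOM|^DCOM$' } |
            Select-Object TimeCreated, LogName, Id, Message
    }
}

$start = Get-Date
Set-DcomFailureLogging -Level 1
Read-Host 'Restart the OPC client, reproduce the failure, then press ENTER'
Get-DcomErrors -Since $start | Format-List
Set-DcomFailureLogging -Level 0   # turn DCOM error logging back off
```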
Background
OPC
Clients (such as Exele's TopView OPC and OPCcalc) and OPC Servers
communicate using DCOM. When the two pieces (the client and server)
are on the same computer, the DCOM permissions are different than if
the two pieces are on separate computers. A typical scenario is that
the OPC client product works fine if it is installed on the OPC
Server computer, but if the client is installed on a separate
computer, the client no longer works properly (cannot browse, cannot
connect).
Server computer: the computer running the OPC Server
Client computer: the computer running the OPC Client (Exele's
TopView or OPCcalc software)
Users and Groups
The first
thing you need to know is the "user" that is running the OPC client
application. If you are running the OPC client as the logged on
user, the user is the logged on user account. If you are running the
client as a Windows service, the user is the LogOn account
configured for the Service (the Equation Server for OPCcalc).
The user account for the OPC client will be called "ClientUser"
Authenticated users: Next, you need to know if ClientUser is
a valid user on the server computer. One question you can ask is
"can I log onto the server computer with the same user (ClientUser)
account and password?". If so, the ClientUser can be considered an
authenticated user (which is desirable) on the server computer. If
not, the ClientUser is not an authenticated user on the server
computer. See User Groups below for important information regarding
non-authenticated users.
Different domains: if the Client
computer and Server computer are located on different domains, you
can follow the instructions below for "non-authenticated
users" or, preferably, create "authenticated users" across the
domains:
- Create a local user account on the OPC Server computer with the
same username/password that the OPC Client application is
running under on the OPC Client computer
- Create a local user account on the OPC Client computer with the
same username/password that the OPC Server is running under on
the OPC Server computer
- Follow the instructions below for "authenticated users"
User Groups: Each computer
(client or server computer) contains User Groups. The ClientUser
will be a member of one or more User Groups on each computer,
although not necessarily the same groups on both computers. The ClientUser will typically be a member of one of the following
groups, depending on the computer (client or server).
The Group or Groups in which ClientUser is a member will be called
"ClientUserGroup"
- The "Everyone" Group: the Everyone group contains the list of
all authenticated users. On the client computer, ClientUser will
typically be a member of Everyone. On the server computer,
ClientUser will be a member of Everyone if ClientUser is an
authenticated user on the server computer (see above). If
ClientUser is not authenticated on the server computer,
ClientUser is not typically a member of the "Everyone" group.
If the ClientUser is authenticated, you can substitute "Everyone"
with a more restrictive group that ClientUser is a member of.
- The "ANONYMOUS LOGON" Group: the "ANONYMOUS LOGON" group
contains unauthenticated users. ClientUser is usually not a
member of this group on the client computer. ClientUser is a
member of ANONYMOUS LOGON if they are not authenticated on the
server computer.
Note!!! If ClientUser is not an
authenticated user on the server computer, you must enable the
Guest user account on the server computer!
DCOM Config
DCOM
Config (dcomcnfg) is the tool used to configure DCOM security
settings. You will need to run this tool on both the client and
server computer, although most of the work will be done on the
server computer.
Launching DCOM Config: Start...Run...dcomcnfg
DCOM: System-wide Settings and Defaults vs. Server-specific settings
DCOM provides system-wide settings and defaults as well as
server-specific settings (for the OPC Server).
A specific server (OPC server, opcenum) can use the system-wide
default settings OR configure its own custom settings. A common
mistake is to change only the system-wide default
settings without realizing that the specific server is not using
these settings.
Accessing DCOM system-wide settings and defaults
Console root...Component services...Computer
Right-click "My Computer" and choose "Properties"

Accessing server-specific DCOM settings
Console root...Component services...Computer...My Computer...DCom Config
Right-click the Server and choose "Properties"

Configuring DCOM for OPC Access
Make sure you have read the information above.
Both computers (Client and Server)
- Turn off any firewalls including the Windows firewall
  There are documents that describe the correct settings for the
  Windows firewall to allow OPC communication. We suggest that you
  turn off the firewalls on both machines, get the connection working,
  then configure the firewall.
  Here is a document from the OPC Foundation that describes the
  correct firewall settings:
  http://www.opcfoundation.org/DownloadFile.aspx?CM=3&RI=326&CN=KEY&CI=282&CU=4
- Set the following information in the DCOM system-wide settings on
  both computers
  Default Properties tab
  - Enable distributed COM on this computer
  - Default Authentication level: Default or Connect
  - Default Impersonation level: Identify

Server computer
- Set the following information in the DCOM system-wide settings
  COM Security tab
  - Click [Edit Default] button for both "Access Permissions" and
    "Launch and Activate Permissions"
    Note that these settings are used if the server-specific DCOM
    settings specify "use default" and not "custom"
  - If ClientUser is an authenticated user on the server computer, make
    sure that ClientUser or the Everyone group has full access for
    local and remote settings (as shown below)
  - If ClientUser is not an authenticated user on the server computer,
    add "ANONYMOUS LOGON" and "Everyone" with full access for
    local and remote settings. If "Everyone" is not granted remote
    access for "Launch and Activation Permissions" and ClientUser is
    not authenticated on the server computer, you will not be able
    to connect to an OPC Server that uses the default permissions.

- OPCEnum:
  Exele's OPC products allow you to "Query" a computer for a list of
  its OPC Servers. This function is provided through the DCOM server
  OPCENUM on the server computer.
  - Access the server-specific settings for opcenum
  - Verify: Authentication level = none
  - Select the Identity tab
    Here, you will see the user account that will run the OPC server.
    OPCEnum should be set to run as a service. Therefore, "the
    system account" should be selected.
  - Select the Security tab
    The top 2 permission sets are "Launch and Activation
    Permissions" and "Access Permissions"
    - If "Use Default" is selected, the system-wide default settings
      we previously set (see [Edit Defaults] button above) are used.
      Since we allowed access to ClientUser for the system-wide
      default settings, no further configuration is necessary.
    - If "Customize" is selected, the system-wide default permissions
      we previously set are not used. Therefore, you need to click
      both [Edit] buttons and verify that ClientUser or
      ClientUserGroup is granted full local and remote access.
      If ClientUser is an authenticated user on the server
      computer, make sure that ClientUser or the Everyone group
      has full access for local and remote settings for both
      [Edit] button settings (as shown below).
      If ClientUser is not an authenticated user on the server
      computer, add "ANONYMOUS LOGON" and "Everyone" with full
      access for local and remote settings for both [Edit] button
      settings.

- OPC Server settings
  We need to make sure that ClientUser can connect to the OPC Server.
  The DCOM Server for your OPC Server may use the system-wide default
  DCOM settings OR it may override these settings with its own.
  The process here is similar to the process just completed for
  OPCEnum.
  - Access the server-specific settings for your OPC Server
  - Verify: Authentication level = Connect or Default
  - Select the Identity tab
    Here, you will see the user account that will run the OPC server.
    Use "The interactive user" if someone is always logged onto the
    server computer.
    Use "The system account" if the OPC server is running as a
    Windows service.
    Use "This user" if neither applies. Make sure the entered user
    has a high level of permissions (Administrator).
    You can use "Launching user" to launch as ClientUser, but note
    that this setting can fail the connection if ClientUser is not
    authenticated on the server computer.
  - Select the Security tab and follow the same instructions as for
    opcenum above (OPCenum, "Select the Security tab") to set
    full local and remote access permissions for ClientUser.
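To see whether a DCOM server is using the system-wide defaults or its own "Customize" permissions (the common mistake described under "System-wide Settings and Defaults vs. Server-specific settings"), the registry can be read directly. The PowerShell below is an added example, not Exele's code; it only reads values, assumes the AppID's display name contains "OpcEnum" (change `$AppIdName` for your OPC Server), and lists any "Everyone" or "ANONYMOUS LOGON" entries so they can later be swapped for a more restrictive group.

```powershell
# Added example: read-only DCOM security report. Run in an elevated PowerShell.
$AppIdName = 'OpcEnum'   # assumption: name as listed under DCOM Config
$Ole   = Get-Item 'HKLM:\SOFTWARE\Microsoft\Ole'
$Watch = @{ 'S-1-1-0' = 'Everyone'; 'S-1-5-7' = 'ANONYMOUS LOGON' }
# COM access-mask bits (2/4 = local/remote access or launch, 8/16 = activation)
$Bits  = @{ 2 = 'Local'; 4 = 'Remote'; 8 = 'LocalActivation'; 16 = 'RemoteActivation' }

function Show-Acl([string]$Label, [byte[]]$Bytes, [string]$Source) {
    if (-not $Bytes) { "{0}: no value stored (Windows built-in default applies)" -f $Label; return }
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($Bytes, 0)
    "{0} [{1}]: {2}" -f $Label, $Source, $sd.GetSddlForm('Access')
    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier.Value
        if ($Watch.ContainsKey($sid)) {
            $rights = foreach ($b in 2, 4, 8, 16) { if ($ace.AccessMask -band $b) { $Bits[$b] } }
            "  {0} for {1}: {2}" -f $ace.AceType, $Watch[$sid], ($rights -join ', ')
        }
    }
}

# System-wide defaults (Default Properties tab). Levels: 1 = None, 2 = Connect;
# impersonation 2 = Identify.
"EnableDCOM={0}  DefaultAuthentication={1}  DefaultImpersonation={2}" -f `
    $Ole.GetValue('EnableDCOM'), $Ole.GetValue('LegacyAuthenticationLevel'),
    $Ole.GetValue('LegacyImpersonationLevel')

# Server-specific settings: one registry key per AppID GUID
$apps = Get-ChildItem 'HKLM:\SOFTWARE\Classes\AppID' |
    Where-Object { $_.PSChildName -like '{*' -and $_.GetValue('') -like "*$AppIdName*" }

foreach ($app in $apps) {
    "`n== {0} {1}" -f $app.GetValue(''), $app.PSChildName
    "AuthenticationLevel={0}  RunAs={1}  LocalService={2}" -f `
        $app.GetValue('AuthenticationLevel'), $app.GetValue('RunAs'), $app.GetValue('LocalService')
    foreach ($kind in 'Launch', 'Access') {
        $custom = $app.GetValue("${kind}Permission")
        if ($custom) { Show-Acl "$kind permission" $custom 'Customize' }
        else { Show-Acl "$kind permission" ($Ole.GetValue("Default${kind}Permission")) 'Use Default' }
    }
}
```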
Client Computer:
- Use the OPC Client to configure your OPC Server Alias for the server
computer. You should be able to Query the OPC Servers on the server
computer.
- Stop the OPC Client application
- Start the OPC Client application and try to connect to the OPC Server using
the [Tag Search] button in the OPC Client.
Hopefully, you are now a happy individual!