OPC and DCOM: Five things you need to know — Part 1

By Randy Kondor*
Saturday, 18 October, 2008


OPC technology relies on Microsoft’s COM and DCOM to exchange data between automation hardware and software; however, it can be frustrating for new users to configure DCOM properly. If you have ever been unable to establish an OPC connection or transfer OPC data successfully, the underlying issue is likely DCOM-related.

A simple and effective strategy to establish reliable DCOM communication involves the following steps:

  1. Remove Windows security
  2. Set up mutual user account recognition
  3. Configure system-wide DCOM settings
  4. Configure server-specific DCOM settings
  5. Restore Windows security

In addition, this article covers troubleshooting tips to identify common OPC and DCOM problems, their symptoms, causes, and how to solve them. This will help integrators set up reliable and secure OPC connections.

Remove Windows security

The first step to establish DCOM communication is to disable the Windows firewall, which is turned on by default in Windows XP Service Pack 2 and later. The firewall helps protect computers from unauthorised access (usually from viruses, worms and people with malicious or negligent intent). If the computer resides on a safe network, there is usually little potential for damage as long as the firewall is turned off for a short period of time. Check with the network administrator to ensure it is safe to turn off the firewall temporarily. You will turn the firewall back on once DCOM has been configured.

To turn off the Windows firewall, follow the steps below:

  1. Click on the Windows Start button, select the Control Panel, and finally click on Windows Firewall.
  2. In the General tab, select the ‘Off (not recommended)’ radio button (refer to Figure 1).
Figure 1: Temporarily turn off the Windows firewall to allow remote access to the OPC Server computer.

Set up mutual user account recognition

For the OPC client and server computers to recognise each other's users, every user account that will require OPC access must exist on both computers.

Adding user accounts

Ensure that both computers have access to the same username and password combinations. Usernames and passwords must match on all computers that require OPC access.

Note that a user account must have a username and password. It is not possible to establish communication if a user account does not have a password.

When using Windows workgroups, each computer must have a complete list of all user accounts and passwords.

When using a single Windows domain, user accounts are properly synchronised by the domain controller.

When using multiple Windows domains, you will either have to establish a trust between the domains, or add a local user account to the affected computers. (Refer to Microsoft’s Technet site for information about establishing a domain trust.)

Local users authenticate as themselves

In Windows XP and Windows Vista, there is another setting that you should modify. This is not necessary in Windows 2000 or earlier. Simple File Sharing is always turned on in computers running Windows XP Home Edition. By default, the Simple File Sharing user interface is turned on in computers running Windows XP Professional that are joined to a workgroup. Windows XP Professional computers that are joined to a domain use only the classic file sharing and security interface. Simple File Sharing forces every remote user to authenticate as the guest user account. This will not enable you to establish proper security. There are two ways to turn this option off. Either way will work. I personally prefer the second method because there are more security options that Windows makes available.

Method 1: Turning off Simple File Sharing.

  1. Double-click ‘My Computer’ on the desktop or the Start menu.
  2. On the Tools menu, click ‘Folder Options’.
  3. Click the ‘View’ tab, and then clear the ‘Use simple file sharing (Recommended)’ check box to turn off Simple File Sharing (see Figure 2).
Figure 2: Turn off ‘Simple File Sharing’ to enable Windows to authenticate user accounts properly.

Method 2: Set local security policies

  1. Click on the Windows Start button, and then select Control Panel, Administrative Tools, and Local Security Policy. If you can’t see Administrative Tools in the Control Panel, simply select Classic View in the Control Panel. As an alternative to all of this, click on the Windows Start button, select the Run menu option and type ‘secpol.msc’.
  2. In the tree control, navigate to Security Settings, Local Policies and finally select the Security Options folder (see Figure 3).
  3. Find the ‘Network access: Sharing and security model for local accounts’ option and set it to ‘Classic — local users authenticate as themselves’.


Figure 3: Appropriate OPC security requires Windows to enable local users to authenticate as themselves rather than as a Guest.

Configure system-wide DCOM settings

OPC specifications that precede OPC Unified Architecture (OPC UA) depend on Microsoft’s DCOM for data transport. Consequently, you must configure DCOM settings properly. It is possible to configure the default system-wide DCOM settings, as well as the settings for a specific OPC server.

The system-wide changes affect all Windows applications that use DCOM, including OPC applications. In addition, since OPC client applications do not have their own DCOM settings, they are affected by changes to the default DCOM configuration. To make the necessary changes, follow the steps below:

Figure 4: Use DCOMCNFG to modify DCOM settings on the computer.

  1. Click on the Windows Start button, and select the ‘Run...’ menu option (see Figure 4).
  2. In the Run dialog box, type ‘DCOMCNFG’ to initiate the DCOM configuration process, and click the OK button. The Component Services window will appear (see Figure 5).
  3. Once in the Component Services window (which is initiated by DCOMCNFG as above), navigate inside the Console Root folder to the Component Services folder, then to the Computers folder. Finally, you will see the My Computer tree control inside the Computers folder.
  4. Right click on My Computer. Note that this is not the ‘My Computer’ icon on your desktop; rather it is the ‘My Computer’ tree control in the Component Services application.
  5. Select the Properties option.


Figure 5: Right click on the My Computer tree control to access the computer’s default DCOM settings.

Default properties

In the Default Properties tab, ensure that three specific options are set as follows (refer to Figure 6):

  1. Check the ‘Enable Distributed COM on this computer’ menu option. Note that you will have to reboot the computer if you make changes to this checkbox.
  2. Set the ‘Default Authentication Level’ to Connect. It is possible to use other settings in the list, but the ‘Connect’ option is the minimum level of security that you should consider.
  3. Set the ‘Default Impersonation Level’ to Identify.


Figure 6: The Default Properties tab enables users to turn DCOM on or off, as well as set the Authentication and Impersonation configuration.


Default protocols

In the Default Protocols tab (refer to Figure 7), set the DCOM protocols to ‘Connection-oriented TCP/IP’. OPC communication only requires ‘Connection-oriented TCP/IP’, so it is possible to delete the rest of the DCOM protocols. However, if these protocols are indeed required for non-OPC applications, you can leave them there. The only consequence is that timeouts may take a little longer to occur.


Figure 7: In the Default Protocols tab, set the DCOM Protocols to ‘Connection-Oriented TCP/IP’.

Figure 8: Use the COM Security tab to set the default Access Control Lists (ACLs).

COM security

Windows uses the COM Security tab (refer to Figure 8) to set the system-wide access control lists (ACLs) for all objects. The ACLs are included for Launch/Activation (ability to start an application) and Access (ability to exchange data with an application). Note that on some systems, the ‘Edit Limits’ buttons are not available.

To add the correct permissions, refer to Figure 9 and follow the steps below:

  1. In the Access Permissions group, click the ‘Edit Default...’ button. Add ‘Everyone’ to the list of Group or user names. Click the OK button.
  2. In the Access Permissions group, click the ‘Edit Limits...’ button. Add ‘Anonymous Logon’ (required for OPCEnum) and ‘Everyone’ to the list of ‘Group or user names’. Click the OK button.
  3. In the Launch and Activation Permissions group, click the ‘Edit Default...’ button. Add ‘Everyone’ to the list of ‘Group or user names’. Click the OK button.
  4. In the Launch and Activation Permissions group, click the ‘Edit Limits...’ button. Add ‘Everyone’ to the list of ‘Group or user names’. Click the OK button.


Figure 9: Add Everyone and Anonymous Logon to the Launch and Access Permissions. Once communication is working properly, remember to return to this setup to ensure you comply with corporate security policies.
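The steps above (firewall, local security policy, default properties, default protocols and COM security) all leave their marks in well-known places in the registry, and the final step of the procedure is to tighten them again. The following PowerShell script is an added example, not code from the article or from OPCTI: it reads back every setting the procedure touches and flags the ones that are still in the temporary ‘open’ state, so the restore step can be verified rather than assumed. It assumes Windows PowerShell 5.1 or later run from an elevated prompt, that DCOMCNFG stores its settings in the documented locations under HKLM\SOFTWARE\Microsoft\Ole, HKLM\SOFTWARE\Microsoft\Rpc and the Lsa key, and that Get-NetFirewallProfile is available (Windows 8 / Server 2012 and later; on the XP-era systems the article describes, use ‘netsh firewall show state’ instead). The function names Test-DcomSecurity, Get-RegValue and ConvertFrom-DcomAcl are my own.

```powershell
# Added audit script (not from the original article or OPCTI). Reads back the settings
# the five-step DCOM procedure changes so that step 5, "restore Windows security",
# can be checked. Assumes Windows PowerShell 5.1+, run elevated; Get-NetFirewallProfile
# needs Windows 8 / Server 2012 or later (older systems: netsh firewall show state).

Set-StrictMode -Version Latest

$Ole = 'HKLM:\SOFTWARE\Microsoft\Ole'
$Rpc = 'HKLM:\SOFTWARE\Microsoft\Rpc'
$Lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Trustees the article adds to the default DCOM ACLs; they should be gone after step 5
$BroadSids = @{ 'S-1-1-0' = 'Everyone'; 'S-1-5-7' = 'ANONYMOUS LOGON' }

# COM access-mask bits (COM_RIGHTS_* in combaseapi.h)
$ComRights = [ordered]@{ 1 = 'Execute'; 2 = 'ExecuteLocal'; 4 = 'ExecuteRemote'; 8 = 'ActivateLocal'; 16 = 'ActivateRemote' }

# Names for the numeric authentication and impersonation levels shown in DCOMCNFG
$AuthLevels = @{ 1 = 'None'; 2 = 'Connect'; 3 = 'Call'; 4 = 'Packet'; 5 = 'Packet Integrity'; 6 = 'Packet Privacy' }
$ImpLevels  = @{ 1 = 'Anonymous'; 2 = 'Identify'; 3 = 'Impersonate'; 4 = 'Delegate' }

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null for a missing key or value instead of throwing
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function ConvertFrom-DcomAcl([byte[]]$Bytes) {
    # DCOMCNFG stores each permission set as a binary security descriptor;
    # emit one record per ACE with the trustee name and the decoded COM rights
    if ($null -eq $Bytes) { return @() }
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($Bytes, 0)
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        $sid = $ace.SecurityIdentifier.Value
        $name = if ($BroadSids.ContainsKey($sid)) { $BroadSids[$sid] }
                else { try { $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid } }
        $rights = ($ComRights.Keys | Where-Object { ($ace.AccessMask -band $_) -ne 0 } | ForEach-Object { $ComRights[$_] }) -join ','
        [pscustomobject]@{ Type = $ace.AceType; Trustee = $name; Sid = $sid; Rights = $rights }
    }
}

function Test-DcomSecurity {
    # One finding per setting. State 'Open' marks the temporary state the procedure
    # puts the machine in; 'OK' matches the article's target; 'Check' needs a look.
    $findings = [System.Collections.Generic.List[object]]::new()
    function Add-Finding([string]$Setting, $Value, [string]$State) {
        $findings.Add([pscustomobject]@{ Setting = $Setting; Value = $Value; State = $State })
    }

    # Step 1 / 5: Windows firewall, per profile
    try {
        foreach ($p in Get-NetFirewallProfile) {
            $on = "$($p.Enabled)" -eq 'True'
            Add-Finding "Firewall ($($p.Name))" $p.Enabled $(if ($on) { 'OK' } else { 'Open' })
        }
    } catch { Add-Finding 'Firewall' 'Get-NetFirewallProfile unavailable' 'Check' }

    # Step 2: "Network access: Sharing and security model" (ForceGuest 0 = Classic, 1 = Guest only)
    $fg = Get-RegValue $Lsa 'ForceGuest'
    $fgName = if ($null -eq $fg) { 'not set' } elseif ($fg -eq 0) { 'Classic' } else { 'Guest only' }
    Add-Finding 'Sharing and security model for local accounts' $fgName $(if ($fg -eq 1) { 'Check' } else { 'OK' })

    # Step 3: default properties (absent level values mean the built-in default: Connect / Identify)
    $enable = Get-RegValue $Ole 'EnableDCOM'
    Add-Finding 'Enable Distributed COM' $enable $(if ($enable -eq 'Y') { 'OK' } else { 'Check' })
    $auth = Get-RegValue $Ole 'LegacyAuthenticationLevel'
    $authName = if ($null -eq $auth) { 'default (Connect)' } else { $AuthLevels[[int]$auth] }
    Add-Finding 'Default Authentication Level' $authName $(if ($auth -eq 1) { 'Open' } else { 'OK' })
    $imp = Get-RegValue $Ole 'LegacyImpersonationLevel'
    $impName = if ($null -eq $imp) { 'default (Identify)' } else { $ImpLevels[[int]$imp] }
    Add-Finding 'Default Impersonation Level' $impName $(if ($null -eq $imp -or $imp -eq 2) { 'OK' } else { 'Check' })

    # Step 3: default protocols; OPC only needs connection-oriented TCP/IP (ncacn_ip_tcp)
    $protos = Get-RegValue $Rpc 'DCOM Protocols'
    Add-Finding 'DCOM Protocols' ($protos -join ', ') $(if ($protos -contains 'ncacn_ip_tcp') { 'OK' } else { 'Check' })

    # Step 3: COM Security tab. Edit Default = Default*Permission, Edit Limits = Machine*Restriction.
    foreach ($name in 'DefaultAccessPermission', 'MachineAccessRestriction', 'DefaultLaunchPermission', 'MachineLaunchRestriction') {
        $aces  = @(ConvertFrom-DcomAcl (Get-RegValue $Ole $name))
        $broad = @($aces | Where-Object { $BroadSids.ContainsKey($_.Sid) -and $_.Type -eq 'AccessAllowed' })
        $summary = if ($aces.Count -eq 0) { 'not set (built-in default)' }
                   else { ($aces | ForEach-Object { "$($_.Trustee)[$($_.Rights)]" }) -join '; ' }
        Add-Finding $name $summary $(if ($broad.Count -gt 0) { 'Open' } else { 'OK' })
    }
    return $findings
}

# Usage: run elevated and review every row whose State is 'Open' before signing off step 5
Test-DcomSecurity | Format-Table -AutoSize -Wrap
```

The four ACL values are decoded rather than just dumped because DCOMCNFG writes them as raw security descriptors; seeing ‘Everyone[ExecuteLocal,ExecuteRemote]’ under MachineAccessRestriction is what tells you the Figure 9 step has not yet been reversed. A row marked ‘Open’ on a machine that is supposed to be back in production is the practical check that the temporary configuration did not become permanent.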

In part 2

In this article we have explained the initial system-wide settings that are required for DCOM to operate correctly on a PC that is to run an OPC server. In the next part we will discuss the server-specific settings which will need to be configured for your specific OPC application, and then finally set the Windows security correctly.

*Randy Kondor is a computer engineer, and is the president of the OPC Training Institute, the world’s largest OPC training company. Kondor has been involved with the OPC industry since 1996 and is a strong supporter of the OPC Foundation. He continues to dedicate himself to spreading the OPC Foundation’s message about system interoperability and inter-vendor cooperation.

OPC Training Institute (OPCTI)
www.opcti.com
