DCOM Configuration. Dcomcnfg.
OPC and DCOM Configuration on Windows 2008 and Windows 7
4. Specifying DCOM properties
For OPC servers to run correctly, you should specify the DCOM network and security properties.
There is no need to configure OpcEnum because this service is automatically configured when you install "OPC Core Components".
This example shows how to specify the properties for the test OPC server "Test OPC Server". You can specify the DCOM properties using the "dcomcnfg" service command.
To run "dcomcnfg" from the command line, open the Run dialog box by pressing Win+R on the keyboard.
Fig. 20 Running the components service
4.1 Specifying the default properties
Fig. 21 Properties
Fig. 22 COM security
Click button 1 (fig. 22). In the new dialog box (fig. 23):
- Click the "Add" button;
- Add the "DCOM users" group by completing operations similar to those shown in figures 7 - 9;
- Set access permissions for it;
- Click the "OK" button to save the changes.
Fig. 23 Configuring access permissions
Repeat these actions in the "Launch and Activation Permission" dialog box (fig. 24), which appears when you click the "Edit Default..." button 2 (fig. 22).
Fig. 24 Configuring launch permissions
Delete all protocols except for TCP/IP on the "Default Protocols" tab (fig. 25) and click "OK" to save the changes in the "My Computer Properties" dialog box.
Fig. 25 Configuring launch permissions
4.2 Specifying OPC server properties
Fig. 26 Specifying DCOM properties for the OPC server
Since all properties have already been specified for the entire computer, you should make sure that the OPC server uses the default properties.
Fig. 27 General OPC server properties
Fig. 28 Security properties
Fig. 29 Endpoints
Fig. 30 Identity
On the "Identity" tab, specify the previously created user that will launch the OPC server.
Note 1. Before you edit the properties of the OPC server, make sure that it is not running and is absent from the list of active processes. Alternatively, restart the OPC server after you edit its properties.
Note 2. Some OPC servers must be launched with administrator permissions at least once in order to get registered in the system and initialize their parameters. They become available for detection via OpcEnum and for connection only after such initialization.
4.3 Configuring "Everyone" access to OPC servers
Attention! Access permission for everyone may lower the security level of the computer.
Sometimes it may be necessary to permit access to the OPC server for everyone, including anonymous users, for example when the computer with the server does not belong to the domain and many clients will be connecting to the server.
Advantages:
- The computer with the server does not have to belong to the domain;
- There is no need to create users on the computer with the OPC server;
- Users can run the OPC client using their own account.
Disadvantages:
- Lower security because remote access to DCOM is open to everyone.
If you want to provide access to the OPC server for everyone, you should configure individual access permissions for the selected OPC server.
Open the DCOM properties for the OPC server as shown in section 4.2 and edit them according to fig. 31 - fig. 34. The other properties must correspond to the ones specified in section 4.2.
Fig. 31 General properties
Fig. 32 Security properties
Fig. 33 Launch and activation permissions
Fig. 34 Access permissions
Next, configure the local security policy in the "Local Security Policy" console.
To open the console from the command line, run the "secpol.msc" command.
Windows 2008 Server: You can open the console by selecting "Start" - "Administrative Tools" - "Local Security Policy".
Windows 7: You can open the console by selecting "Start" - "Control panel" - "System and Security" - "Administrative Tools" - "Local Security Policy" (fig. 34.1).
Fig. 34.1 Windows 7. Administrative tools
Navigate to the "Local Policies: Security Options" section and set the status of the "Let Everyone permissions apply to ..." policy to "Enabled" (fig. 35).
Fig. 35 Security policy properties
If you change the security policy (as shown in fig. 35) and OPC clients cannot get the list of OPC servers and connect to them, you should specify and save advanced security policy properties (fig. 36-37).
Fig. 36 DCOM: access restrictions
Fig. 37 DCOM: launch restrictions
You can find the detailed description of how to add a group or user in section 2.2.
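To review what sections 4.1 and 4.3 leave exposed, the following added example (not part of the original guide) reads the corresponding registry values and lists every allow entry that grants remote access, launch or activation to Everyone or ANONYMOUS LOGON. It assumes the standard Windows registry locations for these settings; the AppID GUID is a placeholder to replace with the OPC server's own.

```powershell
# Added audit example, not from the original guide. Read-only.
# Run in an elevated Windows PowerShell session on the OPC server computer.
$AppId  = '{00000000-0000-0000-0000-000000000000}'  # placeholder: AppID of the OPC server
$Broad  = @{ 'S-1-1-0' = 'Everyone'; 'S-1-5-7' = 'ANONYMOUS LOGON' }
$Remote = 0x04 -bor 0x10  # COM_RIGHTS_EXECUTE_REMOTE, COM_RIGHTS_ACTIVATE_REMOTE

function Get-BroadRemoteAce {
    param([string]$Setting, $Value)  # $Value: REG_BINARY descriptor or SDDL string
    if (-not $Value) { return }      # value not set: Windows built-in default applies
    $sd = if ($Value -is [byte[]]) {
        New-Object System.Security.AccessControl.RawSecurityDescriptor($Value, 0)
    } else {
        New-Object System.Security.AccessControl.RawSecurityDescriptor([string]$Value)
    }
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.AceType -ne 'AccessAllowed') { continue }
        $sid = $ace.SecurityIdentifier.Value
        # A mask of exactly 1 (COM_RIGHTS_EXECUTE alone) is the legacy form,
        # which COM treats as local and remote rights together.
        if ($Broad.ContainsKey($sid) -and
            (($ace.AccessMask -band $Remote) -or $ace.AccessMask -eq 1)) {
            New-Object PSObject -Property @{ Setting = $Setting
                Trustee = $Broad[$sid]; Mask = '0x{0:X}' -f $ace.AccessMask }
        }
    }
}

$ole = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Ole' -ErrorAction SilentlyContinue
$pol = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DCOM' -ErrorAction SilentlyContinue
$app = Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\AppID\$AppId" -ErrorAction SilentlyContinue
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$rpc = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Rpc'

"EveryoneIncludesAnonymous: $($lsa.EveryoneIncludesAnonymous) (1 = policy in fig. 35 enabled)"
"Default DCOM protocols: $($rpc.'DCOM Protocols' -join ', ') (TCP/IP is ncacn_ip_tcp)"

$findings = @(
    Get-BroadRemoteAce 'Default access permissions (4.1)'  $ole.DefaultAccessPermission
    Get-BroadRemoteAce 'Default launch permissions (4.1)'  $ole.DefaultLaunchPermission
    Get-BroadRemoteAce 'Machine access limits'             $ole.MachineAccessRestriction
    Get-BroadRemoteAce 'Machine launch limits'             $ole.MachineLaunchRestriction
    Get-BroadRemoteAce 'Policy: DCOM access restrictions'  $pol.MachineAccessRestriction
    Get-BroadRemoteAce 'Policy: DCOM launch restrictions'  $pol.MachineLaunchRestriction
    Get-BroadRemoteAce 'OPC server access permissions'     $app.AccessPermission
    Get-BroadRemoteAce 'OPC server launch permissions'     $app.LaunchPermission
)
if ($findings) { $findings | Format-Table Setting, Trustee, Mask -AutoSize }
else { 'No remote allow entries for Everyone or ANONYMOUS LOGON were found.' }
```

On a computer configured as in section 4.2 only, the table should be empty for the OPC server rows; any row that appears after applying section 4.3 is an entry to keep under review.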