OPC DA Server DCOM Settings
To manage user access to an OPC DA Server, it is recommended that you create a Windows user group with appropriate DCOM settings on the host server rather than dealing with Windows user identities individually. You can then just add users to this group as required. In the case of Windows 2003 and Windows 7, you can make use of the built-in system group "Distributed COM users". Otherwise, see the Windows documentation for information on how to create a user group.
Once the required user group has been created, you need to configure the following:
To configure the machine-wide user group DCOM settings
- Launch the Windows Component Services manager. To do this, go to Control Panel, open Administrative Tools and then Component Services.
- Expand the Component Services folder, and the Computers folder.
- Right click on the My Computer folder, and select Properties.
- Go to the COM Security tab.
- In the Access Permissions section, click on the Edit Limits button. Make the following adjustments:
  - add the OPC DA Server users group you have created
  - allow both Local Access and Remote Access for the users group
  - click OK
- In the Access Permissions section, now click on the Edit Default... button. Make the following adjustments:
  - add the OPC DA Server users group you have created
  - allow both Local Access and Remote Access for the users group
  - click OK
- In the Launch and Activation Permissions section, click on the Edit Limits button. Make the following adjustments:
  - add the OPC DA Server users group you have created
  - allow Local Launch, Remote Launch, Local Activation and Remote Activation for the users group
  - click OK
- You can now exit the Properties dialog.
To configure the OPC DA Server specific settings
- Launch the Windows Component Services manager. To do this, go to Control Panel, open Administrative Tools and then Component Services.
- Expand the Component Services folder, the Computers folder, the My Computer folder, and the DCOM Config folder.
- Locate the "Schneider Electric SCADA OPC DA Server" component and select Properties.
- Go to the Security tab.
- In the Launch and Activation Permissions section, select Customize and click on the Edit button. Make the following adjustments:
  - add the OPC DA Server users group you have created
  - allow Local Launch, Remote Launch, Local Activation and Remote Activation for the users group
  - click OK
- Go to the Identity tab. This is where you define which user accounts can run the OPC DA Server. The setting you choose will have the following implications:
  - The interactive user is the default option. This means the OPC DA Server will run using the security context of the Windows user currently logged in to the local computer. If there is no active Windows user logged in, or if the current user identity doesn't have the launching and activation permissions for the OPC DA Server, a connection will be unsuccessful.
  - The launching user - a connection will not be successful on Windows XP or 2003 if there is already an instance of the Runtime Manager running under the active Windows session. Similarly, launching the Runtime Manager using a local Windows login will be unsuccessful if an instance of the Runtime Manager has already been launched by a DCOM connection.
    This scenario will work on Windows Vista and Windows 7. In this case, a local active Windows login is not required. However, each login session invisibly spawns multiple instances of the Runtime Manager, the OPC DA Server and the client if multiple users connect at the same time. This setting is considered a resource-consuming option.
  - This user allows you to identify a specific user. A connection will not be successful if there is already an instance of the Runtime Manager running under the active Windows session. Similarly, launching the Runtime Manager using a local Windows login will be unsuccessful if an instance of the Runtime Manager has already been launched by a DCOM connection. However, this option does avoid the situation where multiple instances of the Runtime Manager and the OPC DA Server are launched.
- Once you have selected an option, you can exit the Properties dialog.
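An added audit example (not part of the original documentation or the vendor's tooling): once the machine-wide and component-specific steps above are done, this PowerShell script lists which accounts and groups hold local and remote DCOM rights, so you can confirm the OPC DA Server users group received the intended rights and spot any broader grants. It assumes the standard registry location for machine-wide DCOM security (HKLM:\SOFTWARE\Microsoft\Ole) and that the component's WMI caption matches the name shown in Component Services.

```powershell
# Added audit example, not vendor code. Run from an elevated Windows PowerShell 5.1+ session.
# COM_RIGHTS_* access-mask bits as defined in the Windows SDK. Bits 2 and 4 mean
# Local/Remote Access in an access ACL and Local/Remote Launch in a launch ACL.
$ComRights = @{ 1 = 'Execute'; 2 = 'Local'; 4 = 'Remote'; 8 = 'Local Activation'; 16 = 'Remote Activation' }

function ConvertFrom-ComAcl {
    param([byte[]]$Bytes, [string]$Source)
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($Bytes, 0)
    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid.Value }   # SID that no longer resolves to an account
        $rights = foreach ($bit in 1, 2, 4, 8, 16) {
            if ($ace.AccessMask -band $bit) { $ComRights[$bit] }
        }
        [pscustomobject]@{
            Source     = $Source
            Trustee    = $name
            AceType    = $ace.AceType                      # AccessAllowed or AccessDenied
            RemoteBits = [bool]($ace.AccessMask -band 20)  # 4 (remote) or 16 (remote activation)
            Rights     = $rights -join ', '
        }
    }
}

# Machine-wide settings from the COM Security tab: "Edit Limits" and "Edit Default".
# A value is absent from the registry if that setting was never customized.
$ole = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole'
$report = @(foreach ($value in 'MachineAccessRestriction', 'MachineLaunchRestriction',
                               'DefaultAccessPermission', 'DefaultLaunchPermission') {
    if ($ole.$value) { ConvertFrom-ComAcl -Bytes $ole.$value -Source $value }
})

# Component-specific settings from DCOM Config (Security and Identity tabs).
# Assumption: the WMI Caption matches the name shown in Component Services.
$caption = 'Schneider Electric SCADA OPC DA Server'
$app = Get-CimInstance -ClassName Win32_DCOMApplicationSetting |
       Where-Object { $_.Caption -eq $caption }
if ($app) {
    "Identity (RunAsUser): $($app.RunAsUser)"   # blank when no RunAs value is set for the AppID
    $key = Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\AppID\$($app.AppID)"
    if ($key.LaunchPermission) {
        $report += ConvertFrom-ComAcl -Bytes $key.LaunchPermission -Source 'AppID LaunchPermission'
    }
}

$report | Sort-Object Source, Trustee | Format-Table -AutoSize
```

Rows with RemoteBits set to True and an AceType of AccessAllowed are the trustees that can reach DCOM from the network; review any that are broader than the OPC DA Server users group.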
To configure the connectivity environment settings
The way you configure a server's connectivity settings depends on whether it is on a domain or part of a workgroup. The following points describe how you should set up different client/server combinations.
- If the server is on a domain and the client is on a domain:
  On the server computer, add the domain login identity that the client uses to the OPC DCOM users group you have created.
- If the server is on a domain and the client is part of a workgroup:
  Create a matching Windows login identity on the server with the same password as the Windows login identity on the client machine. Add this Windows login identity to the OPC DCOM users group you have created.
- If the server is part of a workgroup and the client is on a domain:
  Create a matching Windows login identity on the server with the same password as the domain login identity on the client machine. Add this Windows logon identity to the OPC DCOM users group you have created.
- If the server is part of the same workgroup as the client:
  Create a matching Windows login identity on the server with the same password as the Windows login identity on the client machine. Add this Windows login identity to the OPC DCOM users group you have created.
Note: The registry entry for the OPC Client application needs to be configured to accept callbacks. An indication that this has not been done as required is that all synchronous OPC DA APIs work as expected, but data updates and other asynchronous operations never complete.
Published June 2018