DCOM Configuration Tutorial
OPC Client Computer Recommended Settings
This section is intended to provide general guidance on proper DCOM Config utility settings for the computer on which your OPC Client application is running. Please note that depending on whose OPC client you are running and how you intend to run your system (user logged in or not, OPC server as a service or not, etc.), these settings may vary. Software Toolbox is able to provide extensive assistance with settings for OPC servers that are purchased from us (list of servers) and limited assistance with OPC servers that are not bought from us, provided that you are using one of our client applications such as the OPC Data ActiveX control.
This part of the tutorial is primarily oriented around the use of our OPC Data ActiveX control as an OPC client, though the concepts and principles used here can apply to other OPC clients. We expect that you have already done the OPC server computer settings before doing this part.
If you are not already familiar with the DCOM Config utility and how to launch it, please review the DCOM Config Utility Introduction. If you are familiar, and you intend to set up your machine with these instructions, please launch the DCOM Config utility on the computer where your target OPC Client Application (this includes our OPC Data ActiveX demo software if you are using it) is running.
Client Side DCOM Configuration Properties: Default Properties Tab
1. First, the Enable Distributed COM on this computer MUST be checked.
2. The Default Authentication Level should be set to Connect.
3. The Default Impersonation Level should be set to Identify.
Note: There are other settings that can work, but there are also combinations that should have been left out of this Microsoft utility. For example, if you set Authentication to Connect and Impersonation to Anonymous, you will not be able to access local OPC servers, much less remote ones! The only other combination of these two settings we usually see as acceptable is Authentication="None" and Impersonation="Anonymous" or "Identify", which basically means "let anyone have access - don't authenticate any DCOM connections".
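The three settings on this tab can be audited from a script. The following is an added example, not part of the original tutorial: it assumes a Windows system with PowerShell and reads the standard registry values behind the tab (EnableDCOM, LegacyAuthenticationLevel and LegacyImpersonationLevel under HKLM\SOFTWARE\Microsoft\Ole). The function name Test-DcomDefaults is hypothetical.

```powershell
# Added example. Value names are the standard ones under HKLM\SOFTWARE\Microsoft\Ole.
$AuthNames = @{ 0 = 'Default'; 1 = 'None'; 2 = 'Connect'; 3 = 'Call'; 4 = 'Packet'
                5 = 'Packet Integrity'; 6 = 'Packet Privacy' }
$ImpNames  = @{ 1 = 'Anonymous'; 2 = 'Identify'; 3 = 'Impersonate'; 4 = 'Delegate' }

function Test-DcomDefaults {
    # Hypothetical helper: maps the raw values to their names and reports findings.
    param([string]$EnableDcom, [int]$AuthLevel, [int]$ImpLevel)

    $auth = $AuthNames[$AuthLevel]
    $imp  = $ImpNames[$ImpLevel]
    $findings = @()
    if ($EnableDcom -ne 'Y') {
        $findings += 'EnableDCOM is not "Y": Distributed COM is switched off on this computer.'
    }
    if ($auth -eq 'Connect' -and $imp -eq 'Anonymous') {
        $findings += 'Connect + Anonymous: the tutorial reports this blocks even local OPC servers.'
    }
    if ($auth -eq 'None') {
        $findings += 'Authentication is None: no DCOM connection is authenticated by default.'
    }
    if ($auth -ne 'Connect' -or $imp -ne 'Identify') {
        $findings += 'Differs from the tutorial recommendation (Connect / Identify).'
    }
    [pscustomobject]@{
        EnableDCOM     = $EnableDcom
        Authentication = $auth
        Impersonation  = $imp
        Findings       = $findings
    }
}

# Live read of this machine. Assumption: when a Legacy* value is absent,
# the system default applies (Connect = 2, Identify = 2).
$ole = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole'
$authLevel = if ($null -ne $ole.LegacyAuthenticationLevel) { $ole.LegacyAuthenticationLevel } else { 2 }
$impLevel  = if ($null -ne $ole.LegacyImpersonationLevel)  { $ole.LegacyImpersonationLevel }  else { 2 }
Test-DcomDefaults -EnableDcom $ole.EnableDCOM -AuthLevel $authLevel -ImpLevel $impLevel | Format-List

# Constructed input: the Connect + Anonymous combination the note above warns about.
(Test-DcomDefaults -EnableDcom 'Y' -AuthLevel 2 -ImpLevel 1).Findings
```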
Client Side DCOM Configuration Properties: Default Security Tab
It is on this tab that you tell the operating system who you will allow to access the OPC client application from remote OPC servers (Default Access Permissions). Unlike in the OPC server side configuration, the only setting we are concerned with on the client side is the Default Access Permissions on this tab.
It is important that you understand the concept of NT/2000 users and groups (read tutorial if you do not) to make this part go smoothly. Before you start configuring, you will need to know the following:
- The user name and/or groups that the OPC servers will be running under on the machine(s) where the OPC servers you wish to connect to are located.
- Whether this machine is a member of a domain and, if so, the name of the domain and the associated domain users/groups you will grant access to.
- Whether you will be running the OPC server as an unattended NT/2000 service. If running as a service, what user name (system account or named user) you will be running the service as.
- Note: the OPC clients on remote machines do NOT need to be Administrators on either machine unless you want that. They can be regular user accounts, so long as you grant them access in DCOM Config on the OPC server machine to Access and Launch the OPC server, either explicitly through their user name or through a group containing them (e.g. Domain Users).
Client Side DCOM Configuration Properties: Default Security Tab - Default Access Permissions Dialog
It is on this dialog that you will set who (i.e. users that remote OPC servers are running under) will have access to make callbacks to this machine when subscription/exception based reads are being done.
Important: Wrong settings here are the most common reason why we see users able to do one-time reads of remote OPC servers but NOT get data back when they are subscribed to the OPC server and expecting the OPC server to send back data only when it changes. The key is that the User Name, or a Group containing the User Name, that the remote OPC server is running under be granted access here. Failure to grant access to the proper user or group will prevent the OPC client from receiving the callbacks on subscription/exception reads from the remote OPC server.
To access this dialog, click on the Edit Default button under the subheading Default Access Permissions on the DCOM Config Default Security tab.
In the dialog on the right, when you click "Add" you will be presented with a dialog that lets you browse the local machine and domain (if applicable and logged into a domain) for users and groups to grant permission to.
It is up to you to know what users and groups you wish to grant permissions to. If you want to be very broad in your access you could add the Domain Group named "Everyone". A bit more specific but still fairly "open" is to add the group "Domain Users".
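To see who is currently on the Default Access Permissions list, and whether a broad group such as Everyone or Domain Users is among them, the stored ACL can be decoded. The following is an added example, not part of the original tutorial: it assumes a Windows system with PowerShell 5 or later, reads the standard DefaultAccessPermission value under HKLM\SOFTWARE\Microsoft\Ole, and uses the COM access-right bit values from the Windows SDK. The function name Get-DcomAccessAcl is hypothetical.

```powershell
# Added example. COM access-right bits (Windows SDK values); the local/remote split
# applies to Windows versions that distinguish local and remote access.
$ComRights = [ordered]@{ Execute = 1; LocalAccess = 2; RemoteAccess = 4 }

function Get-DcomAccessAcl {
    # Hypothetical helper: lists each ACE of a COM access security descriptor.
    param([System.Security.AccessControl.RawSecurityDescriptor]$Sd)

    foreach ($ace in $Sd.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid.Value }   # SID that cannot be resolved to an account name
        $rights = ($ComRights.Keys | Where-Object { $ace.AccessMask -band $ComRights[$_] }) -join ','
        # Broad trustees: Everyone, Anonymous Logon, Authenticated Users, Domain Users (RID 513)
        $broad = ($sid.Value -in 'S-1-1-0', 'S-1-5-7', 'S-1-5-11') -or
                 ($sid.Value -match '^S-1-5-21-.*-513$')
        [pscustomobject]@{
            Trustee = $name
            Type    = $ace.AceType
            Rights  = $rights
            Broad   = $broad
        }
    }
}

# Live read of this machine's Default Access Permissions.
$raw = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole').DefaultAccessPermission
if ($null -eq $raw) {
    'DefaultAccessPermission is not set; the built-in system default ACL applies.'
} else {
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new([byte[]]$raw, 0)
    Get-DcomAccessAcl $sd | Format-Table -AutoSize
}

# Constructed sample descriptor: Everyone (WD) and SYSTEM (SY) granted all three rights.
$sample = [System.Security.AccessControl.RawSecurityDescriptor]::new('O:BAG:BAD:(A;;CCDCLC;;;WD)(A;;CCDCLC;;;SY)')
Get-DcomAccessAcl $sample | Format-Table -AutoSize
```

For subscription callbacks to arrive, the account the remote OPC server runs under, or a group containing it, should appear in the live output with an allow entry.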
Client Side DCOM Configuration Properties: Default Security Tab - Default Launch Permissions Dialog
No changes normally required here.
Client Side DCOM Configuration Properties: Default Security Tab - Default Configuration Permissions Dialog
No changes normally required here.
Client Side DCOM Configuration Properties: Default Protocols Tab
On this tab you set which of the installed network protocols on your computer to use for DCOM. We recommend that you use Connection-oriented TCP/IP. You should have the preferred protocol at the TOP of the list in this tab. If you don't want to use any of the other protocols, remove them from the list. Note that this does NOT remove the protocols from your computer, but rather just says "do not use them for DCOM". The fewer the protocols in the list, the shorter your timeouts will be in DCOM waiting for a call or connect to fail.
Warning: contents of this tutorial are Copyright Software Toolbox, Inc. 2001-2002, and may not be reproduced in electronic or written form without written permission of Software Toolbox Inc. Anyone found copying copyrighted material from this site for use on another site will be prosecuted. You are welcome to link to this site from your site. The information in this article is accurate to the best of our professional judgement at the time of writing but is subject to change.