OPC Server Computer Recommended Settings - Step 1
This section covers the default DCOM settings for the OPC server computer.
If you are not already familiar with the DCOM Config utility and how to launch it, please review the DCOM Config Utility Introduction. If you are familiar with it and intend to set up your machine with these instructions, please launch the DCOM Config utility on the computer where your target OPC server is running.
DCOM Configuration Properties: Default Properties Tab
1. First, Enable Distributed COM on this computer MUST be checked.
2. The Default Authentication Level should be set to Connect.
3. The Default Impersonation Level should be set to Identify.
Note: There are other settings that can work, but this Microsoft utility also allows combinations that should have been left out. For example, if you set Authentication to Connect and Impersonation to Anonymous, you will not be able to access local OPC servers, much less remote ones! The only other combination of these two settings we usually see as acceptable is Authentication = "None" with Impersonation = "Anonymous" or "Identify", which basically means "let anyone have access - don't authenticate any DCOM connections".
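To check what a machine is actually set to, the following added example (not part of the original tutorial) reads the registry values that back this tab and flags the combinations described in the note above. The value names under HKLM\SOFTWARE\Microsoft\Ole come from Windows, not from the tutorial; the script only reads and changes nothing.

```powershell
# Added example: read-only audit of the machine-wide DCOM defaults (Default Properties tab).
# Per-application settings made on the Applications tab are not covered here.
$ole = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole'

# Registry numbers -> names shown in the DCOM Config drop-down lists
$authNames = @{ 1 = 'None'; 2 = 'Connect'; 3 = 'Call'; 4 = 'Packet'
                5 = 'Packet Integrity'; 6 = 'Packet Privacy' }
$impNames  = @{ 1 = 'Anonymous'; 2 = 'Identify'; 3 = 'Impersonate'; 4 = 'Delegate' }

function Get-LevelName($Value, $Names) {
    if ($null -eq $Value) { return 'not set (Windows default applies)' }
    $name = $Names[[int]$Value]
    if ($name) { return $name }
    return "unknown ($Value)"
}

$auth = Get-LevelName $ole.LegacyAuthenticationLevel $authNames
$imp  = Get-LevelName $ole.LegacyImpersonationLevel  $impNames

$findings = @()
if ($ole.EnableDCOM -ne 'Y') {
    $findings += 'Distributed COM is disabled (EnableDCOM is not "Y"): remote OPC clients cannot connect.'
}
if ($auth -eq 'Connect' -and $imp -eq 'Anonymous') {
    $findings += 'Connect + Anonymous: the combination the tutorial says blocks even local OPC servers.'
}
if ($auth -eq 'None') {
    $findings += 'Authentication = None: DCOM connections are not authenticated at all.'
}
if (-not $findings) {
    if ($auth -eq 'Connect' -and $imp -eq 'Identify') {
        $findings += 'OK: matches the tutorial (Connect / Identify).'
    } else {
        $findings += 'Not the Connect / Identify pair from the tutorial; review against your OPC vendor guidance.'
    }
}

[pscustomobject]@{
    EnableDCOM                 = $ole.EnableDCOM
    DefaultAuthenticationLevel = $auth
    DefaultImpersonationLevel  = $imp
    Findings                   = $findings -join ' | '
} | Format-List
```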
DCOM Configuration Properties: Default Security Tab
This tab has the most settings to make. It is on this tab that you tell the operating system who you will allow to access OPC servers on this machine (Default Access Permissions), who you will allow to launch OPC servers on this machine (Default Launch Permissions), and who you will allow to configure OPC servers on this machine (Default Configuration Permissions). It is important that you understand the concept of NT/2000 users and groups (read the tutorial if you do not) to make this part go smoothly. Before you start configuring, you will need to know the following:
- What user names and/or groups the OPC clients will be running under on the remote client machines.
- What user names and/or groups any local OPC clients (on the same machine as the OPC server) will be running under.
- Whether this machine is a member of a domain and, if so, the name of the domain and the associated domain users/groups you will grant access to.
- Whether you will be running the OPC server as an unattended NT/2000 service. If running as a service, which account (the system account or a named user) you will be running the service as.
- Note - the OPC clients on remote machines do NOT need to be Administrators on either machine unless you want that - they can be regular user accounts, so long as you grant them access in DCOM Config either explicitly through their user name or through a group containing them (e.g. Domain Users).
DCOM Configuration Properties: Default Security Tab - Default Access Permissions Dialog
It is on this dialog that you set who will have access to OPC servers on this machine, unless you override the settings for a specific OPC server on the Applications tab in DCOM Config. To access this dialog, click Edit Default under the subheading Default Access Permissions on the DCOM Config Default Security tab.
In the dialog on the right, when you click "Add" you will be presented with a dialog that lets you browse the local machine and the domain (if applicable and you are logged into a domain) for users and groups to grant permission to.
It is up to you to know which users and groups you wish to grant permissions to. If you want to be very broad in your access you could add the Domain Group named "Everyone". A bit more specific but still fairly "open" is to add the group "Domain Users".
DCOM Configuration Properties: Default Security Tab - Default Launch Permissions Dialog
It is here that you define who can actually start your OPC server on this computer. To access this dialog, click Edit Default under the subheading Default Launch Permissions on the DCOM Config Default Security tab. Users/groups are added the same way as for Access Permissions.
If you plan to have a local client running on this computer and thus launching the OPC server, or to have the OPC server running as a service, you will need to make sure that the username, or a group containing the user, that you intend to have launch the OPC server is included here.
Also, if you plan NOT to have the OPC server running until a remote client requests a connection (at which time, under COM rules, the OPC client will detect this and tell the server to activate), you MUST have the username, OR a group containing the username, that your remote OPC client is running under included here. If you do NOT have this set right, and a remote client attempts to connect while the OPC server is not running, it will not launch because that remote user does not have "Launch Permissions".
Again, the rule of "know thy own users and groups" applies. As a general statement, you can include Administrators (local or domain) if you want to be very broad. At a minimum you should include the group INTERACTIVE so that locally logged-in users can launch the server, and if you are running the OPC server as a service you may need the SYSTEM account included as well.
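To review what the Default Access and Default Launch permissions currently grant, the following added example (not part of the original tutorial) decodes the two security descriptors that Windows stores for these dialogs and lists each trustee. The registry value names, the COM rights bit values and the well-known SIDs come from Windows rather than from the tutorial; the script is read-only.

```powershell
# Added example (read-only): who do the machine-wide DCOM default ACLs grant rights to?
$comRights = @{ 1 = 'Execute'; 2 = 'ExecuteLocal'; 4 = 'ExecuteRemote'
                8 = 'ActivateLocal'; 16 = 'ActivateRemote' }
$broadSids = @{ 'S-1-1-0' = 'Everyone'; 'S-1-5-7' = 'ANONYMOUS LOGON' }

function Get-DcomDefaultAcl {
    param([string]$ValueName)
    $bytes = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole').$ValueName
    if (-not $bytes) {
        Write-Warning "$ValueName is not set; the built-in Windows default applies."
        return
    }
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $bytes, 0
    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid.Value }   # unresolvable account: show the raw SID
        $rights = $comRights.Keys | Sort-Object |
                  Where-Object { $ace.AccessMask -band $_ } |
                  ForEach-Object { $comRights[$_] }
        [pscustomobject]@{
            Setting = $ValueName
            Type    = $ace.AceType
            Trustee = $name
            Sid     = $sid.Value
            Rights  = $rights -join ','
            # Everyone / ANONYMOUS LOGON, or a domain's "Domain Users" group (RID 513)
            Broad   = $broadSids.ContainsKey($sid.Value) -or $sid.Value -match '^S-1-5-21-.*-513$'
        }
    }
}

$acl = @('DefaultAccessPermission', 'DefaultLaunchPermission' |
         ForEach-Object { Get-DcomDefaultAcl $_ })
$acl | Format-Table Setting, Type, Trustee, Rights, Broad -AutoSize

# The tutorial's minimum for launch: INTERACTIVE, plus SYSTEM when the server runs as a service.
$launchSids = ($acl | Where-Object {
    $_.Setting -eq 'DefaultLaunchPermission' -and $_.Type -eq 'AccessAllowed' }).Sid
if ($launchSids) {
    foreach ($need in @{ 'S-1-5-4' = 'INTERACTIVE'; 'S-1-5-18' = 'SYSTEM' }.GetEnumerator()) {
        if ($launchSids -notcontains $need.Key) {
            Write-Warning "$($need.Value) is not listed explicitly in Default Launch Permissions."
        }
    }
}
```

A trustee flagged `Broad` with `ExecuteRemote` or `ActivateRemote` rights is the "very broad" case described above and is the first thing to narrow to the specific OPC client accounts or groups.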
DCOM Configuration Properties: Default Security Tab - Default Configuration Permissions Dialog
To access this dialog, click Edit Default under the subheading Default Configuration Permissions on the DCOM Config Default Security tab.
This dialog sets which users can change the DCOM configuration of the OPC servers on the machine.
Nearly all systems we see have this properly set up by default; therefore, if you are setting up DCOM for the first time, we recommend that you not change these settings. If you have changed them before, we assume you know what you are doing by changing these settings.
DCOM Configuration Properties: Default Protocols Tab
On this tab you set which of the installed network protocols on your computer to use for DCOM. We recommend that you use Connection-oriented TCP/IP. You should have the preferred protocol at the TOP of the list in this tab. If you don't want to use any of the other protocols, remove them from the list. Note this does NOT remove the protocols from your computer, but rather just says "do not use them for DCOM". The fewer protocols in the list, the shorter your timeouts will be in DCOM waiting for a call or connect to fail.
Warning: contents of this tutorial are Copyright Software Toolbox, Inc. 2001-2002, and may not be reproduced in electronic or written form
without written permission of Software Toolbox Inc. Anyone found copying copyrighted material from this site for use on another site will
be prosecuted. You are welcome to link to this site from your site. The information in this article is accurate to the best of our professional judgement at the time of writing but is subject to change.