Important Concepts and Examples Regarding Workgroups and Windows Domains
When configuring an OPC client and server to run on separate PCs, it is very important
that you know whether the computers are running in a workgroup or in a domain. If you don't know how your PC's are setup, you will need to
ask someone with Administrative rights and experience to look and see for you.
After reading this you should have a clear understanding of the
user account requirements
for your usage scenario. Setting up those user accounts is a function of your Windows administration and you or your system administrator will need to setup the user accounts.
If you will be using BOTH the OPC Client PC and the OPC Server PC in the SAME WORKGROUP,
you will need to have the same user account setup on BOTH PCs with the same password.
Ideally you'd run the OPC Server and the OPC Client using the same user account, but
if you cannot do that, then you'll have to make sure both accounts are on each PC.
OPC Client runs as local account "OPCClientUser" on Computer #1
OPC Server runs as local account "OPCServerUser" on Computer #2
The accounts "OPCClientUser" and "OPCServerUser" will have to exist on
computers as local accounts. Account "OPCClientUser" must have the same password on both PCs. Account "OPCServerUser" must have the same password on both PCs. The passwords for the two accounts "OPCServerUser" and "OPCClientUser" do not have to match.
Ideally if you are using computers that are in a Windows Domain, both computers will be in
the same domain. If they are not in the same domain, you must setup a "trust relationship" between the two domains, which is outside the scope
of this documentation.
If you are using domains, it is recommended that you use domain user accounts
instead of local user accounts to run the OPC Server and the OPC Client. Some people don't realize that if they log into their PC as "JoeSmith" that is different from "MyDomain\JoeSmith". When logging into the PC or choosing user accounts in DCOM setup, be VERY CLEAR whether you are picking a domain account or local user account. If you do choose to use local user accounts, you have to be consistent and do that everywhere in all your DCOM settings.
The big difference in domains is that the Domain Controller will determine whether a user
account name + password combination are valid or not. For that reason when using domain user accounts you will not
go set user names and passwords on each PC in the domain. You will setup the accounts ONE TIME on the Domain Controller and then reference those domain accounts in your DCOM setup.
Workgroup to Domain Connections
Connecting workgroups to domains either client to server or server to client can be much
more difficult to accomplish. For that reason we strongly recommend you do not try to do this unless your network and IT security setup constrains you.
The big thing to realize when trying to make workgroups interoperate with domains is that
the workgroup has no way to authenticate a domain user account!
So to make workgroups and domains interoperate, you basically have to "fall
back" to the workgroup to workgroup scenario and setup local user accounts on each PC. A couple of examples will help to illustrate this:
Example: OPC Client in Workgroup, OPC Server in Domain
Where this can get hard is if your OPC Server is setup to run as the interactive user, and
the person logged in on the OPC server computer is using a domain account, and your OPC Client is in a workgroup, then the OPC Server will be running as a
domain account user.
When subscription callbacks for data reads from the OPC server come back to the OPC
client, the OPC Client PC will see the domain user account and say "I don't know you" and you won't get data.
The symptom of this will be that you can connect to the OPC Server, browse it, configure
tags, but fail to get any data back from the OPC Server when it subscribes to tags.
The solution in this case would be to setup the OPC Server to run as a specific named
local user on it's PC, instead of as the "interactive" user that is logged into the desktop which is a domain account. That specific
named local user, if setup on the OPC Server PC in it's workgroup with the same password, would then be able to access the PC where the OPC Client is
Summary of requirements for this example to work:
- OPC Server must run as a local user account and that local user account must exist on the client
and server PCs with the same username and password. This can be the same or a different local user account from the one used by the OPC Client.
- The OPC Client must run as a local user account on the client PC and that same local user account
must exist on the OPC Server PC with the same username and password
- Example: The OPC Client in Domain, OPC Server in Workgroup
The same concept applies if your OPC client is in a domain and the OPC Server is in a
workgroup. The failure mode here though if you run the OPC Client under a domain account, is that the OPC Client won't connect to your OPC server PC,
won't browse for servers, so you won't even be able to configure.
The requirements for this example to work are identical to the prior Workgroup/Domain
Back > DCOM Tutorial Home