Windows XP SP2 Configuration for OPC Section
How to configure Windows XP SP2 for use with OPC (server side)
1 - On the server host, create a user account with the name and password of the user that starts the OPC server, and log on to Windows as this user.
2 - Run intall.bat, included in the file distrib_opc.zip.
3 - DCOM Configuration
3-1. Click Start -> Run.
3-2. Enter DCOMCNFG and press OK. This will open the DCOMCNFG window.
3-3. Browse down the tree to Console Root -> Component Services -> Computers -> My Computer.
3-4. Right click on "My Computer" and select Properties.
3-5. Select the "Default Properties" tab:
    a. Enable Distributed COM on this computer - Option is checked
    b. Default Authentication Level - Set to Connect
    c. Default Impersonation Level - Set to Identify
3-6. Select the "COM Security" tab.
3-7.1 Click on the Access Permissions "Edit Default" button:
    a. Add "Anonymous", "Everyone", "Interactive", "Network", "System" with Local and Remote access permissions set.
3-7.2 Click on the Access Permissions "Edit Limits" button:
    a. Add "Anonymous", "Everyone", "Interactive", "Network", "System" with Local and Remote access permissions set.
3-8.1 Click on the Launch and Activation Permissions "Edit Default" button:
    a. Add "Anonymous", "Everyone", "Interactive", "Network", "System" with Local and Remote access permissions set.
3-8.2 Click on the Launch and Activation Permissions "Edit Limits" button:
    a. Add "Anonymous", "Everyone", "Interactive", "Network", "System" with Local and Remote access permissions set.
3-9. Click on OK.
3-10. Browse down the tree to Console Root -> Component Services -> Computers -> My Computer -> Config DCOM.
3-10.1 - OpcEnum.exe configuration
    Right click on the OpcEnum name and select Properties.
    In the General tab:
        select None for "Authentication Level"
    In the Security tab, set the radio button to Customize and press Edit, for "Launch and Activation Permissions":
        add Anonymous, Everyone, Interactive, Network, System with full rights options set
    In the Security tab, set the radio button to Customize and press Edit, for "Access Permissions":
        add Anonymous, Everyone, Interactive, Network, System with full rights options set
    In the Security tab, set the radio button to Customize and press Edit, for "Configuration Permissions":
        add Anonymous, Everyone, Interactive, Network, System with full rights options set
    In the Identity tab, set the radio button to "This user":
        set the user account that makes the Windows logon
    In the Location tab:
        check "Run application on this computer"
3-10.2 - Your OPCServerDA.exe configuration
    Right click on the Your OPCServerDA name and select Properties.
    In the General tab:
        select None for "Authentication Level"
    In the Security tab, set the radio button to Customize and press Edit, for "Launch and Activation Permissions":
        add Anonymous, Everyone, Interactive, Network, System with full rights options set
    In the Security tab, set the radio button to Customize and press Edit, for "Access Permissions":
        add Anonymous, Everyone, Interactive, Network, System with full rights options set
    In the Security tab, set the radio button to Customize and press Edit, for "Configuration Permissions":
        add Anonymous, Everyone, Interactive, Network, System with full rights options set
    In the Identity tab, set the radio button to "This user":
        set the user account that makes the Windows logon
    In the Location tab:
        check "Run application on this computer"
3-10.3 - YourOPCServerAE.exe configuration
    Right click on the YourOPCServerAE name and select Properties.
    In the General tab:
        select None for "Authentication Level"
    In the Security tab, set the radio button to Customize and press Edit, for "Launch and Activation Permissions":
        add Anonymous, Everyone, Interactive, Network, System with full rights options set
    In the Security tab, set the radio button to Customize and press Edit, for "Access Permissions":
        add Anonymous, Everyone, Interactive, Network, System with full rights options set
    In the Security tab, set the radio button to Customize and press Edit, for "Configuration Permissions":
        add Anonymous, Everyone, Interactive, Network, System with full rights options set
    In the Identity tab, set the radio button to "This user":
        set the user account that makes the Windows logon
    In the Location tab:
        check "Run application on this computer"
3-11. Close the DCOMCNFG window.
    See: Using OPC via DCOM with XP SP2 v1.10.pdf
4 - Turn off Simple File Sharing:
    Simple file sharing is the default for Windows XP SP2 when configured for workgroup operation.
    When simple file sharing is enabled:
    - The Guest account is enabled
    - All network connections, including OPC DCOM connections, are forced to connect as Guest.
    - OPC communications will fail because Guest is a restricted account.
    To disable Simple File Sharing: open Windows Explorer and choose the Tools > Folder Options menu. Click on the View tab and scroll to the bottom until you see "Use simple file sharing (Recommended)." Uncheck this box, then click OK.
    Windows XP computers that are members of a domain are not affected. Additional information about Simple File Sharing is available here:
    http://www.microsoft.com/technet/security/advisory/906574.mspx
    This point fixes DCOM Error 0x80070005.
5 - Adjust Local Security Policy settings:
    New default policies in Windows XP limit access to secured objects to the creator of the object.
    In previous versions of Windows, objects created by members of the administrators group were accessible to other members of that group. The new policy may cause the OPC interface to fail when it cannot access a file or secured object.
    Start -> Control Panel -> Administrative Tools -> Local Security Policy
    Navigate to Security\Local Policies\Security Options
    - "System Objects: Default owner for objects created by members of the Administrators group." The Security Setting should be set to "Administrators Group," not "Object Creator."
    - "Network Access: Sharing and security model for local accounts" The Security Setting should be set to "Classic - local users authenticate as themselves," not "Guest Only - local users authenticate as guest."
    - Network Access: Let everyone permissions apply to anonymous users - Set to Enabled
    - DCOM: Machine Access Restrictions - Add Anonymous, Everyone, Interactive, Network, System with full rights options set.
    See: http://support.microsoft.com/kb/318825
6 - NOTE: This procedure is valid for Windows XP SP3 too.
7 - It is possible to have an error when accessing Network Properties:
    "You do not have sufficient privileges for accessing connection properties"
    This can happen if the Default Impersonation Level setting is set to Anonymous.
7.1 Click Start -> Run, type dcomcnfg, and click OK
7.2 Expand Component Services, expand Computers and click Properties
7.3 Click the Default Properties tab and in the Default Impersonation Level box, click Identify, and click OK
    See also: error-you-do-not-have-sufficient-privileges-for-accessing-connection-properties.html
8 - Last but not least, do not forget to set the Windows Firewall accordingly, so that DCOM can work.
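Added example, not part of the original page: a Python check that reads saved `reg query` output and reports, per step, whether the registry values behind the DCOM defaults of step 3-5 and the policy settings of step 5 match what this page sets (an impersonation level of Anonymous, the cause named in step 7, shows up as a mismatch). Assumptions: the value names under HKLM\SOFTWARE\Microsoft\Ole and HKLM\SYSTEM\CurrentControlSet\Control\Lsa are the standard registry locations for these settings, the sample output is constructed, and the function names are hypothetical.

```python
import re
# Constructed `reg query` output (not captured from a real host).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
    EnableDCOM    REG_SZ    Y
    LegacyAuthenticationLevel    REG_DWORD    0x2
    LegacyImpersonationLevel    REG_DWORD    0x2
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    forceguest    REG_DWORD    0x0
    everyoneincludesanonymous    REG_DWORD    0x1
    nodefaultadminowner    REG_DWORD    0x0
"""
OLE = r"hkey_local_machine\software\microsoft\ole"
LSA = r"hkey_local_machine\system\currentcontrolset\control\lsa"

def dword(names):
    """Decoder: REG_DWORD text such as 0x2 -> the label shown in the dialog."""
    return lambda raw: names.get(int(raw, 16), raw)

AUTHN = dword({1: "None", 2: "Connect", 3: "Call", 4: "Packet",
               5: "Packet Integrity", 6: "Packet Privacy"})
IMP = dword({1: "Anonymous", 2: "Identify", 3: "Impersonate", 4: "Delegate"})
# (page step, key, value name, decoder, setting the page asks for)
CHECKS = [
    ("3-5 a", OLE, "enabledcom", str.upper, "Y"),
    ("3-5 b", OLE, "legacyauthenticationlevel", AUTHN, "Connect"),
    ("3-5 c", OLE, "legacyimpersonationlevel", IMP, "Identify"),
    ("5", LSA, "forceguest", dword({0: "Classic", 1: "Guest only"}), "Classic"),
    ("5", LSA, "everyoneincludesanonymous", dword({0: "Disabled", 1: "Enabled"}), "Enabled"),
    ("5", LSA, "nodefaultadminowner",
     dword({0: "Administrators group", 1: "Object creator"}), "Administrators group"),
]

def parse_reg_query(text):
    """Return {(key, value_name): data} with lower-cased key and value names."""
    values, key = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip().lower()
        elif key and (m := re.match(r"\s+(\S+)\s+REG_\w+\s+(.*)$", line)):
            values[key, m.group(1).lower()] = m.group(2).strip()
    return values

def audit(text):
    """Return (step, value name, decoded setting, matches page) for each check."""
    found = parse_reg_query(text)
    report = []
    for step, key, name, decode, wanted in CHECKS:
        actual = decode(found[key, name]) if (key, name) in found else "not set"
        report.append((step, name, actual, actual == wanted))
    return report
```

Pass `audit()` the saved text of `reg query` for the two keys; a value that is absent from the output is reported as "not set" rather than guessed.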