Professional OPC
Development Tools

logos

Online Forums

Technical support is provided through Support Forums below. Anybody can view them; you need to Register/Login to our site (see links in upper right corner) in order to Post questions. You do not have to be a licensed user of our product.

Please read Rules for forum posts before reporting your issue or asking a question. OPC Labs team is actively monitoring the forums, and replies as soon as possible. Various technical information can also be found in our Knowledge Base. For your convenience, we have also assembled a Frequently Asked Questions page.

Do not use the Contact page for technical issues.

DCOM raise activation authentication level

More
26 May 2022 16:00 #10911 by support
The following user(s) said Thank You: FAnsariCMC

Please Log in or Create an account to join the conversation.

More
26 May 2022 11:48 #10906 by FAnsariCMC
Thank you for the prompt response! I apologize for the double posting. I Thought the first message didn't post for some reason.

You were right, it does exist and I did not see it because I was trying to find it in the instance. I checked out the second link and it recommends using the ComManagement class instead. So this is what my instantiation code looks like now:

public QuickOPC_DaServerMgtWrapper()
{
ComManagement.Instance.Configuration.SecurityParameters.EnsureDataIntegrity = true;
ComManagement.Instance.AssureSecurityInitialization();
_daServerMgt = new EasyDAClient();
}

Please let me know if this is legal.

Please Log in or Create an account to join the conversation.

More
26 May 2022 11:06 #10905 by support
Please also read:
- kb.opclabs.com/COM_management
- kb.opclabs.com/What%27s_new_in_QuickOPC_2022.1#OPC_Classic

The property SharedParameters *does* exist on EasyDAClient. My guess is that you are looking at instance properties, but this is a static property.

Best regards

Please Log in or Create an account to join the conversation.

More
26 May 2022 10:53 #10904 by FAnsariCMC
Have there been any changes regarding this?

Looks like Microsoft has confirmed that the hadening changes will be enabled by default in June: support.microsoft.com/en-us/topic/kb5004442-manage-changes-f...52-c141-43d2-941e-37ed901c769c

I checked out the link you provided (kb.opclabs.com/COM_settings_in_OPC_Classic_client_components) and it looks like the newer version does have security properties we can change:

Parameters from ComManagement.Instance.Configuration.InstantiationParameters, possibly overridden by values from EasyXXClient.SharedParameters.ClientParameters.ComInstantiationParameters, are used for instantiations of target OPC servers.

However, I cannot seem to find SharedParameters under the EasyDAClient class. I am running v5.63.194 Nuget package.

Please Log in or Create an account to join the conversation.

More
26 May 2022 10:28 #10903 by FAnsariCMC
Hello,

Has this seen any changes? The link you provided does say that the latest version does have mention:

Parameters from ComManagement.Instance.Configuration.InstantiationParameters, possibly overridden by values from EasyXXClient.SharedParameters.ClientParameters.ComInstantiationParameters, are used for instantiations of target OPC servers.

However, I cannot find SharedParameters under the EasyDAClient class.

Thank you.

Please Log in or Create an account to join the conversation.

More
20 Oct 2021 16:34 #10271 by support
Thank you for the interesting link. You might be right - although I am not sure, it would need quite a deep investigation.

Currently, there is no way to tell EasyDAClient to specify RPC_C_AUTHN_LEVEL_PKT_INTEGRITY. The current behavior is summarized here: kb.opclabs.com/COM_settings_in_OPC_Classic_client_components .

We can think of adding some configurable setting to a future version; but with the currently released version (2021.2), it cannot be done.

Best regards
The following user(s) said Thank You: ToSi

Please Log in or Create an account to join the conversation.

More
19 Oct 2021 09:59 #10268 by ToSi
Hello,

Sadly the key was not present, so this is not causing the problem. I have the feeling the need for RPC_C_AUTHN_LEVEL_PKT_INTEGRITY is now standardized in windows. See the following article: winprotocoldoc.blob.core.windows.net/productionwindowsarchiv...5BMS-DCOM%5D-210407-errata.pdf
I quote the important part of the article here:

The default activation authentication level is raised to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY
level on client-side and the required activation authentication level needs to be at least at
RPC_C_AUTHN_LEVEL_PKT_INTEGRITY level for authenticated activation on the server

To come back to QuickOPC and not get lost in DCOM configuration and internal windows stuff, is there a way to configure my EasyDAClient to connect with the discussed authentication level? Or do I just need to set the authentication level to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in the DCOM settings?

I have tested with Matrikon OPC Explorer, Connectivity Explorer and my own Client (based on QuickOPC). I don't know about any modern clients who could solve this issue.

Best Regards
ToSi

Please Log in or Create an account to join the conversation.

More
18 Oct 2021 05:19 #10267 by support
Hello.

Look, I do not know what is causing your issue. I am just investigating the possibilities. The reason I started with this specific suspicion is because the RPC_C_AUTHN_LEVEL_PKT_INTEGRITY requirement as a result of Microsoft update has recently been discussed on OPC forums, and the message from OPCExplorer specifically mentions RPC_C_AUTHN_LEVEL_PKT_INTEGRITY, so there could be some relation. But it can also be something else.

DCOM configuration & security is quite complex - and can differ based on system versions and configurations - that we normally do not support our customers setting it up.

Is there any other remote client that *can* connect to this server?

Best regards

Please Log in or Create an account to join the conversation.

More
16 Oct 2021 15:51 #10266 by ToSi
Hello,

Well, I misunderstood the article then. If the key is present and its value is set to 1, are there any additional steps we can do on the server-side? I don't have direct access to the machine and therefore have to tell the admin about any needed changes.
Thanks for the support until now.

Best Regards,
ToSi

Please Log in or Create an account to join the conversation.

More
16 Oct 2021 15:41 #10265 by support
Thank you.

I am not sure where the key applies, but I think it is more on the server side.

And, I did not suggest to add the key. I was just asking a question.

But in the end, what I intended to assure was the *opposite* to your change. I wanted to make sure that the key is *not* present, or is equal to 0: When the key is present and equal to "1", it means that (on newer systems, with particular Microsoft update) more stringent security is required - and it can bring problems to a large installed based of OPC Classic systems.

Can you please revert the change, and inspect what is the status of the key on the server side?

Best regards

Please Log in or Create an account to join the conversation.

Moderators: support
Time to create page: 0.063 seconds