Most difficulties accessing OPC servers are related to security configuration settings. This is a complex issue, and we can only give a general overview and list some points to look for. Default security permissions used to allow most access, but newer operating system versions set increasingly restrictive defaults.
The OpcSecurityAnalyser tool can help find the right security settings and locate the causes of access denial. The tool is mainly intended to show the novice system configurator what to look for.
Local Server Access
OPCHDA.NET uses two different mechanisms to connect to an OPC server:
- .NET Framework InterOp Services are used when only the server ProgId without a computer name is defined.
No access specifications are possible. The defaults must be set to allow access.
- Win32 functions are used when a computer name or user/password is defined.
The access is made with the defined user/password/domain.
OpcEnum is used to get the required CLSID for the defined server ProgID. OpcEnum is accessed with the user-defined access definition and must be accessible for the connection to succeed.
To avoid the need for OpcEnum, the application can specify the server CLSID instead of the ProgID. The format is {xxx..}.
Remote OPC Server
OPCHDA.NET connects to the OPC server on the specified computer using Win32 functions and IMPERSONATE mode with the defined user/password/domain.
OpcEnum on the target computer is used to get the required CLSID for the defined server ProgID. OpcEnum is accessed with the user-defined access definition and must be accessible for the connection to succeed.
Access to a remote OPC server involves:
- Access rights to the computer
The client and server computers need to be in the same domain or, in a workgroup configuration, have the same user/password on both computers.
- Right to launch/access the OPC server
The client must specify a user/password that is defined as a launch/access user in the DCOM configuration of the OPC server.
The OpcEnum browser is used to get the required CLSID of the OPC server and needs to be configured to be accessible with the same user/password.
The "Local Security Policy - Security Options - Network Access: Sharing and security model for local accounts" setting needs to be set to "classic". Otherwise the Guest user is always used and the defined user/password is ignored.
OPC server exe file names longer than 8+3 characters may cause the DCOM access right settings to be ignored and the machine defaults to be used instead. This happens because the long file name is stored in the registry AppId definition, while the short file name is used elsewhere. Microsoft documents the problem and how to solve it. The easiest solution, however, is to shorten the file name and register the OPC server under the shortened name.
OPC Server Identity
A specific user should be defined so that the OPC server runs as this user. Otherwise a separate instance of the OPC server is started for each accessing user.
The specified user needs to have the "Logon as batch job" right. This right is assigned by adding the user to the user list in: "Local Security Policy - User Rights Assignment - Logon as batch job".
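
A read-only check of the settings listed above, as an added example that is not part of OPCHDA.NET or the OpcSecurityAnalyser tool. The registry locations it reads (forceguest under the Lsa key, AppID\<exe name>, and RunAs under AppID\{GUID}) are the standard Windows/DCOM locations rather than values taken from this page, and the function names are hypothetical.

```powershell
# Added example: read-only audit of the DCOM-related settings this page names.
# Run in an elevated PowerShell session on the OPC server machine.

function Test-LongExeName([string]$Name) {
    # True when the file name does not fit the 8+3 short-name pattern.
    $base = [IO.Path]::GetFileNameWithoutExtension($Name)
    $ext  = [IO.Path]::GetExtension($Name).TrimStart('.')
    ($base.Length -gt 8) -or ($ext.Length -gt 3)
}

function Get-OpcDcomAudit([string]$ExeFilter = '*.exe') {
    # "Sharing and security model for local accounts": forceguest 0 = Classic, 1 = Guest only.
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    $model = if ($lsa.forceguest -eq 1) { 'Guest only: defined user/password is ignored' } else { 'Classic' }
    [pscustomobject]@{ Server = '(machine policy)'; AppId = $null
                       Setting = 'forceguest'; Value = $lsa.forceguest; Finding = $model }

    # 64-bit and 32-bit registry views; a 32-bit OPC server registers in the second one.
    foreach ($root in 'HKLM:\SOFTWARE\Classes\AppID', 'HKLM:\SOFTWARE\Classes\Wow6432Node\AppID') {
        if (-not (Test-Path $root)) { continue }
        # AppID\<exe name> maps an executable to its AppID GUID.
        foreach ($key in Get-ChildItem $root | Where-Object { $_.PSChildName -like $ExeFilter }) {
            $exe  = $key.PSChildName
            $guid = $key.GetValue('AppID')
            if (Test-LongExeName $exe) {
                [pscustomobject]@{ Server = $exe; AppId = $guid; Setting = 'file name'; Value = $exe
                                   Finding = 'Longer than 8+3: DCOM settings may be ignored' }
            }
            # RunAs under AppID\{GUID} holds the configured identity.
            # Servers installed as Windows services use LocalService instead (not checked here).
            $runAs = $null
            if ($guid -and (Test-Path -LiteralPath "$root\$guid")) {
                $runAs = (Get-Item -LiteralPath "$root\$guid").GetValue('RunAs')
            }
            $identity = if (-not $runAs) { 'No RunAs: one server instance per accessing user' }
                        elseif ($runAs -eq 'Interactive User') { 'Runs as the logged-on console user' }
                        else { 'Specific user: needs the "Logon as batch job" right' }
            [pscustomobject]@{ Server = $exe; AppId = $guid; Setting = 'RunAs'
                               Value = $runAs; Finding = $identity }
        }
    }
}

Get-OpcDcomAudit | Format-Table -AutoSize
```

Pass a narrower filter, for example the OPC server's own exe name, to limit the output to that server's registration.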