Monday, September 3, 2012

DCOM and OPC


Background

OPC Clients (such as Exele's TopView OPC and OPCcalc) and OPC Servers communicate using DCOM. When the two pieces (the client and server) are on the same computer, the DCOM permissions are different than if the two pieces are on separate computers. A typical scenario is that the OPC client product works fine if it is installed on the OPC Server computer, but if the client is installed on a separate computer, the client no longer works properly (cannot browse, cannot connect).
Server computer: the computer running the OPC Server
Client computer: the computer running the OPC Client (Exele's TopView or OPCcalc software)

Users and Groups
The first thing you need to know is the "user" that is running the OPC client application. If you are running the OPC client as the logged on user, the user is the logged on user account. If you are running the client as a Windows service, the user is the LogOn account configured for the Service (the Equation Server for OPCcalc).
The user account for the OPC client will be called "ClientUser".

Authenticated users: Next, you need to know if ClientUser is a valid user on the server computer. One question you can ask is "can I log onto the server computer with the same user (ClientUser) account and password?". If so, the ClientUser can be considered an authenticated user (which is desirable) on the server computer. If not, the ClientUser is not an authenticated user on the server computer. See User Groups below for important information regarding non-authenticated users.
Different domains: if the Client computer and Server computer are located on different domains, you can follow the instructions below for "non-authenticated users" or, preferably, create "authenticated users" across the domains:
·   Create a local user account on the OPC Server computer with the same username/password that the OPC Client application is running under on the OPC Client computer
·   Create a local user account on the OPC Client computer with the same username/password that the OPC Server is running under on the OPC Server computer
·   Follow the instructions below for "authenticated users"
User Groups: Each computer (client or server computer) contains User Groups. The ClientUser will be a member of one or more User Groups on each computer, although not necessarily the same groups on both computers. The ClientUser will typically be a member of one of the following groups, depending on the computer (client or server).
The Group or Groups in which ClientUser is a member will be called "ClientUserGroup".
·   The "Everyone" Group: the Everyone group contains the list of all authenticated users. On the client computer, ClientUser will typically be a member of Everyone. On the server computer, ClientUser will be a member of Everyone if ClientUser is an authenticated user on the server computer (see above). If ClientUser is not authenticated on the server computer, ClientUser is not typically a member of the "Everyone" group.
If the ClientUser is authenticated, you can substitute "Everyone" with a more restrictive group that ClientUser is a member of.
 
·   The "ANONYMOUS LOGON" Group: the "ANONYMOUS LOGON" group contains unauthenticated users. ClientUser is usually not a member of this group on the client computer. ClientUser is a member of ANONYMOUS LOGON if they are not authenticated on the server computer.
Note!!! If ClientUser is not an authenticated user on the server computer, you must enable the Guest user account on the server computer!
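
The checks described above can be scripted. The following is an added example, not part of the original post or of Exele's software: it looks up the LogOn account of a service on the client computer, then reports on the server computer whether a local account with the same name exists, which local groups list it, and whether the Guest account is enabled. It assumes Windows PowerShell 5.1 or later with the Microsoft.PowerShell.LocalAccounts module; the function names and the sample service name are hypothetical.

```powershell
# Added example. Assumes Windows PowerShell 5.1+ (Microsoft.PowerShell.LocalAccounts module).
# Function names and the sample values at the bottom are hypothetical.

# Run on the CLIENT computer: returns the LogOn account of a Windows service,
# which is the ClientUser when the OPC client runs as a service.
function Get-ServiceLogOnAccount {
    param([Parameter(Mandatory)][string]$ServiceName)
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc) { throw "Service '$ServiceName' not found." }
    $svc.StartName
}

# Run on the SERVER computer (elevated): reports what the server knows about ClientUser.
function Get-ClientUserStatusOnServer {
    param([Parameter(Mandatory)][string]$UserName)

    # A local account with the same user name (the password match cannot be checked here).
    $local = Get-LocalUser -Name $UserName -ErrorAction SilentlyContinue

    # Local groups that list the account explicitly. "Everyone" and "ANONYMOUS LOGON"
    # are built-in identities assigned at logon, so they never appear in this list.
    $groups = foreach ($g in Get-LocalGroup) {
        $members = Get-LocalGroupMember -Group $g -ErrorAction SilentlyContinue
        if ($members.Name -contains "$env:COMPUTERNAME\$UserName") { $g.Name }
    }

    # The built-in Guest account always has RID 501, even if it was renamed.
    $guest = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-501' }

    [pscustomobject]@{
        UserName             = $UserName
        MatchingLocalAccount = [bool]$local
        LocalAccountEnabled  = if ($local) { $local.Enabled } else { $null }
        LocalGroups          = @($groups)
        GuestAccountEnabled  = [bool]$guest.Enabled
    }
}

# Example calls (placeholder names):
# Get-ServiceLogOnAccount -ServiceName 'MyOpcClientService'
# Get-ClientUserStatusOnServer -UserName 'ClientUser'
```

The server-side function only covers local accounts; a ClientUser that is a domain account trusted by the server is authenticated without a matching local account.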
