Product(s): APM Implementation and Performance Management
Version(s): 7
Environment: N/A
Area: N/A
Subarea: N/A
An APM user reported that the ODC DA service had stopped returning data. They were migrating their OPC-compliant data source to a new location and found that the APM ODC service could no longer establish a connection to it. The user kept the same DNS name and the existing installed APM ODC service. Upon investigation, we found that the likely cause is that Windows has recently made DCOM authentication hardening mandatory (KB5004442, the fix for the DCOM server security feature bypass CVE-2021-26414: https://support.microsoft.com/en-us/topic/kb5004442-manage-changes-for-windows-dcom-server-security-feature-bypass-cve-2021-26414-f1400b52-c141-43d2-941e-37ed901c769c).
The following instructions enable APM ODC connections to OPC-compliant data sources in an environment where the DCOM activation authentication level has been raised to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY per Microsoft’s DCOM server security requirements update:
These settings must match between the data-source server(s) and all APM service servers that communicate with them, such as the APM ODC service(s) and the APM Smart-Client (application) services. This is required for all APM users of the OPC DA and OPC HDA plugins.
1. DCOM default properties and COM security (dcomcnfg.exe)
From Windows, run dcomcnfg.exe
Expand Component Services > Computers, right-click My Computer and select Properties
Examine the ‘Default Properties’ page:
Make sure “Enable Distributed COM on this computer” is checked
Default Authentication Level is set to “Connect”
Default Impersonation Level is set to “Identify”
Examine the ‘COM Security’ page
Under ‘Access Permissions’ and under ‘Launch and Activation Permissions’, click Edit Limits
Ensure that the appropriate users or groups are granted Remote Access, Remote Launch and Remote Activation. Grant these to the specific service accounts and user groups involved rather than to Everyone or ANONYMOUS LOGON.
Note - the account that runs the IvaraServer services, as well as the interactive users who browse OPC tags, need these permissions. For this you need to know how the APM ODC service and the APM Smart-Client services are installed: Local Service, Local System, Network (a domain or network user name) or Network Service, and use the appropriate credentials if a Network user is configured. A service running as Local System or Network Service authenticates to a remote OPC server as the machine’s computer account (DOMAIN\COMPUTERNAME$), so on the OPC server the permissions must be granted to that computer account.
2. Registry settings to control DCOM hardening and launch authentication
On both the OPC server and the APM server (and on Thick Client machines used for OPC browsing), ensure the following values are set. Microsoft’s phased rollout of this hardening ended with the March 14, 2023 update, after which packet-integrity authentication for activation requests is enforced and can no longer be disabled through these keys; setting the values explicitly keeps every machine in the same hardened state:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat]
"RequireIntegrityActivationAuthenticationLevel"=dword:00000001
"RaiseActivationAuthenticationLevel"=dword:00000002
(see the screenshot below for reference)
All servers must be rebooted after these changes.
If there are any issues connecting to OPC from APM, check the Event Viewer (Windows Logs - System, source DistributedCOM) on both the OPC server and the APM server. The hardening update logs Event ID 10036 on the server side when it refuses an activation request whose authentication level is too low, and Event IDs 10037 (explicit authentication level too low) and 10038 (default authentication level too low) on the client side; the event text names the user, SID and remote address involved.
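The following PowerShell script is an added example, not part of the original article or of the APM product, that audits (and with -Apply, sets) the settings from sections 1 and 2 above on a single machine and then lists the DCOM hardening events mentioned in the troubleshooting step. It assumes the registry encodings of the dcomcnfg ‘Default Properties’ page (HKLM\SOFTWARE\Microsoft\Ole: EnableDCOM = "Y", LegacyAuthenticationLevel 2 = Connect, LegacyImpersonationLevel 2 = Identify, an absent value meaning the default); the article itself only describes these settings through the dcomcnfg user interface. Run it from an elevated PowerShell prompt on the OPC server and on every APM server and Smart-Client machine, and reboot where it reports a change.

```powershell
# Added example (not from the original KB article): audit, and optionally apply,
# the DCOM settings the article requires on this machine. Run elevated.
# Assumption (not stated in the article): dcomcnfg 'Default Properties' are stored
# under HKLM\SOFTWARE\Microsoft\Ole as EnableDCOM ("Y"), LegacyAuthenticationLevel
# (1 None .. 6 Packet Privacy, 2 = Connect) and LegacyImpersonationLevel
# (1 Anonymous .. 4 Delegate, 2 = Identify); an absent value means the default.
[CmdletBinding()]
param(
    [switch]$Apply   # without -Apply the script only reports
)

$ole       = 'HKLM:\SOFTWARE\Microsoft\Ole'
$appCompat = 'HKLM:\SOFTWARE\Microsoft\Ole\AppCompat'

# Values from section 2 of the article (.reg dword:00000001 / dword:00000002).
$required = @{
    RequireIntegrityActivationAuthenticationLevel = 1
    RaiseActivationAuthenticationLevel            = 2
}

$authNames = @{ 1 = 'None'; 2 = 'Connect'; 3 = 'Call'; 4 = 'Packet'; 5 = 'Packet Integrity'; 6 = 'Packet Privacy' }
$impNames  = @{ 1 = 'Anonymous'; 2 = 'Identify'; 3 = 'Impersonate'; 4 = 'Delegate' }

function Get-OleValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value does not exist instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# --- Section 1: Default Properties (read-only check) -----------------------
$enableDcom = Get-OleValue $ole 'EnableDCOM'
$authLevel  = Get-OleValue $ole 'LegacyAuthenticationLevel'
$impLevel   = Get-OleValue $ole 'LegacyImpersonationLevel'

$authText = if ($null -ne $authLevel) { $authNames[[int]$authLevel] } else { 'Connect (default, value absent)' }
$impText  = if ($null -ne $impLevel)  { $impNames[[int]$impLevel] }  else { 'Identify (default, value absent)' }
Write-Host ("Enable Distributed COM      : {0}" -f $(if ($enableDcom) { $enableDcom } else { '<absent>' }))
Write-Host ("Default Authentication Level: {0}" -f $authText)
Write-Host ("Default Impersonation Level : {0}" -f $impText)
if ($enableDcom -ne 'Y') { Write-Warning 'DCOM is not enabled on this computer (EnableDCOM is not "Y").' }

# --- Section 2: AppCompat hardening values ---------------------------------
if (-not (Test-Path $appCompat)) {
    Write-Host "$appCompat does not exist"
    if ($Apply) { New-Item -Path $appCompat -Force | Out-Null }
}

$needsReboot = $false
foreach ($name in $required.Keys) {
    $want  = $required[$name]
    $have  = Get-OleValue $appCompat $name
    $state = if ($have -eq $want) { 'OK' } else { 'MISMATCH' }
    Write-Host ("{0,-46}: have={1} want={2} {3}" -f $name, $(if ($null -ne $have) { $have } else { '<absent>' }), $want, $state)
    if ($state -ne 'OK' -and $Apply) {
        New-ItemProperty -Path $appCompat -Name $name -PropertyType DWord -Value $want -Force | Out-Null
        $needsReboot = $true
    }
}
if ($needsReboot) { Write-Warning 'Registry changed; reboot this server before re-testing the OPC connection.' }

# --- Troubleshooting: DCOM hardening events in the System log --------------
# KB5004442 logs 10036 on the server (activation refused, auth level too low)
# and 10037 / 10038 on the client (explicit / default auth level too low).
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-DistributedCOM'
    Id           = 10036, 10037, 10038
} -MaxEvents 20 -ErrorAction SilentlyContinue

if ($events) {
    Write-Host "`nRecent DCOM hardening events (newest first):"
    $events | Select-Object TimeCreated, Id, Message | Format-List
} else {
    Write-Host "`nNo DCOM hardening events (10036/10037/10038) found in the System log."
}
```

Run without switches first on each machine and compare the output side by side; the section 2 values must read OK on every machine, and a 10036 event on the OPC server paired with a 10037 or 10038 event on the APM server pinpoints which side still negotiates an authentication level below Packet Integrity. The script does not change the Default Properties or the COM Security limits, which depend on the accounts in use and are better set through dcomcnfg as described above.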
SR 7001492237