DCOM Security & Logging

The most common problems our users run into with FactorySQL often revolve around DCOM security. This is especially true when trying to access OPC servers hosted on a different machine. I just thought I’d post a few items that can help a lot:

Lots of companies have published OPC-specific DCOM config guidelines. One that I just found & that I like a lot is from AscoLab, a big OPC supporter out of Germany. They’ve created a CHM that you can download freely at: http://www.ascolab.com/downloads/dcom.chm

Another extremely useful tool in debugging DCOM security is the ability to log DCOM events in Windows. You have to turn this on manually in the registry, but it isn’t too hard:

  1. Open up regedit
  2. Browse to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
  3. Add the following 2 DWORD values:
    ActivationFailureLoggingLevel 1
    CallFailureLoggingLevel 1

After this, you need to restart the DCOM programs that you’re trying to use. Generally, this will either be the FactorySQL service, the OPC server, or OpcEnum (which you’ll have to find in the task manager and manually quit).

Now all authentication failures will be logged to the Windows event log. Go to Control Panel > Administrative Tools > Event Viewer to view the logs.

Note: This information was taken from Microsoft knowledge base article 892500, located at: http://support.microsoft.com/kb/892500

If you have any questions about any of this, feel free to reply here. Hope it helps!

Regards,

Sweet! Thanks for the info, Colby.

The DCOM and Tutorials sections of the MatrikonOPC Knowledge base also have some helpful information.

Cheers
Eric

Eric,
Thanks for the great info. Once you create a free account on Matrikon’s site, you can download the white papers directly.

I just stumbled on this batch file that someone wrote to make it easy to turn logging on and off:

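@echo off
rem Turn DCOM failure logging on or off. Takes one argument: ON or OFF.
setlocal
rem No argument given: show the syntax and exit.
If {%1}=={} goto :err
if /i "%1" EQU "ON" set data=1&goto doit
if /i "%1" EQU "OFF" set data=0&goto doit
:err
@echo Syntax: DCOMErr ON^|OFF
endlocal
goto :EOF
:doit
set key="HKLM\SOFTWARE\Microsoft\Ole"
rem Run the registry writes with all output suppressed.
call :quiet>nul 2>&1
endlocal
goto :EOF
:quiet
rem Write both logging values: 1 for ON, 0 for OFF.
reg add %key% /V ActivationFailureLoggingLevel /T REG_DWORD /F /D %data%
reg add %key% /V CallFailureLoggingLevel /T REG_DWORD /F /D %data%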

Save it as a batch file, like DCOMLog.bat, and call it with “on” or “off” as a parameter, like:
c:\dcomlog.bat on

Remember, you’ll have to restart the processes that use DCOM to have it take effect (or restart the computer).

Just found out the OPC Training Institute has some great white papers and video tutorials that cover DCOM Config:

OPC Training Institute
White Papers

I believe sign up is required, but I didn’t look too hard. Found one of the papers on automation.com, but thought I’d link to the source :smiley:
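
A read-only companion to the registry steps and batch file earlier in this thread, as an added example that is not part of the original posts: it reports the current state of the two logging values and summarizes recent DCOM failures instead of browsing Event Viewer by hand. The `$Hours` parameter and its default, and the assumption that the events land in the System log under the Microsoft-Windows-DistributedCOM provider (Windows Vista and later), are not from the thread.

```powershell
# Added example (not from the thread). Read-only: reports whether DCOM failure
# logging is switched on and lists recent DCOM errors from the event log.
param(
    [int]$Hours = 24   # look-back window; an assumed default
)

$key   = 'HKLM:\SOFTWARE\Microsoft\Ole'
$names = 'ActivationFailureLoggingLevel', 'CallFailureLoggingLevel'

foreach ($name in $names) {
    # A missing value is reported as "not set" (Windows then uses its default behaviour).
    $prop  = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    $state = if ($null -eq $prop) { 'not set' } else { $prop.$name }
    '{0,-32} {1}' -f $name, $state
}

# Assumption: DCOM failures are written to the System log under the
# Microsoft-Windows-DistributedCOM provider (Windows Vista and later).
$filter = @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-DistributedCOM'
    StartTime    = (Get-Date).AddHours(-$Hours)
}

# Get-WinEvent raises a non-terminating error when nothing matches; suppress it.
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

if (-not $events) {
    "No DCOM events in the last $Hours hour(s)."
    return
}

# Count by event ID first, so a failure that repeats on every connection stands out.
$events | Group-Object Id | Sort-Object Count -Descending |
    Select-Object Count, @{n = 'EventId'; e = { $_.Name }} |
    Format-Table -AutoSize

# Then show the newest entries with the first line of each message.
$events | Select-Object -First 20 TimeCreated, Id,
    @{n = 'Message'; e = { ($_.Message -split "`r?`n")[0] }} |
    Format-Table -AutoSize -Wrap
```

Run it on the machine hosting the OPC server after reproducing the failed connection, then turn logging back off with the batch file once the fault is found.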