Troubleshooting OPC Communication DCOM and Firewall issues

When communication is disrupted, first check the Log View in Apis Management Studio for messages related to the problem, in particular messages containing any of the following:

Message contains | Symptom
Access is denied. (0x80070005) | Access denied, usually indicates DCOM security misconfiguration
The RPC server is unavailable. (0x800706BA) | RPC errors can indicate Windows firewall security misconfiguration, or network obstacles in general
The remote procedure call failed. (0x800706BE) |

OPC enumerator problem

When the security settings of the remote computer are incompletely configured, the OPC server list will be empty when browsing for OPC servers on the remote computer, and you might get error message(s) in the Log View in Apis Management Studio.

DCOM security

A message like this in the Log View in Apis Management Studio indicates that the problem is more likely DCOM security related than firewall related. The remote server says “Access denied”.


Failed to create OPC Server Lister object on 10.100.86.125.

As a result, OPC servers might not be available from the list of servers to choose from. Make sure OPCENUM.EXE is properly registered and configured on the server machine, consider both DCOM security and open the Firewall for OPCENUM.exe.

Or, you can enter the CLSID of your OPC server directly into the server property.

Error return: Access is denied. (0x80070005)

Let’s assume that in this case the local client is running under the “System account”, meaning that Anonymous logon must have access rights to the remote computer and to the OpcEnum process on the remote computer.

Solution:

Check the computer wide limits for Anonymous logon on the remote computer, as well as the access rights on the OpcEnum process.

Computer wide limits

On the OPC server computer, start Component Services and browse to My Computer. Right click and select Properties, then select the COM Security tab. In the Access Permissions section press Edit Limits and assure that Anonymous logon has Remote Access. If ANONYMOUS LOGON does not exist in the list, it must be added.

Repeat for Launch and activation permissions.

OPC enumerator access rights

Still in Component Services, browse to OpcEnum, right click and select Properties. Select the Security tab, press the Edit button in the Access permissions section, and assure that Anonymous logon has Remote Access. If ANONYMOUS LOGON does not exist in the list, it must be added.

Repeat for Launch and activation permissions.

If you changed any of the settings, the OpcEnum service must be restarted for the changes to take effect.

Firewall

A message like this in the Log View in Apis Management Studio indicates that the problem is likely firewall or network related. There is no answer from the remote server.


Failed to create OPC Server Lister object on 10.100.86.125.

As a result, OPC servers might not be available from the list of servers to choose from. Make sure OPCENUM.EXE is properly registered and configured on the server machine, consider both DCOM security and open the Firewall for OPCENUM.exe.

Or, you can enter the CLSID of your OPC server directly into the server property.

Error return: The RPC server is unavailable. (0x800706BA)

Solution:

The firewall must be opened for the OpcEnum process.

There are two alternatives for configuring this: a script or the firewall control panel.

Script

From an elevated command prompt, run the following commands:


netsh advfirewall firewall add rule name="Allow OpcEnum" dir=in program="C:\Windows\SysWOW64\opcenum.exe" action=allow

netsh advfirewall firewall add rule name="Allow OpcEnum" dir=out program="C:\Windows\SysWOW64\opcenum.exe" action=allow

Beware of the OpcEnum installation path; adjust the program path in the commands if it differs on your computer.
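Because the rule only works when the program path matches the installed executable, the following added example (not part of the original documentation) resolves the OpcEnum path from its service registration, creates the inbound and outbound rules, and lists the rules bound to that executable. It assumes the service is registered under the name OpcEnum and that the NetSecurity PowerShell cmdlets are available; the rule names and the $RemoteAddress variable are hypothetical.

```powershell
# Added example: resolve the real OpcEnum path, then create and verify the rules.
# Assumptions: the service is registered as 'OpcEnum'; rule names are hypothetical.
# Run in an elevated PowerShell session on the OPC server computer.
$RemoteAddress = 'Any'   # same scope as the netsh rules; set to the OPC client's
                         # address to accept OpcEnum traffic from that host only

$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='OpcEnum'"
if (-not $svc) { throw 'No service named OpcEnum is registered on this computer.' }

# PathName can be quoted and can carry arguments; keep only the executable path.
if ($svc.PathName -notmatch '^\s*"?(.+?\.exe)') {
    throw "Cannot parse the service path: $($svc.PathName)"
}
$exe = $Matches[1]
if (-not (Test-Path -LiteralPath $exe)) { throw "Executable not found: $exe" }

foreach ($direction in 'Inbound', 'Outbound') {
    $name = "Allow OpcEnum ($direction)"
    # Skip creation when the rule already exists, so re-running adds no duplicates.
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction $direction `
            -Program $exe -Action Allow -RemoteAddress $RemoteAddress | Out-Null
    }
}

# Show every firewall rule bound to this executable, whoever created it.
Get-NetFirewallApplicationFilter -Program $exe |
    Get-NetFirewallRule |
    Select-Object DisplayName, Direction, Action, Enabled, Profile |
    Format-Table -AutoSize
```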

Firewall control panel

On the OPC server computer, open Control Panel -> Windows Firewall -> Advanced settings -> New Rule. Select Program and press Next. Enter the program path to the OpcEnum executable, like “C:\Windows\SysWOW64\OpcEnum.exe”, and press Next.

Select Allow the connection and press Next.

Apply to all networks and press Next.

Give the rule a proper name, like “Allow OpcEnum”, and press Finish.

Windows Firewall will now allow connections to the OpcEnum process.

OPC DA/HDA access problems

When the security settings of the remote computer are incompletely configured, you are not able to connect to the remote OPC server, so item browsing is unavailable and you might get error message(s) in the Log View in Apis Management Studio.

DCOM security on remote server.


»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Failed to create OPC server, Prediktor.ApisOPCServer.1, on 10.100.86.125.

Error return: Access is denied. (0x80070005).

This message indicates that the problem is DCOM security related. The remote server says “Access denied”.

Let’s assume that in this case the local client is running under the “System account”, meaning that Anonymous logon must have access rights to the remote computer and to the Prediktor.ApisOPCServer.1 process on the remote computer.

Solution:

Check the computer wide limits for Anonymous logon on the remote computer, as well as the access rights on Prediktor.ApisOPCServer.1.

Computer wide limits

See how to set computer wide limits in the previous section.

OPC server access rights

Still in Component Services, in this case browse to ApisHive (OPC server), right click and select Properties, then select the Security tab.

In this case the OPC server (ApisHive) is using default properties, so we have two choices:

• Change it to Customized permissions and follow the same procedure as in the OPC enumerator access rights section.

• Keep the default. The advantage of using the default is that, if several OPC server instances are used on the same computer, the access rights can be set in one place if desirable.

In this example we choose to keep the default. Close the ApisHive Properties dialog, browse to My Computer, right click and select Properties, then select the COM Security tab. In the Access Permissions section press Edit Default and assure that Anonymous logon has Remote Access.

Repeat for Launch and activation permissions, and assure that the Anonymous user has Remote Launch and activation permissions.

If you changed any of the settings, the OPC server (ApisHive) service must be restarted for the changes to take effect.

Windows Firewall


ALARM from OPC

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Failed to create OPC server, Prediktor.ApisOPCServer.1, on 10.100.86.125.

Error return: The RPC server is unavailable. (0x800706BA).

Like in the OPC enum case, this message indicates that the problem is likely firewall related. There is no answer from the remote server.

Solution:

The firewall must be opened for the ApisHive process. Follow the procedure in the firewall configuration for OPC enum, but in this case open for ApisHive ("<install dir>\Bin\ApisHive.exe").

OPC server callback Firewall


ALARM from OPC/opcda://10.100.86.125/Prediktor.ApisOPCServer.1 [Primary]

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Failed calling IOPCDataCallback::Advise - IOPCDataCallback! Error return: The RPC server is unavailable. (0x800706BA).

This message indicates that the problem is likely firewall related. There is no answer from the remote server: the server tries to write back to the client but hits the firewall.

Solution:

The firewall on the local client computer must be opened for the ApisHive process. Follow the procedure in the firewall configuration for OPC enum, but in this case open for ApisHive ("<install dir>\Bin\ApisHive.exe").

OPC server callback access rights


ALARM from OPC/opcda://10.100.86.125/Prediktor.ApisOPCServer.1 [Primary]

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Failed calling IOPCDataCallback::Advise - IOPCDataCallback! Error return: Access is denied. (0x80070005).

This message indicates that the problem is DCOM security callback related. The remote server tries to write back to the client but gets “Access denied”.

In this case the server is running under the “OPCServerUser” account, meaning that when it tries to write back to the client it must have access rights to the local computer and to the process running the client as well (Prediktor.ApisOPCServer.1).

On the local computer:

Assure that OPCServerUser exists with the same password as the corresponding user on the remote server.

Assure that OPCServerUser has computer wide limits remote access rights.

Assure that OPCServerUser has remote access rights to the client process, in this case ApisHive, through default access permissions.

If you changed any of the computer wide settings, the OPC server (ApisHive) service must be restarted for the changes to take effect.

How to set DCOM security Computer wide limits for a specific user

Start Component Services system configuration and browse to My Computer, right click and select Properties, then select the COM Security tab. In the Access Permissions section press the Edit Limits button and assure that the specific user has Local and Remote Access.

Repeat for Launch and activation permissions.
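To confirm what the Edit Limits and Edit Default dialogs actually stored, for the Anonymous logon steps in the earlier sections as well as for a specific user, the following added example (not part of the original documentation) decodes the machine-wide COM security descriptors from the registry and reports the local and remote rights of one account. The $Account variable and the Get-ComAclEntry function are hypothetical names introduced for this example.

```powershell
# Added example: report the COM rights one account holds in the machine-wide
# DCOM settings. Run on the computer whose settings were changed.
$Account  = 'S-1-5-7'   # well-known SID of ANONYMOUS LOGON; use the SID of a
                        # specific user (e.g. OPCServerUser) to check that account
$OleKey   = 'HKLM:\SOFTWARE\Microsoft\Ole'
# Registry values behind the COM Security tab: Edit Limits and Edit Default.
$Settings = 'MachineAccessRestriction', 'MachineLaunchRestriction',
            'DefaultAccessPermission',  'DefaultLaunchPermission'

function Get-ComAclEntry {
    param([string]$ValueName)
    $bytes = (Get-ItemProperty -Path $OleKey -Name $ValueName `
                  -ErrorAction SilentlyContinue).$ValueName
    if (-not $bytes) {
        Write-Warning "$ValueName is not set; the built-in default applies."
        return
    }
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new([byte[]]$bytes, 0)
    $isLaunch = $ValueName -like '*Launch*'
    foreach ($ace in $sd.DiscretionaryAcl) {
        $mask = $ace.AccessMask
        # A mask of only COM_RIGHTS_EXECUTE (1) is the legacy form: all rights.
        $legacy = (($mask -band 0x1E) -eq 0) -and (($mask -band 1) -ne 0)
        [pscustomobject]@{
            Setting = $ValueName
            Sid     = $ace.SecurityIdentifier.Value
            Type    = $ace.AceType                           # AccessAllowed or AccessDenied
            Local   = $legacy -or (($mask -band 2) -ne 0)    # local access / local launch
            Remote  = $legacy -or (($mask -band 4) -ne 0)    # remote access / remote launch
            # Activation bits only have meaning in the Launch settings.
            LocalActivation  = if ($isLaunch) { $legacy -or (($mask -band 8)  -ne 0) }
            RemoteActivation = if ($isLaunch) { $legacy -or (($mask -band 16) -ne 0) }
        }
    }
}

$report = $Settings | ForEach-Object { Get-ComAclEntry -ValueName $_ }
$mine   = @($report | Where-Object Sid -eq $Account)
if ($mine.Count -eq 0) {
    "No entry for $Account in any of the four settings."
} else {
    $mine | Format-Table -AutoSize
}
```

Customized permissions set on a single application, such as OpcEnum, are stored per application and are not covered by this check.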