E143 – OPC Data Access
Third Party OPC DA Connection via DCOM
The Configuration User’s Guide (3BDS011222) is correct, but…
May be very complex to fully understand
Does not put system hardening in focus
It is easy to make mistakes!
Mix up local vs domain vs 800xA user accounts
Two separate accounts are often required
1. Connect account (to enable DCOM calls between two computers)
2. 800xA User Account (to enable entry to 800xA)
Firewall settings
Bi-directional DCOM settings are required to enable asynchronous calls
1. Server computer must allow client to login and launch OPC server
2. Client computer must allow OPC server to call back to OPC client
© ABB Group
January 18, 2018 | Slide 1
Required settings in both server and client computer
Browsing for remote OPC servers requires OPCEnum.exe on the server
OPCEnum.exe requires DCOM Remote Access + Remote Launch + Remote Activation for the connecting account
Defining a dedicated connect account is more secure than granting these rights to Everyone
The connect account must be granted access with DCOMCNFG.EXE
Default DCOM settings on AfwDsOpcSurrogate.1 no longer work from 5.0 SP2 RevE and 5.1 RevB due to system hardening
A dedicated (preferably non-admin) 800xA user is required as the launching identity (DCOM Identity, "This user") for the AfwDsOpcSurrogate.1 server
Third Party OPC DA client connection via DCOM
Client side (Domain A)
  Domain account: OPC Connect Account AD\opcconnect
    Member of Domain Users
  Computer A1
    Local account: OPC Transfer Account A1L\opctransfer
    OPC DA Client (launched from the AD\opcconnect account)
      DCOM permission for Access: Remote Access allow A1L\opctransfer

Server side (Domain B)
  Domain account: 800xA OPC Transfer Account BD\opctransfer
    Member of Domain Users and IndustrialITUser
  800xA System X
    System 800xA account: 800xA OPC Transfer Account BD\opctransfer
    Member of 800xA Everyone (to read) and possibly more (to write)
  Computer BX1
    Local account: OPC Connect Account BX1L\opcconnect
    AfwDsOPCSurrogate
      DCOM permission for Access: Remote Access allow BX1L\opcconnect
      DCOM permission for Launch+Activation: Remote Launch allow BX1L\opcconnect, Remote Activation allow BX1L\opcconnect
      DCOM Identity: This user BD\opctransfer

The accounts' passwords must match:
  A1L\opctransfer = BD\opctransfer
  AD\opcconnect = BX1L\opcconnect
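Added example, not part of the ABB slides: a read-only PowerShell audit of what DCOMCNFG.EXE shows for one OPC server, to be run elevated on the server computer (BX1 in the diagram). The ProgID AfwDsOpcSurrogate.1 and the account names are taken from the slides; the function names, the registry walk from ProgID to CLSID to AppID, and the use of the COM_RIGHTS_* bits are the example's own. It reports the DCOM Identity (RunAs) and whether the connect account holds Remote Launch, Remote Activation and Remote Access as explicit ACEs; a right that only arrives through a group is not resolved, and an absent LaunchPermission or AccessPermission value means "Use Default" in DCOMCNFG, so the machine-wide settings apply instead.

```powershell
# Added example, not from the ABB slides: read-only audit of the DCOM settings
# of one OPC server, run elevated on the server computer (BX1 in the diagram).
# Requires PowerShell 5 or later (::new() syntax).
param(
    [string]$ProgId         = 'AfwDsOpcSurrogate.1',                # from the slides
    [string]$ConnectAccount = "$env:COMPUTERNAME\opcconnect",       # slide writes it BX1L\opcconnect
    [string]$ExpectedRunAs  = 'BD\opctransfer'                      # slide example for DCOM Identity
)

# COM_RIGHTS_* bits as used in DCOM Launch and Access ACLs (assumption: dcom.h values)
$REMOTE_ACCESS     = 0x04   # "Remote Access" in an Access ACL
$REMOTE_LAUNCH     = 0x04   # "Remote Launch" in a Launch ACL (same bit, different ACL)
$REMOTE_ACTIVATION = 0x10   # "Remote Activation" in a Launch ACL

function Get-DcomAppId([string]$progId) {
    # ProgID -> CLSID -> AppID. CLSID keys of 32-bit servers live under WOW6432Node
    # on 64-bit Windows; AppID keys are shared between both registry views.
    $clsid = (Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\$progId\CLSID" -ErrorAction Stop).'(default)'
    foreach ($view in 'CLSID', 'WOW6432Node\CLSID') {
        $appId = (Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\$view\$clsid" -ErrorAction SilentlyContinue).AppID
        if ($appId) { return $appId }
    }
    throw "CLSID $clsid has no AppID, so per-application DCOM settings cannot apply"
}

function Get-DcomSecurityDescriptor([string]$appId, [string]$valueName) {
    # LaunchPermission / AccessPermission are REG_BINARY self-relative descriptors
    $bytes = (Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\AppID\$appId" -Name $valueName -ErrorAction SilentlyContinue).$valueName
    if (-not $bytes) { return $null }   # absent: DCOMCNFG "Use Default", machine-wide list applies
    return [System.Security.AccessControl.RawSecurityDescriptor]::new($bytes, 0)
}

function Test-DcomRight($sd, [System.Security.Principal.SecurityIdentifier]$sid, [int]$mask) {
    # True only if allow ACEs for exactly this SID cover every bit in $mask and no
    # deny ACE for it takes any of them away. Group-derived rights are not resolved.
    if ($null -eq $sd -or $null -eq $sd.DiscretionaryAcl) { return $false }
    $granted = 0
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.SecurityIdentifier.Value -ne $sid.Value) { continue }
        if ($ace.AceType -eq 'AccessDenied' -and ($ace.AccessMask -band $mask)) { return $false }
        if ($ace.AceType -eq 'AccessAllowed') { $granted = $granted -bor $ace.AccessMask }
    }
    return (($granted -band $mask) -eq $mask)
}

$appId  = Get-DcomAppId $ProgId
$launch = Get-DcomSecurityDescriptor $appId 'LaunchPermission'
$access = Get-DcomSecurityDescriptor $appId 'AccessPermission'
$runAs  = (Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\AppID\$appId" -Name RunAs -ErrorAction SilentlyContinue).RunAs
$runAsShown = if ($runAs) { $runAs } else { '(launching user)' }   # no RunAs value = "The launching user"

$connect  = ([System.Security.Principal.NTAccount]$ConnectAccount).Translate([System.Security.Principal.SecurityIdentifier])
$everyone = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'   # well-known SID, locale independent

[pscustomobject]@{
    ProgId                     = $ProgId
    AppId                      = $appId
    RunAs                      = $runAsShown
    RunAsIsExpected            = ($runAs -eq $ExpectedRunAs)
    LaunchAclIsCustomized      = ($null -ne $launch)
    AccessAclIsCustomized      = ($null -ne $access)
    ConnectHasRemoteLaunch     = Test-DcomRight $launch $connect $REMOTE_LAUNCH
    ConnectHasRemoteActivation = Test-DcomRight $launch $connect $REMOTE_ACTIVATION
    ConnectHasRemoteAccess     = Test-DcomRight $access $connect $REMOTE_ACCESS
    EveryoneHasRemoteLaunch    = Test-DcomRight $launch $everyone $REMOTE_LAUNCH   # hardening: expect False
    EveryoneHasRemoteAccess    = Test-DcomRight $access $everyone $REMOTE_ACCESS   # hardening: expect False
}
```

For the diagram's server BX1 the expected result is RunAsIsExpected, ConnectHasRemoteLaunch, ConnectHasRemoteActivation and ConnectHasRemoteAccess all True and the two Everyone fields False. Running the same script with -ProgId 'OPC.ServerList.1' (the ProgID OPCEnum.exe registers) checks the browsing prerequisite from the earlier slide in the same way.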
Call directions in the same setup (same accounts and DCOM permissions as above):
  Synchronous calls, OPC DA Client -> AfwDsOPCSurrogate: AddGroup, AddItem, ReadSynchronous, WriteSynchronous
  Asynchronous calls, OPC DA Client -> AfwDsOPCSurrogate: Advise, ReadAsynchronous, WriteAsynchronous
  Callbacks for the asynchronous calls, AfwDsOPCSurrogate -> OPC DA Client: OnDataChange, OnReadComplete, OnWriteComplete
The callbacks are DCOM calls from the server computer back into the client process, which is why the client computer A1 must grant Remote Access to A1L\opctransfer, the account the server runs as.
E143 – Asynchronous OPC Data Access
Client and server on different domain or workgroup
OPC Client (some 3rd party)
  Account A: the account used to launch the OPC client
  Account B: the account matching the user used by the OPC server
  Account B must have the following DCOM permission on the 3rd party xxx.exe (the client process is the COM server for the callbacks):
    Remote Access

OPC Server (AfwDsOPCSurrogate.exe)
  Account C: the account used to run the OPC server
  Account D: the account matching the user used by the OPC client
  Account D must have the following DCOM permission on AfwDsOPCSurrogate.exe:
    Remote Access
    Remote Launch
    Remote Activation

Account X will match even if workgroup and domain name are different:
  WORKGROUP Y\USER X = DOMAIN Z\USER X

1. Client (running as A) attempts to perform remote launch of the server via DCOM
2. If A's name + password matches D, DCOM will launch AfwDsOPCSurrogate.exe
   (The AfwDsOPCSurrogate must have DCOM Identity set to This user = C. Account C must also be a known System 800xA user and have appropriate object access)
3. Client (A) adds groups and items
4. Server (running as C) sends data to the client
5. If C matches B, DCOM allows delivery of data to the client
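Added example, not part of the ABB slides: the client-computer half of the sequence above as a PowerShell script, run elevated on the OPC client computer (A1 in the diagram). It creates account B as a plain local user whose name must be spelled exactly like the server's account C (BD\opctransfer in the diagram; only user name and password are compared, the domain or workgroup part is ignored) and grants it Remote Access in the machine-wide DCOM Access Permission lists, so step 5 succeeds. The parameter names, the function Grant-DcomRemoteAccess, the registry value names MachineAccessRestriction and DefaultAccessPermission under HKLM\SOFTWARE\Microsoft\Ole, and the COM_RIGHTS_* bits are the example's own assumptions; it also assumes the 3rd party client has no AppID-specific Access Permission of its own, which is the case where the machine-wide defaults apply.

```powershell
# Added example, not from the ABB slides: create the mirrored callback account
# (account B) on the OPC client computer and grant it DCOM Remote Access in the
# machine-wide Access Permission limits and defaults. Run elevated on the client.
# Requires PowerShell 5 or later (::new() syntax, LocalAccounts module).
param(
    # Must equal the server-side 800xA transfer account name (slide: BD\opctransfer)
    [string]$MirrorAccount = 'opctransfer',
    # Must equal that account's password: name + password matching is the whole mechanism
    [System.Security.SecureString]$Password = (Read-Host -AsSecureString "Password of $MirrorAccount, identical to the server side")
)

# COM_RIGHTS_* bits (assumption: dcom.h values); 0x01 | 0x04 is what "Remote Access" alone means
$COM_RIGHTS_EXECUTE        = 0x01
$COM_RIGHTS_EXECUTE_REMOTE = 0x04
$RemoteAccessMask = $COM_RIGHTS_EXECUTE -bor $COM_RIGHTS_EXECUTE_REMOTE

# 1. Mirrored local account: an ordinary user, no admin rights, fixed password
if (-not (Get-LocalUser -Name $MirrorAccount -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $MirrorAccount -Password $Password -PasswordNeverExpires `
        -UserMayNotChangePassword -AccountNeverExpires `
        -Description 'OPC DA callback identity, mirror of the 800xA OPC transfer account' | Out-Null
}
$sid = (Get-LocalUser -Name $MirrorAccount).SID

# 2. Append an allow ACE with Remote Access to one machine-wide DCOM access descriptor
function Grant-DcomRemoteAccess([string]$valueName, [System.Security.Principal.SecurityIdentifier]$sid, [int]$mask) {
    $key   = 'HKLM:\SOFTWARE\Microsoft\Ole'
    $bytes = (Get-ItemProperty $key -Name $valueName -ErrorAction SilentlyContinue).$valueName
    if (-not $bytes) {
        # Absent means the built-in OS default is in force. Let DCOMCNFG write it out
        # once (COM Security > Access Permissions > Edit ...) instead of guessing it here.
        throw "$valueName not present under $key; open it in DCOMCNFG once, then re-run"
    }
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($bytes, 0)
    if ($null -eq $sd.DiscretionaryAcl) {
        $sd.DiscretionaryAcl = [System.Security.AccessControl.RawAcl]::new(2, 1)   # ACL revision 2, one slot
    }
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.SecurityIdentifier.Value -eq $sid.Value -and $ace.AceType -eq 'AccessAllowed' -and
            ($ace.AccessMask -band $mask) -eq $mask) {
            return "$valueName already grants Remote Access to $sid"
        }
    }
    $ace = [System.Security.AccessControl.CommonAce]::new(
        [System.Security.AccessControl.AceFlags]::None,
        [System.Security.AccessControl.AceQualifier]::AccessAllowed,
        $mask, $sid, $false, $null)
    $sd.DiscretionaryAcl.InsertAce($sd.DiscretionaryAcl.Count, $ace)
    $out = New-Object byte[] $sd.BinaryLength
    $sd.GetBinaryForm($out, 0)
    Set-ItemProperty -Path $key -Name $valueName -Value $out -Type Binary
    return "$valueName now grants Remote Access to $sid"
}

# The limits (DCOMCNFG "Edit Limits") must allow the callback, and so must the
# defaults (DCOMCNFG "Edit Default") that a client without its own AppID ACL falls back to
Grant-DcomRemoteAccess 'MachineAccessRestriction' $sid $RemoteAccessMask
Grant-DcomRemoteAccess 'DefaultAccessPermission' $sid $RemoteAccessMask
```

Nothing on the client can verify that the password really equals the server-side one; the first asynchronous call shows it, because a mismatch leaves the Advise in place but no OnDataChange callbacks arrive. Keep the account out of Administrators and Remote Desktop Users: Remote Access on the DCOM lists is all the server needs to deliver data.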