OPC DA failed to connect after Windows DCOM Server Security Feature Enable|Classic OPC: DA, A&E, HDA, XML-DA, etc.|Forum|OPC Foundation

Avatar
Search
Forum Scope


Match



Forum Options



Minimum search word length is 3 characters - maximum search word length is 84 characters
Lost password?
sp_Feed sp_PrintTopic sp_TopicIcon
OPC DA failed to connect after Windows DCOM Server Security Feature Enable
Avatar
Marimuthu Ananthan
Member
Members
Forum Posts: 5
Member Since:
02/13/2018
sp_UserOfflineSmall Offline
1
07/27/2021 - 20:13
sp_Permalink sp_Print

Dear All,

Microsoft has identified some vulnerabilities at DCOM

ref: https://msrc.microsoft.com/upd…..2021-26414.

https://support.microsoft.com/…..ed901c769c

If we enable this DCOM Hardening it’s working fine with the local OPC server.

But not working with Remote OPC Server. If we try to connect remote OPC Server with local OPC Client its throw “E_NETWORK_ERROR”(nca_s_fault_access_denied). 

Any solution or workaround for this MS Patch?

Avatar
Randy Armstrong
Admin
Forum Posts: 1578
Member Since:
05/30/2017
sp_UserOfflineSmall Offline
2
07/27/2021 - 23:48
sp_Permalink sp_Print sp_EditHistory

Thank you for bringing this to our attention.

I have raised the issue with our contacts at Microsoft to get more information.

Based on my reading of the available information I suspect that many OPC applications will have to change the parameters they pass to CoCreateInstance or CoInitializeSecurity.

Are you in a position to modify the client and server code to experiment with different parameters?

Correct links are:

https://msrc.microsoft.com/upd…..2021-26414

https://support.microsoft.com/…..ed901c769c

Avatar
Marimuthu Ananthan
Member
Members
Forum Posts: 5
Member Since:
02/13/2018
sp_UserOfflineSmall Offline
3
07/28/2021 - 00:13
sp_Permalink sp_Print

Hi,

Thanks for the immediate response.

Currently, we are not in the position to modify either client or server.

If you received any more updates from Microsoft please update here.

Is it impact all OPC Servers and clients?

Avatar
Randy Armstrong
Admin
Forum Posts: 1578
Member Since:
05/30/2017
sp_UserOfflineSmall Offline
4
07/28/2021 - 13:49
sp_Permalink sp_Print sp_EditHistory

At this point your options are:

1) Use an OS other than Windows 10 or Windows Embedded 8.1;

2) Update your applications to call RpcBindingSetAuthInfo() and set the RPC_C_AUTHN_LEVEL_PKT_INTEGRITY flag (needs confirmation).

3) Use local DCOM + OPC UA Gateway to provide remote access;

4) Use local DCOM + OPC DCOM tunneler to provide remote access.

Avatar
Marimuthu Ananthan
Member
Members
Forum Posts: 5
Member Since:
02/13/2018
sp_UserOfflineSmall Offline
5
07/29/2021 - 01:50
sp_Permalink sp_Print

Hi,

1. We tested with all Microsoft Windows OS (10, 2016, 2019…) it’s not working

2. Please update confirmation set the RPC_C_AUTHN_LEVEL_PKT_INTEGRITY flag will resolve our issue

3. Can you please share DCOM + OPC UA Gateway links if any and

4. Can you please share DCOM + OPC DCOM tunneler  links if any

Thanks

Avatar
Randy Armstrong
Admin
Forum Posts: 1578
Member Since:
05/30/2017
sp_UserOfflineSmall Offline
6
07/29/2021 - 05:59
sp_Permalink sp_Print sp_EditHistory

1) Did you check Windows 7?

Note that using an end of life Windows OS is generally a bad idea but a lot of existing factory systems do have old systems and should be unaffected by the change but will still be affected by the security vulnerability that led MS to make the change in the first place.

2) Someone who has this problem and has access to their COM client/server code needs to verify that this fix works.

3) Example of a COM to UA gateway:

https://www.unified-automation…..teway.html

Any product that works as a ‘protocol converter’ such as KepServerEx could also be used.

4) Example of a DCOM tunneller:

https://www.matrikonopc.com/op…..eller.aspx

Avatar
Zbynek Zahradnik
Member
Members
Forum Posts: 62
Member Since:
02/24/2014
sp_UserOfflineSmall Offline
7
07/30/2021 - 00:39
sp_Permalink sp_Print sp_EditHistory

Regarding RpcBindingSetAuthInfo(), do we know if it needs to be set on the client, on the server, or both? Only on the computer that has the Microsoft patch installed, or, if the patch is installed at either side, then the RpcBindingSetAuthInfo() call needs to be made at both sides? If it indeed fixes the problem with the Microsoft patch, do we know if using it is harmless on systems that do not have the patch, etc.? – the questions are many.

Is there any guidance on how the call should be made? I have quickly looked at the documentation (https://docs.microsoft.com/en-…..etauthinfo ), and, because it is at the RPC level and not the DCOM level, it is unclear to me how to use it – where to get the RPC_BINDING_HANDLE and other information.

Regards 

Avatar
Marimuthu Ananthan
Member
Members
Forum Posts: 5
Member Since:
02/13/2018
sp_UserOfflineSmall Offline
8
08/03/2021 - 02:30
sp_Permalink sp_Print

Dear All,

We identified one quick workaround is

Dcomcnfg.exe -> My Computer -> Properties -> Default Properties ->

Set “Default Authentication Level” is “Packet Integrity” from “connect”

Please update if you have any other suggestions.

Forum Timezone: America/Phoenix
Most Users Ever Online: 510
Currently Online:
Guest(s) 37
Currently Browsing this Page:
1 Guest(s)
Top Posters:
Forum Stats:
Groups: 2
Forums: 10
Topics: 1444
Posts: 4887