Remote OPC (a.k.a. DCOM hell)

monkeyhead

I'm setting up a SCADA, and I've got all my local OPC comms working just fine, but there are a couple of standalone systems that I only have access to through their PC-based HMIs (XP SP2). So I'm forced to use remote OPC for these systems.

IT rules that PCs that are not part of our Windows domain must live on their own VLAN that accepts incoming traffic, but doesn't allow outgoing connections.

So far on the HMI PCs, I basically made DCOM and my OPC servers about as unsecure as possible by allowing full access to everyone and their brother. On the HMI PCs, I had all of them join the same Windows workgroup and used the same user/password combo on each machine.

I can initiate a remote server and read data using RSI's test opc client between any of the HMIs.

The problem is that my SCADA is going to live on the regular VLAN (as is the laptop I'm using to develop on).

I can initiate and launch the remote server using the RSI test client from my laptop, but when I try to create a group, I get an RPC error.

I downloaded the dccomtest test server and client from MSDN and tried it, but I also get an RPC error. I ran a port scanner and I clearly see port 135 opened up.

In desperation I even installed IIS and tried enabling COM for Internet Services and set TCP/IP tunneling as the default protocol, but I still get the same error.

Is there any type of tool I can use to troubleshoot DCOM problems?

Could the whole thing be failing because my laptop is part of my company's Windows domain and I don't have an account set up on my HMI PCs using my username?

I've already killed two days that I didn't have to spare on this. Unix is so much easier than windows... o_O
 
A couple years ago I set up a shared KEPServer (multiple client PCs connecting to a single server which reads from/writes to multiple PLCs) and went through a similar trouble. Can't remember all the details now, but a few things come to mind:

  • Whatever DCOM permissions are set for KEPServer process, the same permissions must be set for OPCENUM process.
  • I have ended up giving all the permissions to "Everyone" - not the safest thing, I know, but it was working and I did not want to spend any more time honing it.
  • Even with all the permissions for everyone, I could not make the shared KEPServer start if it was not running. I ended up having it configured to run as an NT process - then it worked.
  • In my case, the server, the client PCs and all the PLCs the server reads/writes are on the same VLAN so I had no issues on that end. Some client PCs log in to the company domain with domain user credentials so they are recognized by the server. Other PCs log in with local, non-domain credentials - those users are recognized by the server as long as the server has its own local user account with the same username and the same password (this feature is called 'traversing', if I am not mistaken).
Good luck...
 
Thanks for the tips. I had to pull off the project to focus on some other stuff for a few days, but I'll definitely be trying out the security analyzer, and the traversing tip.
 
Opc dcom

Sounds familiar. I tried to use the OPC connection to a remote PLC.
It did not work at all... We had a router and there was NAT. OPC does not work with NAT (Network Address Translation). I wanted to use the separate "PORTS".

I am waiting for OPC-UA for my configuration; it is expected to solve the problem.
 
My question for Technical Support (Kepware):
"I'm just asking, when we can see opc-ua?"

Answer;
"It will be the end of 2009 for Kepware; but there are solutions on
the market...
Iconics have a UA Client and Server solution w/ Genesis."
 
adrielmichaud - Thanks for pointing out the tunneling option. I had looked at the tunneling solutions, but I have blown my software budget on this project, and simply can't buy anymore.

DCOM is such a nightmare... I finally resolved my problem (sort of). I'd never heard of OPC-UA but now I'm excited for it. DCOM is slick when it works right, but not worth the pain.

The remote OPC servers are an old Opto22 product called Optoserver. I spent another full day on it. Using Kepware's quick client I could connect, create a group, and add the item, but it wouldn't update with Asynchronous reads. Synchronous reads and writes however worked fine. I kept getting failures with Hresult = 80040200. I couldn't find any information on this error. RSI's test client would fail when I tried to add a group with an 'RPC unavailable' message.

Finally I found a knowledgebase article from Opto22 about some group security settings on RPC that are necessary for OptoCDS on XP SP2. OptoCDS is a component that performs a similar function to OPC but only works between Opto22's own software.

Since I'm already running a local version of Optoserver on my SCADA to talk to my network based Opto22 controllers, I added another node that uses OptoCDS to get at my remote HMI's and serial controllers. This worked.

So instead of:

SCADA<--------->REMOTE OPC SERVER<->CONTROLLER

I have:

SCADA<->LOCAL OPC SERVER<------>REMOTE OPTOCDS<->CONTROLLER

I still don't know if the problem is with DCOM or with the OPC server. I'm half tempted to install the Demo of kepware on one of the HMI's just to see if I can access it.

The only thing I don't like is that I can't make OptoCDS start up remotely as a process in the background when the OPC client requests data. This was how Optoserver was starting.

I have it starting minimized on the taskbar on the HMI computer, but I know it's only a matter of time till an operator or tech closes it and I get a call that my SCADA isn't reporting data on these controllers.
 
1. If sync reads are working and async are not, you've most likely got a callback authentication problem. (Client PC does not recognize Server PC's user)

2. We've got a guide to opening up DCOM (may be similar to Opto's) http://www.matrikonopc.com/downloads/172/whitepapers/index.aspx

3. Most OPC Servers can run as a service. This is done by running the OPC Server exe from the command line with the "-service" flag. Running the OPC Server as a service that automatically starts when windows starts would hide it from any curious operators. Check with your vendor for specifics.

4. Tool to troubleshoot DCOM problems. We've got an OPC DCOM Analyzer here, but it's used more to snapshot the system and troubleshoot at a glance.

5. "Could the whole thing be failing because my laptop is part of my company's windows domain and I don't have an account set up on my HMI PCs using my username?" Best practice in this situation is to create the same local user on both PCs and run any OPC software as that user. This usually takes care of authentication worries.

6. Port 135 is only part of the DCOM equation. It also dynamically allocates ports above 1024. This makes firewall configuration a lot more difficult.

There's a lot more OPC/DCOM info at www.opcsupport.com
 
1. If sync reads are working and async are not, you've most likely got a callback authentication problem. (Client PC does not recognize Server PC's user)

A-ha! I have had the same kind of problem (sync reads work, async ones don't) and could not figure it out as well. I ended up dropping all the async reads in my code - I am not reading a lot of data, so the delays were not critical. So that is what it was.

In other words, if you want to have async comms between your PC and a remote OPC server, not only DCOM on the server has to be configured for that but DCOM on the client PC as well...
 
Actually all you need to do is make sure that the username and password of the client are in both PCs' users and they have the same user permissions. Go to www.opcti.com and get their free OPC Expert software; it will help you troubleshoot it a lot. Also, there are a lot of tips and tricks there.
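
As an added example (not part of the original thread), the small Python model below walks through the three kinds of connection the replies describe: activation on port 135, synchronous calls on a dynamic port, and the callback the server makes back to the client. It reports whether each one is stopped by the network or by account recognition. The accounts, passwords, VLAN names and the port 1050 are constructed, and account recognition is reduced to the matching-local-user rule mentioned in the replies.

```python
# Added example: simplified model of the connections in a remote OPC DA (DCOM) session.
from dataclasses import dataclass
EPMAP = 135              # RPC endpoint mapper
ANY = range(1, 65536)

@dataclass
class Host:
    vlan: str
    run_as: str          # account the OPC software runs under
    users: dict          # local accounts on this PC: username -> password

def reachable(rules, src, dst, port):
    # rules: (source VLAN, destination VLAN, ports) triples for new TCP connections
    return any(s == src.vlan and d == dst.vlan and port in ports for s, d, ports in rules)

def recognised(caller, callee):
    # Assumption: workgroup-style matching, same username and same password on the callee.
    pw = caller.users.get(caller.run_as)
    return pw is not None and callee.users.get(caller.run_as) == pw

def check_session(client, server, rules, dyn_port=1050):
    # dyn_port stands in for whatever port above 1024 DCOM picks at run time.
    flows = [("activate", client, server, [EPMAP]),
             ("sync_read", client, server, [dyn_port]),
             ("async_callback", server, client, [EPMAP, dyn_port])]
    out = {}
    for step, caller, callee, ports in flows:
        if not all(reachable(rules, caller, callee, p) for p in ports):
            out[step] = "blocked by network"
        elif not recognised(caller, callee):
            out[step] = "caller not recognised"
        else:
            out[step] = "ok"
    return out

# Constructed hosts and rule sets (VLAN names, accounts and passwords are made up).
scada = Host("plant", "opcuser", {"opcuser": "pw1"})
hmi_same_user = Host("hmi", "opcuser", {"opcuser": "pw1"})
hmi_own_user = Host("hmi", "hmiuser", {"hmiuser": "pw2", "opcuser": "pw1"})
open_both = [("plant", "hmi", ANY), ("hmi", "plant", ANY)]
inbound_only = [("plant", "hmi", ANY)]          # HMI VLAN may not open connections
only_135 = [("plant", "hmi", range(135, 136)), ("hmi", "plant", range(135, 136))]

if __name__ == "__main__":
    for name, srv, rules in [("server runs as own user", hmi_own_user, open_both),
                             ("same user on both PCs", hmi_same_user, open_both),
                             ("one-way VLAN rule", hmi_same_user, inbound_only),
                             ("only port 135 open", hmi_same_user, only_135)]:
        print(f"{name:24} {check_session(scada, srv, rules)}")
```

In the one-way VLAN case the callback is blocked even with matching accounts, because the callback is a new connection opened by the server PC towards the client PC.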
 
