DeltaV 13.3.1
I am attempting to connect to OPC.DeltaV.1 on one of our application stations. I am using OPCWatchit and no matter which machine i try from (other application station or proplus) i get the following.
Status: Server init failed: hr=80070005Error Msg: Access is Denied
When I browse the OPC Server Names, the list populates correctly so they are enumerating, i just can't make the connection.
Naturally it appears to be an authentication issue but I haven't found any guidance for things to check.DeltaVAdmin account is a local and domain account.
Ideas?
Andre Dicaire
In reply to Andre Dicaire:
Man, you are spot on!
I was digging in the event logs and found where DCOM was not allowing the remote user to activate the DCOM server.It said to please raise the authentication level to RPC_C_AUTH_LEVEL_PKT_INTEGRITY in the client application.Instead, followed the guidance here and disabled the hardening in the registry.Updates were applied some time back but connections to this particular OPC server are new so we didn't know it was "broken"Just rebooted and the connection came up just fine.
Thanks Andre!!
In reply to Invalid String:
In this case, it would seem that the DeltaV OPC Server machine was at a MS Patch level of after May 2022, and the client machine was at a MS patch level before November 2022.
This solution may break again (or not). The March 2023 MS security updates will disable the registry setting that disables the hardened mode. With the March 2023 update, packet level integrity will be the minimum allowed with no way to override, ie. that registry setting will cease to work.
But it probably doesn't matter. If the client isn't somehow coded in a strange fashion, the November 2022 MS updates were to silently escalate to a minimum of packet level integrity in spite of what the client might initially ask for.
So as per Microsoft KB5004442—Manage changes for Windows DCOM Server Security Feature Bypass (CVE-2021-26414)
"In response to your feedback, the November 8,2022 update includes a client-side (device, application, or service acting as a DCOM client) patch. This patch automatically raises the authentication level of all non-anonymous activation requests to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY. If you use third-party Windows DCOM client applications and are dependent on the software providers to raise the activation authentication level to support DCOM hardening changes, this patch removes the dependency. This allows the activation authentication level to be raised automatically at the Windows OS level. This prevents the activation requests from being rejected by DCOM servers that have enabled DCOM hardening changes."
As I interpret this, If we'd have waited until the November MS patches, no changes at all would have been necessary to most clients, other than the client side machine had to be updated to the November security updates.
In reply to Randy Pratt: