Setting encryption level and NTLM negotiation
Last Updated: Nov 15, 2022
Local accounts used for an OPC server or interface may fail to authenticate when connecting to Windows Server 2008, Windows 7, and later. These versions of Windows include changes designed to enhance the security of the NTLM authentication protocol, which servers and clients use when running in workgroup mode. By default they are configured to communicate only with other computers that use the enhanced NTLM security, which prevents authentication from the OPC client to the OPC server when local accounts are used. To ensure interoperability, the OPC server and client nodes should be configured so that the NTLM-specific settings on the two computers match. Older Windows versions (at least back to Windows XP) with up-to-date service packs support the new settings; Windows 2003 Service Pack 1 supports this setting.
To determine whether this is the issue, perform a simple file-sharing request from the interface/client machine to the server and vice versa:
- Choose Start > Run.
- In the text box, type \\computername and press Enter.
- If you cannot log in to the machine with the credentials, you can use RUNAS like this to run Windows Explorer under them:
  runas /user:domain\user "explorer /separate"
If successful, a window will be displayed. If you have no access to shares/files on the computer, the window will be empty; otherwise it will list the accessible shares/folders/files. If it fails, open the Local Security Policy console and check the following policies on both the OPC server and interface nodes:
- "Network security: LAN Manager authentication level". Set the NTLM authentication level to "Send NTLMv2 response only".
  Caution: If there are legacy systems on the network running Windows XP, Windows Server 2003 or earlier, then "Send NTLMv2 response only" may break authentication for the older computers. Use "Send LM & NTLM - use NTLMv2 session security if negotiated" instead to remain compatible with legacy systems.
- "Network security: Minimum session security for NTLM SSP based (including secure RPC) clients". Set to "Require 128-bit encryption".
- "Network security: Minimum session security for NTLM SSP based (including secure RPC) servers". Set to "Require 128-bit encryption".
- When accessing Windows Server 2012 systems remotely, \\ServerName\C$ will not work with local admin credentials. To resolve this:
  - In Regedit, open HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System and set LocalAccountTokenFilterPolicy to 1. If the value does not exist, create it as a DWORD (32-bit) value.
The policy settings given above should allow interoperability in most cases. However, it is sometimes not possible to change the configuration of one machine or the other; in that case, change the settings on the computer where the policies can be changed to match those of the computer where they cannot.
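The settings above are backed by registry values, so the quickest way to confirm that the two nodes match is to read those values on each machine and compare the output. The following PowerShell script is an added example, not part of the original page or the PI System product; it only reads the standard registry locations for the three NTLM policies and LocalAccountTokenFilterPolicy and reports what is configured, without changing anything.

```powershell
# Added example: audit the registry values behind the NTLM policies discussed above.
# Run it on both the OPC server and the interface node and compare the two reports.
$LmLevels = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}
$Require128Bit = 0x20000000   # NtlmMinClientSec/NtlmMinServerSec flag: "Require 128-bit encryption"
$RequireNtlmV2 = 0x00080000   # flag: "Require NTLMv2 session security"

function Get-RegDword {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # value absent: Windows applies its built-in default
    return [int]$item.$Name
}

function Get-NtlmPolicyReport {
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $msv = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    $pol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

    $lm     = Get-RegDword $lsa 'LmCompatibilityLevel'        # LAN Manager authentication level
    $client = Get-RegDword $msv 'NtlmMinClientSec'            # min session security, clients
    $server = Get-RegDword $msv 'NtlmMinServerSec'            # min session security, servers
    $filter = Get-RegDword $pol 'LocalAccountTokenFilterPolicy'

    $lmName = if ($null -eq $lm) { '(not set - OS default)' } else { $LmLevels[$lm] }

    [pscustomobject]@{
        ComputerName            = $env:COMPUTERNAME
        LmCompatibilityLevel    = $lm
        LanManagerAuthLevel     = $lmName
        ClientRequires128Bit    = ($null -ne $client) -and (($client -band $Require128Bit) -ne 0)
        ClientRequiresNtlmV2    = ($null -ne $client) -and (($client -band $RequireNtlmV2) -ne 0)
        ServerRequires128Bit    = ($null -ne $server) -and (($server -band $Require128Bit) -ne 0)
        ServerRequiresNtlmV2    = ($null -ne $server) -and (($server -band $RequireNtlmV2) -ne 0)
        LocalAccountTokenFilter = $filter   # 1 = remote local-admin access to C$ allowed
    }
}

Get-NtlmPolicyReport | Format-List
```

A mismatch in LmCompatibilityLevel or in the 128-bit/NTLMv2 flags between the two reports is the condition this page describes; a value shown as not set means the OS default applies on that node.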
Note: A system reboot is required for changes to the settings to take effect. If the reboot does not work, try the following command or contact tech support: