Authentication
- Last Updated: Nov 15, 2022
Authentication confirms the identity of a user (as opposed to authorization, which controls what an authenticated user is permitted to do). DCOM does not implement its own authentication; it relies on the Windows security support providers (SSPI). When the OPC nodes are Windows NT-based machines in a workgroup, DCOM authenticates with NTLMSSP (NT LAN Manager Security Support Provider). When the OPC nodes are members of an Active Directory domain (Windows Server 2003/2008), Kerberos is used as the security provider.
DCOM supports the following authentication levels, listed from least to most secure. Each level includes the checks of the levels below it:
- None: No authentication occurs. Note: Never enable unauthenticated communication (authentication level set to None). It permits any user on the network to connect to the OPC server node without authentication, and without any audit record of who connected.
- Connect: Authenticates credentials only when the connection is made.
- Call: Authenticates credentials at the beginning of every RPC call.
- Packet: Authenticates credentials and verifies that all data received came from the authenticated client.
- Packet Integrity (recommended): Authenticates credentials and signs each packet so that any modification of the data in transit is detected. Verify that this level does not affect the performance of your scan classes.
- Packet Privacy: Authenticates credentials and encrypts each packet, including the data and the sender's identity and signature.
Authentication levels configured for an individual application in dcomcnfg (DCOM Config, application Properties, General tab) override the computer-wide default set on the COM Security tab; an application left at "Default" inherits the computer-wide value. For communication between an OPC client and an OPC server, DCOM negotiates the effective authentication level as the higher of the two configured levels. For example, if the OPC server is configured for Packet Integrity and the OPC client is set to None, Packet Integrity is applied. Note that with the DCOM hardening described in Microsoft KB5004442, Windows enforces Packet Integrity as the minimum level for DCOM activation on the server side regardless of these settings; a client that cannot be raised to that level is rejected, and the server logs DCOM Event ID 10036.
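The following PowerShell script is an added example, not part of the original page or of the PI System documentation. It reads the same registry values that dcomcnfg writes (the computer-wide default under HKLM\SOFTWARE\Microsoft\Ole and the per-application value under HKCR\AppID\{AppID}), computes the effective level for an OPC client/server pair as the higher of the two, and warns when the result is below Packet Integrity. The AppID GUID, the function names and the `$AuthLevelNames` table are this example's own assumptions; look up the real AppID of your OPC server under HKCR\AppID (its default value is the application name) or in the AppID column of dcomcnfg.

```powershell
# Added example (not from the original page): inspect and raise DCOM authentication levels.
# The numeric values are the RPC_C_AUTHN_LEVEL_* constants that dcomcnfg stores in the registry.
$AuthLevelNames = @{
    1 = 'None'
    2 = 'Connect'
    3 = 'Call'
    4 = 'Packet'
    5 = 'Packet Integrity'
    6 = 'Packet Privacy'
}

function Get-DcomDefaultAuthLevel {
    # Computer-wide "Default Authentication Level" (COM Security tab in dcomcnfg).
    # When the value is absent, COM uses Connect (2).
    $key = 'HKLM:\SOFTWARE\Microsoft\Ole'
    $val = (Get-ItemProperty -Path $key -Name LegacyAuthenticationLevel -ErrorAction SilentlyContinue).LegacyAuthenticationLevel
    if ($null -eq $val) { return 2 }
    return [int]$val
}

function Get-DcomAppAuthLevel {
    # Per-application level stored under the AppID; overrides the computer-wide default.
    # Absent or 0 (RPC_C_AUTHN_LEVEL_DEFAULT) means "Default", so the computer-wide value applies.
    param([Parameter(Mandatory)][string]$AppId)
    $key = "Registry::HKEY_CLASSES_ROOT\AppID\$AppId"
    $val = (Get-ItemProperty -Path $key -Name AuthenticationLevel -ErrorAction SilentlyContinue).AuthenticationLevel
    if ($null -eq $val -or [int]$val -eq 0) { return Get-DcomDefaultAuthLevel }
    return [int]$val
}

function Get-EffectiveDcomAuthLevel {
    # DCOM negotiates the higher of the client's and the server's configured levels.
    param([int]$ClientLevel, [int]$ServerLevel)
    return [Math]::Max($ClientLevel, $ServerLevel)
}

function Set-DcomAppAuthLevel {
    # Same effect as choosing a level on the application's General tab in dcomcnfg. Run elevated.
    param([Parameter(Mandatory)][string]$AppId, [ValidateRange(1, 6)][int]$Level)
    $key = "Registry::HKEY_CLASSES_ROOT\AppID\$AppId"
    Set-ItemProperty -Path $key -Name AuthenticationLevel -Value $Level -Type DWord
}

# Usage. The AppID below is a placeholder (assumption); replace it with your OPC server's AppID.
$opcServerAppId = '{00000000-0000-0000-0000-000000000000}'
$server = Get-DcomAppAuthLevel -AppId $opcServerAppId
$client = Get-DcomDefaultAuthLevel   # an OPC client node that inherits the computer-wide default
$effective = Get-EffectiveDcomAuthLevel -ClientLevel $client -ServerLevel $server

"Server: $($AuthLevelNames[$server]); client: $($AuthLevelNames[$client]); effective: $($AuthLevelNames[$effective])"

if ($effective -lt 5) {
    Write-Warning 'Effective level is below Packet Integrity. Raise the OPC server with:'
    Write-Warning "  Set-DcomAppAuthLevel -AppId '$opcServerAppId' -Level 5"
}
```

Run the script on the OPC server node with the client's default level substituted for `$client` if the client runs on another machine; the registry values describe what each side is configured to request, and the negotiation rule in the paragraph above gives the level that is actually used. Re-run it after changing a level, because dcomcnfg writes the registry immediately but running OPC processes only pick the new value up on restart.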