Hello UA,
I have been working with OPC-DA for a long time and I am familar with remote OPC-DA configuration. In our project we prefer Anonymous access to the DA-Server.
But I am new to UA Gateway and I wondering that if I access the UA Gateway via OPC-DA, I get the error "A security package specific error occured".
This error rise up in serveral environments and it doesn´t matter unter which identity the server runs.
I remember that my team had the same issue in the past when we develop our own DA-Server. The OPC-DA Server miss CoInitializeSecurity(NULL, -1, NULL, NULL, RPC_C_AUTHN_LEVEL_NONE, RPC_C_IMP_LEVEL_IDENTIFY, NULL, EOAC_NONE, NULL); After place this first in the sourcecode the security package error went away.
What excatly do UA Gateway?
Can I force via configuration CoInitializeSecurity for the UA Server?
Any other hints to get rit of this error (please do not suggest to use UA or to use user authentifaction)?
Thank you
Sascha
Access OPC-DA remote anonymous result security package error
Moderator: uagateway
-
Sushifix
- Jr. Member
- Posts: 1
- Joined: 08 Aug 2017, 14:04
-
Support Team
- Hero Member
- Posts: 3068
- Joined: 18 Mar 2011, 15:09
Re: Access OPC-DA remote anonymous result security package e
Hello Sascha,
the COM DA Server portion of the UaGateway (UnifiedAutomation.UaGateway.1) is not initialized with CoInitializeSecurity for a reason. This would "overwrite" all settings a user could do (in good faith) when configuring the DCOM security correctly. In fact the proposed call would switch off litterally every security and allow access form every/anonymous. That may "make things work", but is the largest security flaw ever. Our intention is different, we want to give the user the option to configure the (poor) DCOM settings as close to secure as possible.
The UaGateway runs as "service", but we give it a dedicated user context, additionally we create a dedicated UserGroup having this one user as the only member, and we give this "UserGroup" the remote launch and access permissions. Now every remote accessing Client (it's user identity) can/must be added to the "UserGroup" to have remote access to the UaGateway. This is the simplest way to make a good (secure) DCOM configuration, you don't need to configure the DCOM, you just need to add (Client-side) users to the "group", simple as that.
You still can "open" the security for UaGateway, but that would be YOUR choice and responsibility, if doing this "hard coded" in the CoInitializeSecurity it would be US creating the flaw, however we are not willing to give up on security.
the COM DA Server portion of the UaGateway (UnifiedAutomation.UaGateway.1) is not initialized with CoInitializeSecurity for a reason. This would "overwrite" all settings a user could do (in good faith) when configuring the DCOM security correctly. In fact the proposed call would switch off litterally every security and allow access form every/anonymous. That may "make things work", but is the largest security flaw ever. Our intention is different, we want to give the user the option to configure the (poor) DCOM settings as close to secure as possible.
The UaGateway runs as "service", but we give it a dedicated user context, additionally we create a dedicated UserGroup having this one user as the only member, and we give this "UserGroup" the remote launch and access permissions. Now every remote accessing Client (it's user identity) can/must be added to the "UserGroup" to have remote access to the UaGateway. This is the simplest way to make a good (secure) DCOM configuration, you don't need to configure the DCOM, you just need to add (Client-side) users to the "group", simple as that.
You still can "open" the security for UaGateway, but that would be YOUR choice and responsibility, if doing this "hard coded" in the CoInitializeSecurity it would be US creating the flaw, however we are not willing to give up on security.
Best regards
Unified Automation Support Team
Unified Automation Support Team