I'm using OpenOPC library to connect to OPC servers. I can successfully write and read from my local Matrikon OPC server but when I try and read from another machine (different host) then I get the error Pyro.errors.ProtocolError: connection failed
My code for connection is here;
import OpenOPC
class OPC_tag_reader:
opc = OpenOPC.open_client('<remote host>')
#breaks here!!!!
def __init__(self):
print 'connecting to server'
self.opc.connect('Matrikon.OPC.Simulation.1', '<remote host')
The code does not get to the constructor.
Thanks!
OPC uses DCOM for communicating you need to perform the following steps to solve this issue.
Run the DCOM configuration utility by selecting Run from your Windows Start menu and type dcomcnfg.exe click on OK.
2.Expand Component Services, Computers and RightClick on the MyComputer and select Properties
Select the Tab Default Properties and Check the “Enable Distributed COM on this Computer”. The Default Authentication level should be Connect and the Default Impersonation level should be Identify. NOTE: Provide additional security for reference tracking should be unchecked.
Now select the COM Security Tab and under the Access Permissions section click on the Edit Defaults Button, Click on the Add… Button and add the user name (The newly created user name that is exactly same as that of user name on the server). After adding the New user select it and in the box below check the boxes to enable (Allow) Both Local Access and Remote Access.
For initial test purposes include Everyone in the Grant Access list.
On the machine where the server is add OpcEnum.exe to the firewall exception list
On the client machine's fire wall allow port 135 incoming coneciton
Note: For initial testing disable the firewall on both the server and the client .. :)
Note down the user ID and password of the windows user account under which the opc server is running and create the same user name and account on the remote machine (This is to establish trust between the two computers)
Related
I go to File>Settings>Proxy and see just two editboxes for IP and port of proxy. Which protocol will be used? HTTP, SOCKS4, SOCKS5? This isn't written anywhere.
VirtualBox manual says:
The global settings dialog can be reached through the File menu,
selecting the Preferences... item. It offers a selection of settings
which apply to all virtual machines of the current user or in the case
of Extensions to the entire system: (...)
Proxy Enables the user to configure a HTTP Proxy Server.
I am developing an application using kerberos authentication in a double-hop scenario : the client is connecting to a server witch needs to use the client's credentials to connect a SQL server.
I already did it using GSoap and GSS-API from kerberos MIT release; but I would have liked to use winHTTP to handle the authentication.
Yet, when I try to use winHTTP with GSOAP WINHTTP PLUGIN (gsoapwinhttp on code.google), the delegation is blocked by the Domain Controller. I want to keep this Active Directory configuration :
When I look at GSS-API kerberos ticket I found several flags allowing delegation such as fowardable or deleg_req_flag :
So my question is : Can I modify the winHTTP flags to have to allow delegation without changing the Domain Controller's configuration ?
Edit :
I'm using the option WINHTTP_AUTH_SCHEME_NEGOTIATE in setCredentials and WINHTTP_AUTOLOGON_SECURITY_LEVEL_LOW in setOption to be sure to use Kerberos or NTLM as specified in Microsoft website WinHttpSetCredentials.
Using Fiddler I checked the HTTP connection and it is using Kerberos but I still can't delegate to my next server.
I tried to use almost every possible options of setOption such as WINHTTP_ENABLE_SSL_REVERT_IMPERSONATION or everything that could look like delegation but I have a strange error when using this option :
End of file or no input: message transfer interrupted or timed out (629s recv send delay)
I tried to set a different recv_timeout but still the same error.
.
I've studied this type of kerberos-delegation problem a lot. You are experiencing the Kerberos double-hop problem. In that active-directory configuration screenshot you provided, you must configure delegation; right now delegation is not set. First item to try is open delegation,to do that select the radio button: Trust this computer for delegation to any service (Kerberos only). You set this on the computer account in AD which needs to use the client's credentials to connect a SQL server - not on the domain controller account. If your application is actually running on a domain controller, then that is a known issue and unsupported configuration which won't work - please move application to a member server of the domain.
Regarding those flags allowing delegation such as fowardable or deleg_req_flag shown as being set in the Fiddler trace, I'm not sure why they are shown as set, but they might have been set from the wrong account. From the account of the screenshot you posted, Kerberos delegation is not configured at all.
In your scenario, you must set Kerberos delegation on the computer account which is running the WinHTTP process, in the example shown below, that would be "Server1".
In the Kerberos Delegation properties of that account, you can specify either open delegation (top radio button as I stated above), or constrained delegation to the process on Server2 to which Server1 may forward the user credentials (the Kerberos service tickets).
I have been trying to make MySQL Workbench's Remote Server Administration to work with my WMI service installed on a Windows 2008 R2 server.
I would like to know if the following syntax is correct and sufficient in order to check if WMI access has been enabled on the server.
wmic /node:myserver.com /user:wmi_user /password:123456 systemenclosure get serialnumber
I have tried the above command from my home laptop however it gives "The RPC server is unavailable" error.
What I have done so far on the server:
User Account with WMI Rights
Created a separate user account for WMI access(user: wmi_user and it is a member of administrator group).
Enabled WMI traffic on the firewall using the following command:
netsh advfirewall firewall set rule group="windows management instrumentation (wmi)" new enable=yes
netsh firewall set service RemoteAdmin enable
CIMOM settings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\AllowAnonymousCallback change the value from 0 to 1.
UAC settings
I have adjusted the UAC for wmi_user to never notify.
DCOM settings
I've read on one article which mentions if the user is in the administrator group, there is no need to change this setting.
Please let me know if there's anything else I missed out. Thank you.
I am getting the below mentioned error when my web service tries to open MS word document pragmatically through my .net web service. When I run web service through visual studio, it works fine but when I deploy web service on IIS 7, I get the error
Retrieving the COM class factory for component with CLSID
{000209FF-0000-0000C000-000000000046} failed due to the following error: 80070005
Access is Denied
at the following line.
Microsoft.Office.Interop.Word.Application oWordApp = new Microsoft.Office.Interop. Word.Application();
Microsoft.Office.Interop.Word.Document oWordDoc = new Microsoft.Office.Interop.Word.Document();
I have written this code in server side. It has to open the word document template and find and replace some values and save as with different name
Im using 64-Bit system and Office 2007. Can any 1 help me to fix out the problem.
I was just getting this error and it was solved by adjusting the permissions in the DCOM config on the server:
Click Start -> Run -> dcomcnfg
Expand Component Services -> Computers -> Right click My Computer -> Properties
On the COM Security tab click Edit Defaults under Launch and Activate Permission
Add both Network Service and IIS_IUSRS with local launch and local activation
No reboot should be needed for this. If your app pool is running under a different user, add that user instead.
I'm trying to run a custom WinHTTP based web-server on Windows Server 2008 machine.
I pass "http://*:22222/" to HttpAddUrl
When I start my executable as Administrator or LocalSystem everything works fine. However if I try to run it as NetworkService to minimize security risks (since there are no legitimate reasons for the app to use admin rights) function fails with "Access Denied" error code.
I wasn't aware of NetworkService having any restrictions on which ports and interfaces it can listen on.
Is there a way to configure permissions in such a way so that I actually can run the app under NetworkService account and connect to it from other internet hosts?
You must be an administrator to add URLs to the http.sys URL mappings. Network Service does is not a member of the admin group, but the admnistrator's group and the System account are members.
IIS gets around this by having one process, inetinfo.exe, that runs as SYSTEM and sets up the URL mappings for worker processes (w3wp.exe) that run as Network Service.
Hope that clarifies tings.