COM settings in OPC Classic client components: Difference between revisions

From OPC Labs Knowledge Base
No edit summary
No edit summary
Line 2: Line 2:
This article describes the internal effects of the UseCustomSecurity, TurnOffCallSecurity, TurnOffActivationSecurity and EnsureDataIntegrity settings.  
This article describes the internal effects of the UseCustomSecurity, TurnOffCallSecurity, TurnOffActivationSecurity and EnsureDataIntegrity settings.  


Note: For QuickOPC versions up to 2021.3, the information in this article only applies to NativeClient implementation. In QuickOPC versions up to 2021.3, the NetApiClient implementation uses settings, and they cannot be changed by the parameters described here. In QuickOPC versions 2022.1 and later, the behavior of NativeClient and NetApiClient implementation is mostly aligned; we provide a note here where they differ.
= QuickOPC version 2022.1 and later =


'''COM and proxy initialization:'''
'''COM and proxy initialization:'''
Line 9: Line 9:


'''CoInitializeSecurity parameters:'''
'''CoInitializeSecurity parameters:'''
* Without TurnOffCallSecurity (the default): dwAuthnLevel = Common authentication level (see below); dwImpLevel = RPC_C_IMP_LEVEL_IMPERSONATE (3); pSecDesc = CSecurityDescriptor::InitializeFromThreadToken()>
* Without TurnOffCallSecurity (the default): dwAuthnLevel = Common authentication level (see below); dwImpLevel = RPC_C_IMP_LEVEL_IMPERSONATE (3); pSecDesc = CSecurityDescriptor::InitializeFromThreadToken()>
* With TurnOffCallSecurity: dwAuthnLevel = RPC_C_AUTHN_LEVEL_NONE (1); dwImpLevel = RPC_C_IMP_LEVEL_IMPERSONATE (3); pSecDesc = NULL
* With TurnOffCallSecurity: dwAuthnLevel = RPC_C_AUTHN_LEVEL_NONE (1); dwImpLevel = RPC_C_IMP_LEVEL_IMPERSONATE (3); pSecDesc = NULL


Line 19: Line 19:
(see https://docs.microsoft.com/en-us/windows/win32/com/turning-off-activation-security?redirectedfrom=MSDN)
(see https://docs.microsoft.com/en-us/windows/win32/com/turning-off-activation-security?redirectedfrom=MSDN)


'''Common authentication level:''' In QuickOPC versions up to 2021.3: Always RPC_C_AUTHN_LEVEL_CONNECT (2). In QuickOPC versions 2022.1 and later:
'''Common authentication level:'''  
* Without EnsureDataIntegrity (the default): RPC_C_AUTHN_LEVEL_CONNECT (2).
* Without EnsureDataIntegrity (the default): RPC_C_AUTHN_LEVEL_CONNECT (2).
* With EnsureDataIntegrity: RPC_C_AUTHN_LEVEL_PKT_INTEGRITY (5). For [https://support.microsoft.com/en-us/topic/kb5004442-manage-changes-for-windows-dcom-server-security-feature-bypass-cve-2021-26414-f1400b52-c141-43d2-941e-37ed901c769c KB5004442—Manage changes for Windows DCOM Server Security Feature Bypass (CVE-2021-26414)].
* With EnsureDataIntegrity: RPC_C_AUTHN_LEVEL_PKT_INTEGRITY (5). For [https://support.microsoft.com/en-us/topic/kb5004442-manage-changes-for-windows-dcom-server-security-feature-bypass-cve-2021-26414-f1400b52-c141-43d2-941e-37ed901c769c KB5004442—Manage changes for Windows DCOM Server Security Feature Bypass (CVE-2021-26414)].
= QuickOPC versions up to 2021.3 =
The information only applies to NativeClient implementation. The NetApiClient implementation uses different settings, and they cannot be changed by the parameters described here.
'''COM and proxy initialization:'''
CoInitializeSecurity is not called
* Without UseCustomSecurity: CoSetProxyBlanket is not called.
* With UseCustomSecurity (the default): CoSetProxyBlanket is called.
'''CoInitializeSecurity parameters:'''
* Without TurnOffCallSecurity (the default): dwAuthnLevel = Common authentication level (see below); dwImpLevel = RPC_C_IMP_LEVEL_IMPERSONATE (3); pSecDesc =  CSecurityDescriptor::InitializeFromThreadToken()>
* With TurnOffCallSecurity: dwAuthnLevel = RPC_C_AUTHN_LEVEL_NONE (1); dwImpLevel = RPC_C_IMP_LEVEL_IMPERSONATE (3); pSecDesc = NULL
'''CoSetProxyBlanket parameters''': dwAuthnLevel and dwImpLevel are the same as those used with CoInitializeSecurity.
'''COAUTHINFO* pAuthInfo in COSERVERINFO* passed to CoCreateInstanceEx (when machine name is not empty)''':
* Without TurnOffActivationSecurity (the default): dwAuthnSvc = RPC_C_AUTHN_NONE; dwAuthzSvc = RPC_C_AUTHZ_NONE; pwszServerPrincName = NULL; dwAuthnLevel = RPC_C_AUTHN_LEVEL_NONE; dwImpersonationLevel = RPC_C_IMP_LEVEL_IMPERSONATE; pAuthIdentityData = NULL; dwCapabilities = EOAC_NONE;
* With TurnOffActivationSecurity: NULL
(see https://docs.microsoft.com/en-us/windows/win32/com/turning-off-activation-security?redirectedfrom=MSDN)
'''Common authentication level:''' Always RPC_C_AUTHN_LEVEL_CONNECT (2).

Revision as of 18:49, 26 January 2022

This article describes the internal effects of the UseCustomSecurity, TurnOffCallSecurity, TurnOffActivationSecurity and EnsureDataIntegrity settings.

QuickOPC version 2022.1 and later

COM and proxy initialization:

  • Without UseCustomSecurity: CoInitializeSecurity is not called, CoSetProxyBlanket is not called
  • With UseCustomSecurity (the default): CoInitializeSecurity is called, CoSetProxyBlanket is called

CoInitializeSecurity parameters:

  • Without TurnOffCallSecurity (the default): dwAuthnLevel = Common authentication level (see below); dwImpLevel = RPC_C_IMP_LEVEL_IMPERSONATE (3); pSecDesc = CSecurityDescriptor::InitializeFromThreadToken()>
  • With TurnOffCallSecurity: dwAuthnLevel = RPC_C_AUTHN_LEVEL_NONE (1); dwImpLevel = RPC_C_IMP_LEVEL_IMPERSONATE (3); pSecDesc = NULL

CoSetProxyBlanket parameters: dwAuthnLevel and dwImpLevel are the same as those used with CoInitializeSecurity.

COAUTHINFO* pAuthInfo in COSERVERINFO* passed to CoCreateInstanceEx (when machine name is not empty):

  • Without TurnOffActivationSecurity (the default): dwAuthnSvc = RPC_C_AUTHN_NONE; dwAuthzSvc = RPC_C_AUTHZ_NONE; pwszServerPrincName = NULL; dwAuthnLevel = RPC_C_AUTHN_LEVEL_NONE; dwImpersonationLevel = RPC_C_IMP_LEVEL_IMPERSONATE; pAuthIdentityData = NULL; dwCapabilities = EOAC_NONE;
  • With TurnOffActivationSecurity: NULL

(see https://docs.microsoft.com/en-us/windows/win32/com/turning-off-activation-security?redirectedfrom=MSDN)

Common authentication level:

QuickOPC versions up to 2021.3

The information only applies to NativeClient implementation. The NetApiClient implementation uses different settings, and they cannot be changed by the parameters described here.

COM and proxy initialization: CoInitializeSecurity is not called

  • Without UseCustomSecurity: CoSetProxyBlanket is not called.
  • With UseCustomSecurity (the default): CoSetProxyBlanket is called.

CoInitializeSecurity parameters:

  • Without TurnOffCallSecurity (the default): dwAuthnLevel = Common authentication level (see below); dwImpLevel = RPC_C_IMP_LEVEL_IMPERSONATE (3); pSecDesc = CSecurityDescriptor::InitializeFromThreadToken()>
  • With TurnOffCallSecurity: dwAuthnLevel = RPC_C_AUTHN_LEVEL_NONE (1); dwImpLevel = RPC_C_IMP_LEVEL_IMPERSONATE (3); pSecDesc = NULL

CoSetProxyBlanket parameters: dwAuthnLevel and dwImpLevel are the same as those used with CoInitializeSecurity.

COAUTHINFO* pAuthInfo in COSERVERINFO* passed to CoCreateInstanceEx (when machine name is not empty):

  • Without TurnOffActivationSecurity (the default): dwAuthnSvc = RPC_C_AUTHN_NONE; dwAuthzSvc = RPC_C_AUTHZ_NONE; pwszServerPrincName = NULL; dwAuthnLevel = RPC_C_AUTHN_LEVEL_NONE; dwImpersonationLevel = RPC_C_IMP_LEVEL_IMPERSONATE; pAuthIdentityData = NULL; dwCapabilities = EOAC_NONE;
  • With TurnOffActivationSecurity: NULL

(see https://docs.microsoft.com/en-us/windows/win32/com/turning-off-activation-security?redirectedfrom=MSDN)

Common authentication level: Always RPC_C_AUTHN_LEVEL_CONNECT (2).