COM settings in OPC Classic client components: Difference between revisions
No edit summary |
No edit summary |
||
Line 1: | Line 1: | ||
[[Category:COM/DCOM]] [[Category:Troubleshooting]] | [[Category:COM/DCOM]] [[Category:Troubleshooting]] | ||
This article describes the internal effects of the various COM security settings. | This article describes the internal effects of the various COM security settings. For easier orientation, the behavior with the default settings is in '''bold'''. | ||
= QuickOPC version 2022.1 and later = | = QuickOPC version 2022.1 and later = | ||
Line 8: | Line 8: | ||
== COM and proxy initialization == | == COM and proxy initialization == | ||
* Without UseCustomSecurity: CoInitializeSecurity is not called. IClientSecurity::SetBlanket (or CoSetProxyBlanket) is not called. | * Without UseCustomSecurity: CoInitializeSecurity is not called. IClientSecurity::SetBlanket (or CoSetProxyBlanket) is not called. | ||
* With UseCustomSecurity (the default): CoInitializeSecurity is called. IClientSecurity::SetBlanket (or CoSetProxyBlanket) is called (only in NativeClient). | * '''With UseCustomSecurity (the default): CoInitializeSecurity is called. IClientSecurity::SetBlanket (or CoSetProxyBlanket) is called (only in NativeClient).''' | ||
== CoInitializeSecurity parameters == | == CoInitializeSecurity parameters == | ||
pSecDesc = NULL. | '''pSecDesc = NULL.''' | ||
* Without AllowImpersonateClient (the default): dwImpLevel = RPC_C_IMP_LEVEL_IDENTIFY (2). | * '''Without AllowImpersonateClient (the default): dwImpLevel = RPC_C_IMP_LEVEL_IDENTIFY (2).''' | ||
* With AllowImpersonateClient: dwImpLevel = RPC_C_IMP_LEVEL_IMPERSONATE (3). | * With AllowImpersonateClient: dwImpLevel = RPC_C_IMP_LEVEL_IMPERSONATE (3). | ||
* Without TurnOffCallSecurity (the default): dwAuthnLevel = common authentication level (see below). | * '''Without TurnOffCallSecurity (the default): dwAuthnLevel = common authentication level (see below).''' | ||
* With TurnOffCallSecurity: dwAuthnLevel = RPC_C_AUTHN_LEVEL_NONE (1).<ref name="TurnOffCallSecurity"/> | * With TurnOffCallSecurity: dwAuthnLevel = RPC_C_AUTHN_LEVEL_NONE (1).<ref name="TurnOffCallSecurity"/> | ||
Line 24: | Line 24: | ||
== IClientSecurity::SetBlanket (or CoSetProxyBlanket) parameters == | == IClientSecurity::SetBlanket (or CoSetProxyBlanket) parameters == | ||
dwAuthnLevel and dwImpLevel are the same as those used with CoInitializeSecurity. | '''dwAuthnLevel and dwImpLevel are the same as those used with CoInitializeSecurity.''' | ||
== COAUTHINFO* pAuthInfo in COSERVERINFO* passed to CoCreateInstanceEx (when machine name is not empty) == | == COAUTHINFO* pAuthInfo in COSERVERINFO* passed to CoCreateInstanceEx (when machine name is not empty) == | ||
* Without OverrideDefaultSecurity: NULL. | * Without OverrideDefaultSecurity: NULL. | ||
* With OverrideDefaultSecurity (the default): | * '''With OverrideDefaultSecurity (the default):''' | ||
** Without TurnOffActivationSecurity (the default): dwAuthnSvc = RPC_C_AUTHN_WINNT; dwAuthzSvc = RPC_C_AUTHZ_NONE; pwszServerPrincName = NULL; dwAuthnLevel = common authentication level (see below); dwImpersonationLevel = RPC_C_IMP_LEVEL_IMPERSONATE; pAuthIdentityData = NULL; dwCapabilities = EOAC_NONE. | ** '''Without TurnOffActivationSecurity (the default): dwAuthnSvc = RPC_C_AUTHN_WINNT; dwAuthzSvc = RPC_C_AUTHZ_NONE; pwszServerPrincName = NULL; dwAuthnLevel = common authentication level (see below); dwImpersonationLevel = RPC_C_IMP_LEVEL_IMPERSONATE; pAuthIdentityData = NULL; dwCapabilities = EOAC_NONE.''' | ||
** With TurnOffActivationSecurity: dwAuthnSvc = RPC_C_AUTHN_NONE; dwAuthzSvc = RPC_C_AUTHZ_NONE; pwszServerPrincName = NULL; dwAuthnLevel = RPC_C_AUTHN_LEVEL_NONE; dwImpersonationLevel = RPC_C_IMP_LEVEL_IMPERSONATE; pAuthIdentityData = NULL; dwCapabilities = EOAC_NONE.<ref name="TurnOffActivationSecurity"/> | ** With TurnOffActivationSecurity: dwAuthnSvc = RPC_C_AUTHN_NONE; dwAuthzSvc = RPC_C_AUTHZ_NONE; pwszServerPrincName = NULL; dwAuthnLevel = RPC_C_AUTHN_LEVEL_NONE; dwImpersonationLevel = RPC_C_IMP_LEVEL_IMPERSONATE; pAuthIdentityData = NULL; dwCapabilities = EOAC_NONE.<ref name="TurnOffActivationSecurity"/> | ||
== Common authentication level == | == Common authentication level == | ||
* Without EnsureDataIntegrity (the default): RPC_C_AUTHN_LEVEL_CONNECT (2). | * '''Without EnsureDataIntegrity (the default): RPC_C_AUTHN_LEVEL_CONNECT (2).''' | ||
* With EnsureDataIntegrity: RPC_C_AUTHN_LEVEL_PKT_INTEGRITY (5).<ref name="EnsureDataIntegrity">For [https://support.microsoft.com/en-us/topic/kb5004442-manage-changes-for-windows-dcom-server-security-feature-bypass-cve-2021-26414-f1400b52-c141-43d2-941e-37ed901c769c KB5004442—Manage changes for Windows DCOM Server Security Feature Bypass (CVE-2021-26414)].</ref> | * With EnsureDataIntegrity: RPC_C_AUTHN_LEVEL_PKT_INTEGRITY (5).<ref name="EnsureDataIntegrity">For [https://support.microsoft.com/en-us/topic/kb5004442-manage-changes-for-windows-dcom-server-security-feature-bypass-cve-2021-26414-f1400b52-c141-43d2-941e-37ed901c769c KB5004442—Manage changes for Windows DCOM Server Security Feature Bypass (CVE-2021-26414)].</ref> | ||
Line 44: | Line 44: | ||
== COM and proxy initialization == | == COM and proxy initialization == | ||
CoInitializeSecurity is not called. | '''CoInitializeSecurity is not called.''' | ||
* Without UseCustomSecurity: IClientSecurity::SetBlanket (or CoSetProxyBlanket) is not called. | * Without UseCustomSecurity: IClientSecurity::SetBlanket (or CoSetProxyBlanket) is not called. | ||
* With UseCustomSecurity (the default): IClientSecurity::SetBlanket (or CoSetProxyBlanket) is called. | * '''With UseCustomSecurity (the default): IClientSecurity::SetBlanket (or CoSetProxyBlanket) is called.''' | ||
== IClientSecurity::SetBlanket (or CoSetProxyBlanket) parameters == | == IClientSecurity::SetBlanket (or CoSetProxyBlanket) parameters == | ||
* Without TurnOffCallSecurity (the default): dwAuthnLevel = Always RPC_C_AUTHN_LEVEL_CONNECT (2); dwImpLevel = RPC_C_IMP_LEVEL_IMPERSONATE (3). | * '''Without TurnOffCallSecurity (the default): dwAuthnLevel = Always RPC_C_AUTHN_LEVEL_CONNECT (2); dwImpLevel = RPC_C_IMP_LEVEL_IMPERSONATE (3).''' | ||
* With TurnOffCallSecurity: dwAuthnLevel = RPC_C_AUTHN_LEVEL_NONE (1); dwImpLevel = RPC_C_IMP_LEVEL_IMPERSONATE (3).<ref name="TurnOffCallSecurity">See [https://docs.microsoft.com/en-us/windows/win32/com/turning-off-call-security Turning Off Call Security]. For this to work, the server must also specify None for its authentication level.</ref> | * With TurnOffCallSecurity: dwAuthnLevel = RPC_C_AUTHN_LEVEL_NONE (1); dwImpLevel = RPC_C_IMP_LEVEL_IMPERSONATE (3).<ref name="TurnOffCallSecurity">See [https://docs.microsoft.com/en-us/windows/win32/com/turning-off-call-security Turning Off Call Security]. For this to work, the server must also specify None for its authentication level.</ref> | ||
== COAUTHINFO* pAuthInfo in COSERVERINFO* passed to CoCreateInstanceEx (when machine name is not empty) == | == COAUTHINFO* pAuthInfo in COSERVERINFO* passed to CoCreateInstanceEx (when machine name is not empty) == | ||
* Without TurnOffActivationSecurity (the default): NULL. | * '''Without TurnOffActivationSecurity (the default): NULL.''' | ||
* With TurnOffActivationSecurity: dwAuthnSvc = RPC_C_AUTHN_NONE; dwAuthzSvc = RPC_C_AUTHZ_NONE; pwszServerPrincName = NULL; dwAuthnLevel = RPC_C_AUTHN_LEVEL_NONE; dwImpersonationLevel = RPC_C_IMP_LEVEL_IMPERSONATE; pAuthIdentityData = NULL; dwCapabilities = EOAC_NONE.<ref name="TurnOffActivationSecurity">See [https://docs.microsoft.com/en-us/windows/win32/com/turning-off-activation-security Turning Off Activation Security]. For this to work, the server must specify Everyone for Default Launch Permissions.</ref>. | * With TurnOffActivationSecurity: dwAuthnSvc = RPC_C_AUTHN_NONE; dwAuthzSvc = RPC_C_AUTHZ_NONE; pwszServerPrincName = NULL; dwAuthnLevel = RPC_C_AUTHN_LEVEL_NONE; dwImpersonationLevel = RPC_C_IMP_LEVEL_IMPERSONATE; pAuthIdentityData = NULL; dwCapabilities = EOAC_NONE.<ref name="TurnOffActivationSecurity">See [https://docs.microsoft.com/en-us/windows/win32/com/turning-off-activation-security Turning Off Activation Security]. For this to work, the server must specify Everyone for Default Launch Permissions.</ref>. | ||
<br/> | <br/> |
Revision as of 21:24, 27 January 2022
This article describes the internal effects of the various COM security settings. For easier orientation, the behavior with the default settings is in bold.
QuickOPC version 2022.1 and later
Parameters from EasyXXClient.SharedParameters.EngineParameters.ComSecurityParameters are used for COM security initialization. Parameters from EasyXXClient.SharedParameters.MachineParameters.ComInstantiationParameters are used for operations on OPCEnum. Parameters from EasyXXClient.SharedParameters.ClientParameters.ComInstantiationParameters are used for operations on target OPC servers.
COM and proxy initialization
- Without UseCustomSecurity: CoInitializeSecurity is not called. IClientSecurity::SetBlanket (or CoSetProxyBlanket) is not called.
- With UseCustomSecurity (the default): CoInitializeSecurity is called. IClientSecurity::SetBlanket (or CoSetProxyBlanket) is called (only in NativeClient).
CoInitializeSecurity parameters
pSecDesc = NULL.
- Without AllowImpersonateClient (the default): dwImpLevel = RPC_C_IMP_LEVEL_IDENTIFY (2).
- With AllowImpersonateClient: dwImpLevel = RPC_C_IMP_LEVEL_IMPERSONATE (3).
- Without TurnOffCallSecurity (the default): dwAuthnLevel = common authentication level (see below).
- With TurnOffCallSecurity: dwAuthnLevel = RPC_C_AUTHN_LEVEL_NONE (1).[1]
AccessFromThreadToken is ignored.
IClientSecurity::SetBlanket (or CoSetProxyBlanket) parameters
dwAuthnLevel and dwImpLevel are the same as those used with CoInitializeSecurity.
COAUTHINFO* pAuthInfo in COSERVERINFO* passed to CoCreateInstanceEx (when machine name is not empty)
- Without OverrideDefaultSecurity: NULL.
- With OverrideDefaultSecurity (the default):
- Without TurnOffActivationSecurity (the default): dwAuthnSvc = RPC_C_AUTHN_WINNT; dwAuthzSvc = RPC_C_AUTHZ_NONE; pwszServerPrincName = NULL; dwAuthnLevel = common authentication level (see below); dwImpersonationLevel = RPC_C_IMP_LEVEL_IMPERSONATE; pAuthIdentityData = NULL; dwCapabilities = EOAC_NONE.
- With TurnOffActivationSecurity: dwAuthnSvc = RPC_C_AUTHN_NONE; dwAuthzSvc = RPC_C_AUTHZ_NONE; pwszServerPrincName = NULL; dwAuthnLevel = RPC_C_AUTHN_LEVEL_NONE; dwImpersonationLevel = RPC_C_IMP_LEVEL_IMPERSONATE; pAuthIdentityData = NULL; dwCapabilities = EOAC_NONE.[2]
Common authentication level
- Without EnsureDataIntegrity (the default): RPC_C_AUTHN_LEVEL_CONNECT (2).
- With EnsureDataIntegrity: RPC_C_AUTHN_LEVEL_PKT_INTEGRITY (5).[3]
QuickOPC versions up to 2021.3
The information only applies to NativeClient implementation. The NetApiClient implementation uses different settings, and they cannot be changed by the parameters described here.
For operations on OPCEnum, parameters from EasyXXClient.SharedParameters.MachineParameters are used. For operations on target OPC servers, parameters from EasyXXClient.SharedParameters.ClientParameters are used.
COM and proxy initialization
CoInitializeSecurity is not called.
- Without UseCustomSecurity: IClientSecurity::SetBlanket (or CoSetProxyBlanket) is not called.
- With UseCustomSecurity (the default): IClientSecurity::SetBlanket (or CoSetProxyBlanket) is called.
IClientSecurity::SetBlanket (or CoSetProxyBlanket) parameters
- Without TurnOffCallSecurity (the default): dwAuthnLevel = Always RPC_C_AUTHN_LEVEL_CONNECT (2); dwImpLevel = RPC_C_IMP_LEVEL_IMPERSONATE (3).
- With TurnOffCallSecurity: dwAuthnLevel = RPC_C_AUTHN_LEVEL_NONE (1); dwImpLevel = RPC_C_IMP_LEVEL_IMPERSONATE (3).[1]
COAUTHINFO* pAuthInfo in COSERVERINFO* passed to CoCreateInstanceEx (when machine name is not empty)
- Without TurnOffActivationSecurity (the default): NULL.
- With TurnOffActivationSecurity: dwAuthnSvc = RPC_C_AUTHN_NONE; dwAuthzSvc = RPC_C_AUTHZ_NONE; pwszServerPrincName = NULL; dwAuthnLevel = RPC_C_AUTHN_LEVEL_NONE; dwImpersonationLevel = RPC_C_IMP_LEVEL_IMPERSONATE; pAuthIdentityData = NULL; dwCapabilities = EOAC_NONE.[2].
- ↑ 1.0 1.1 See Turning Off Call Security. For this to work, the server must also specify None for its authentication level.
- ↑ 2.0 2.1 See Turning Off Activation Security. For this to work, the server must specify Everyone for Default Launch Permissions.
- ↑ For KB5004442—Manage changes for Windows DCOM Server Security Feature Bypass (CVE-2021-26414).