DCOM errors can be one of the most difficult issues to resolve sometimes because you have so many variables related to security. One thing I always try is to set up an identical local admin user on both server/client machines, runas this user, and see if this allows a connection and read/writes. Here is a recent link that may be helpful as well: DCOM Security and Configuration
Thank you for your reply.
I think DCOM configuration is not related to this issue.
DCOM configuration is necessary when the OPC server and OPC client exist separately,
but in my case, the OPC server and OPC client exist on the same PC.
OPC Server and client are on the same box but remote to the PI Data Archive and we must assume a Windows Integrated Security not being an authentication option. Please make sure you have a trust in place that allows PI OPC HDA Server to connect with an identity having read access.
I appreciate your support.
Your suggestion means that we should check the trust setting again?
We tried 2 patterns of trust configuration.
1. Specified IP address and netmask
2. Specified PC name, domain, IP address and netmask
OPC HDA server could not browse items of PI server
although OPC HDA could connect to PI server by SDK in both cases.
We think that setting does not affect Windows authentication according to the above result.
We have two additional questions.
1. >a Windows Integrated Security not being an authentication option
We use PI user for trust.
Is Windows authentication related to this case even if we use a PI user?
2.>an identity having read access
Where can we configure read access?
Security tab of each PI Point?
Windows Integrated Security is only available if all machines involved in the communication are members of a domain or if, in a cross-domain environment, a domain trust allows authentication based on a Windows Principal. As soon as one of the machines involved is a member of a workgroup, like in your case, the option to authenticate based on Windows Integrated Security is nonexistent.
Please allow me to suggest the learning video titled Windows Integrated Security (WIS) and our Security Recommendations. v2010 and PI Data Archive 2016 Security Configuration Guide.
To add to what Siddhartha says, try creating a trust with just one limitation, e.g. the OPC Server host's IP address, and grant piadmin user rights, but just to see if PI Security is indeed the issue. Piadmin is the superuser for the PI Data Archive with unlimited access to all databases and objects. Using piadmin with trusts or mappings is "bad" practice and we strongly recommend against doing this. Please note that within the Security Settings, trusting the piadmin user can be disabled.
Check with the PI Message log / PI Network Manager Statistics what credentials are used with the PI OPC HDA connection. PIWorld identity usually provides read access to the point configuration and point data but not to all items within Database Security and I believe that's what is causing your issue. Unless you plan writing to OPC items, read access should be just fine.
How have you configured cross-domain security? I mean by having the same local account and password on both machines, or a trust? This seems to be a security issue, so test with an open trust and then configure accordingly.
Without looking at PIPC Log and/or Windows Event log, we cannot fully rule out any possibilities.
More information is needed as the error code, "80040005", in my understanding is very generic.
Read/Write of tags in bulk can be done using PI Builder.