Configuring DCOM for Remote Access
Before you can access a WMI host or OPC Server running under Microsoft Windows, Distributed COM (DCOM) must be properly configured on that machine. Work through the checklist below on the machine that hosts the COM server; each step removes one common cause of "Access Denied" or "RPC server unavailable" errors.
1. Enabling Necessary Services
Make sure that the Server service (service name LanmanServer) and the Remote Registry service (service name RemoteRegistry) are running on the machine where the COM server resides, and that their startup type is Automatic so they survive a reboot.
2. Configuring Access Permissions
To avoid Access Denied exceptions, the simplest approach is to connect to the COM server under the identity of the currently logged-in user. If granting Administrators rights to the connecting account is a concern, create a dedicated local user that is a member only of the Users group and grant that user the DCOM permissions described below. On current Windows versions the built-in Distributed COM Users group is already present in the machine-wide launch and activation limits, so adding the account to that group is an alternative to editing the limits by hand. Avoid granting Everyone: it is the broadest possible grant.
2a. Configuring DCOM Access
Go to Control Panel > Administrative Tools > Local Security Policy > Security Settings > Local Policies > Security Options:
- Double-click DCOM: Machine Access Restrictions policy, click Edit Security, add the user created above (or currently logged in user), allow "Remote Access"
- Double-click DCOM: Machine Launch Restrictions policy, click Edit Security, add the user created above (or currently logged in user), allow "Local Launch", "Remote Launch", "Local Activation", "Remote Activation"
- Double-click Network access: Sharing and security model for local accounts policy, select Classic - local users authenticate as themselves (the Guest only model maps every network logon to Guest, which has no DCOM rights)
2b. Configuring COM Security
Go to Control Panel > Administrative Tools > Component Services > Computers > right-click My Computer > click Properties > Default Settings tab:
- Check Enable Distributed COM on this computer
- Set Default Authentication Level to Connect (this is the lowest level that still authenticates the caller; never choose None, which disables authentication entirely. Packet Privacy additionally signs and encrypts the traffic and is preferable when the client supports it)
- Set Default Impersonation Level to Identify
Go to Control Panel > Administrative Tools > Component Services > Computers > right-click My Computer > click Properties > click COM Security tab:
- In Access Permissions section, click Edit Default > add the user created above (or currently logged in user), allow "Remote Access"
- In Launch and Activation Permissions section > click Edit Default > add the user created above (or currently logged in user), allow "Local Launch", "Remote Launch", "Local Activation", "Remote Activation"
Note: granting permissions from My Computer is a blanket grant that applies to every DCOM server on the machine. For least privilege, expand Component Services > Computers > My Computer > DCOM Config, open the Properties of the specific component you need (the WMI service or your OPC server), and grant the access and launch permissions on its Security tab instead.
3. Configuring Windows Firewall
A misconfigured Windows Firewall blocks DCOM calls outright, and it blocks them for every DCOM application on the machine, not just this one. Either allow DCOM through the firewall (TCP port 135 for the RPC endpoint mapper plus the dynamic RPC port the COM server process listens on, ideally restricted to the address of the client) or, on an isolated network where that is acceptable, turn the firewall off. Keeping the firewall on with a narrow rule is the better option.
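The firewall configuration described above, as an added example (not code from the original page or from Iotellect): it keeps the firewall on and admits DCOM traffic from one client address only. The client address, the server executable path and the rule name are placeholders; the built-in rule groups "COM+ Network Access" and "Windows Management Instrumentation (WMI)" and the special "RPC" port value are taken from the NetSecurity cmdlet documentation, and the netsh lines at the end are the legacy equivalent for the older systems covered in the notes further down.

```powershell
# Added example (not from the original page): allow DCOM through Windows Firewall for
# one client only, instead of turning the firewall off. Run elevated on the machine
# hosting the COM/OPC server (Windows 8 / Server 2012 or later for the NetSecurity
# cmdlets; the netsh lines at the end are for the older systems in the notes below).
# Placeholders: $ClientAddress (where Iotellect Server runs) and $ServerExe (the
# out-of-process COM/OPC server executable).
$ClientAddress = '192.0.2.10'
$ServerExe     = 'C:\Program Files\Vendor\OpcServer.exe'
$Profiles      = 'Domain', 'Private'

# TCP 135 (RPC endpoint mapper) is covered by the built-in "COM+ Network Access"
# rule group; WMI has its own group. Enable them and pin them to the client address.
foreach ($group in 'COM+ Network Access', 'Windows Management Instrumentation (WMI)') {
    Get-NetFirewallRule -DisplayGroup $group -Direction Inbound -ErrorAction SilentlyContinue |
        Set-NetFirewallRule -Enabled True -RemoteAddress $ClientAddress -Profile $Profiles
}

# The COM server itself answers on a dynamic RPC port, so add a program rule for it.
# "-LocalPort RPC" tells the firewall to match the dynamic RPC port range only.
$name = 'DCOM in - OPC server (dynamic RPC)'
if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Allow -Protocol TCP `
        -LocalPort RPC -Program $ServerExe -RemoteAddress $ClientAddress -Profile $Profiles | Out-Null
}
# A DLL server hosted by the system surrogate needs the surrogate program instead:
#   -Program "$env:SystemRoot\System32\dllhost.exe"

# Verify: every DCOM-related inbound rule, its state and the remote addresses it admits.
Get-NetFirewallRule -Direction Inbound |
    Where-Object { $_.DisplayGroup -in 'COM+ Network Access', 'Windows Management Instrumentation (WMI)' -or $_.DisplayName -eq $name } |
    ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
        '{0,-55} enabled={1} remote={2}' -f $_.DisplayName, $_.Enabled, $addr
    }

# Legacy firewall (Windows XP SP2 / Server 2003), same intent, from an elevated cmd:
#   netsh firewall add portopening protocol=TCP port=135 name="DCOM endpoint mapper" mode=ENABLE scope=CUSTOM addresses=192.0.2.10
#   netsh firewall add allowedprogram program="C:\Program Files\Vendor\OpcServer.exe" name="OPC server" mode=ENABLE scope=CUSTOM addresses=192.0.2.10
```

If the client sits on the Public profile of the host, add 'Public' to $Profiles; leaving it out is deliberate so that the rules do not open DCOM on untrusted networks.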
4. Disabling UAC
When User Account Control (UAC) is active, a member of the local Administrators group actually has two security tokens: a normal user token and an administrator token, which is only activated when the user passes the UAC prompt. Remote requests that arrive over the network for a local administrator account (other than the built-in Administrator) receive the filtered, normal-user token, and since there is no way to answer a UAC prompt remotely, the token cannot be elevated to the full administrator token. Domain accounts are not subject to this filtering.
UAC can therefore be disabled to allow remote DCOM access under a local administrator account. Disabling UAC weakens the whole machine, so prefer one of the narrower options first: connect with a domain account, or with a non-administrator account that has been granted the DCOM permissions from section 2, or leave UAC on and set the LocalAccountTokenFilterPolicy registry value to 1, which turns off only the remote token filtering described above.
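The narrower alternative to turning UAC off, as an added example (not code from the original page or from Iotellect). It changes only the remote token filtering that breaks DCOM for local administrator accounts; the registry path and value names are the documented ones, and the function names are the author's own.

```powershell
# Added example (not from the original page): the narrower alternative to turning
# UAC off. LocalAccountTokenFilterPolicy = 1 stops Windows from filtering the token
# of local administrator accounts that log on over the network, which is the exact
# mechanism that breaks remote DCOM; UAC prompts on the console stay in place.
# Assumption: the connecting account is a local (not domain) member of Administrators;
# domain accounts are never filtered and need no change. Run elevated on the host.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-RemoteUacState {
    $p = Get-ItemProperty -Path $key
    [pscustomobject]@{
        EnableLUA                     = $p.EnableLUA                       # 1 = UAC on
        LocalAccountTokenFilterPolicy = $p.LocalAccountTokenFilterPolicy   # 1 = no remote filtering; absent or 0 = filtered
    }
}

function Disable-RemoteUacFiltering {
    # Applies to new network logons; sessions that are already open keep their token.
    New-ItemProperty -Path $key -Name LocalAccountTokenFilterPolicy -PropertyType DWord -Value 1 -Force | Out-Null
    Get-RemoteUacState
}

function Enable-RemoteUacFiltering {
    # Revert to the default behaviour (value absent = filtering on).
    Remove-ItemProperty -Path $key -Name LocalAccountTokenFilterPolicy -ErrorAction SilentlyContinue
    Get-RemoteUacState
}

# Disabling UAC completely, as the step above describes, is EnableLUA = 0 plus a
# reboot; it removes the console prompts as well and should be the last resort:
#   Set-ItemProperty -Path $key -Name EnableLUA -Value 0

# Usage:
Get-RemoteUacState
# Disable-RemoteUacFiltering
# Enable-RemoteUacFiltering
```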
5. Installing Latest Updates
Make sure that the Windows machine hosting the COM server has all service packs and updates from Microsoft installed. Many reported DCOM problems turn out to be caused by an out-of-date or improperly configured machine rather than by the client.
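A read-only audit that reports the state of everything sections 1, 2 and 4 of this checklist change, so the GUI steps can be verified on the host. This is an added example, not code from the original page or from Iotellect. It assumes the documented registry storage of the dcomcnfg settings (HKLM\SOFTWARE\Microsoft\Ole) and of the Local Security Policy items (HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DCOM), and decodes the binary security descriptors with the COM_RIGHTS_* access-mask bits; the labels and function name are the author's own.

```powershell
# Added example (not part of the original page): read-only audit of the settings
# that sections 1, 2 and 4 change. Run in an elevated PowerShell (5.1 or later) on
# the machine hosting the COM/OPC/WMI server. Assumptions: dcomcnfg stores its
# settings under HKLM\SOFTWARE\Microsoft\Ole, Group Policy stores the SDDL form under
# HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DCOM, and the bit names below are the
# COM_RIGHTS_* access-mask flags (1 execute, 2 local, 4 remote, 8/16 activation).
$ole    = 'HKLM:\SOFTWARE\Microsoft\Ole'
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DCOM'
$lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$uac    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Section 1: Server (LanmanServer) and Remote Registry (RemoteRegistry) services
foreach ($svcName in 'LanmanServer', 'RemoteRegistry') {
    $svc = Get-Service -Name $svcName -ErrorAction SilentlyContinue
    if (-not $svc) { "[FAIL] service $svcName not found"; continue }
    $tag = if ($svc.Status -eq 'Running') { 'OK' } else { 'FAIL' }
    "[$tag] $($svc.DisplayName): $($svc.Status), startup type $($svc.StartType)"
}

# Section 2b: Default Properties tab (RPC_C_AUTHN_LEVEL_* / RPC_C_IMP_LEVEL_* values)
$authNames = @{ 0 = 'Default'; 1 = 'None'; 2 = 'Connect'; 3 = 'Call'; 4 = 'Packet'; 5 = 'Packet Integrity'; 6 = 'Packet Privacy' }
$impNames  = @{ 0 = 'not set'; 1 = 'Anonymous'; 2 = 'Identify'; 3 = 'Impersonate'; 4 = 'Delegate' }
$o = Get-ItemProperty -Path $ole
"Enable Distributed COM on this computer : $($o.EnableDCOM)"      # expected: Y
"Default Authentication Level            : $($authNames[[int]$o.LegacyAuthenticationLevel])"
"Default Impersonation Level             : $($impNames[[int]$o.LegacyImpersonationLevel])"
if ([int]$o.LegacyAuthenticationLevel -eq 1) { "[FAIL] authentication level None disables authentication; use Connect or higher" }

# Decode a REG_BINARY COM security descriptor into readable ACEs.
$comRights = @{ 1 = 'Execute'; 2 = 'Local'; 4 = 'Remote'; 8 = 'LocalActivation'; 16 = 'RemoteActivation' }
function Show-ComSecurityDescriptor {
    param([string]$Label, [byte[]]$Bytes)
    if ($null -eq $Bytes -or $Bytes.Length -eq 0) { "$Label : not set in the registry (built-in default applies)"; return }
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($Bytes, 0)
    "$Label"
    "  SDDL: $($sd.GetSddlForm('All'))"
    foreach ($ace in $sd.DiscretionaryAcl) {
        try   { $who = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $ace.SecurityIdentifier.Value }
        $bits = ($comRights.Keys | Sort-Object | Where-Object { $ace.AccessMask -band $_ } |
                 ForEach-Object { $comRights[$_] }) -join ','
        "  {0,-13} {1,-40} {2}" -f $ace.AceType, $who, $bits
    }
}

# Sections 2a/2b: machine-wide limits (Edit Limits) and defaults (Edit Default).
# Values set through Local Security Policy / GPO are stored as SDDL under $policy
# and take precedence over the binary values under $ole.
$p = Get-ItemProperty -Path $policy -ErrorAction SilentlyContinue
foreach ($v in 'MachineAccessRestriction', 'MachineLaunchRestriction') {
    if ($p -and $p.$v) { "Policy $v (SDDL): $($p.$v)" }
}
Show-ComSecurityDescriptor 'Machine Access Restriction (limits)' $o.MachineAccessRestriction
Show-ComSecurityDescriptor 'Machine Launch Restriction (limits)' $o.MachineLaunchRestriction
Show-ComSecurityDescriptor 'Default Access Permission'           $o.DefaultAccessPermission
Show-ComSecurityDescriptor 'Default Launch Permission'           $o.DefaultLaunchPermission

# Section 2a: Network access: Sharing and security model for local accounts
$forceGuest = (Get-ItemProperty -Path $lsa).ForceGuest
"Sharing and security model              : " + $(if ($forceGuest -eq 1) { 'Guest only [FAIL, set Classic]' } else { 'Classic [OK]' })

# Section 4: UAC state and remote token filtering for local administrators
$u = Get-ItemProperty -Path $uac
"UAC enabled (EnableLUA)                 : $($u.EnableLUA)"
"LocalAccountTokenFilterPolicy           : $($u.LocalAccountTokenFilterPolicy) (1 = remote admin token not filtered)"
```

Read the decoded ACEs against section 2: the connecting account (or a group it belongs to) must appear with Remote in the access descriptors and with Remote plus RemoteActivation in the launch descriptors, in both the limits and the defaults, and no Everyone entry should have been added beyond what the operating system ships with.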
Notes for Specific Versions of Windows
If the above instructions didn't help, check notes for specific versions of Windows below.
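Before turning to the version-specific notes, a client-side check that exercises DCOM end to end and maps the common failures back to the checklist sections. This is an added example, not code from the original page or from Iotellect; the host name and credential are placeholders, and Get-WmiObject is used because it connects over DCOM (Get-CimInstance defaults to WinRM and would not exercise the settings on this page). The HRESULT names are the standard E_ACCESSDENIED, RPC_S_SERVER_UNAVAILABLE and WBEM_E_ACCESS_DENIED values.

```powershell
# Added example (not from the original page). Run on the client machine, e.g. where
# Iotellect Server runs, against the host configured with the checklist above.
# Placeholders: -ComputerName and the credential. Get-WmiObject is used on purpose:
# it connects over DCOM, whereas Get-CimInstance defaults to WinRM.
function Test-DcomAccess {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [pscredential]$Credential
    )
    # Pre-check: is the RPC endpoint mapper (TCP 135) reachable at all?
    $tcp = Test-NetConnection -ComputerName $ComputerName -Port 135 -WarningAction SilentlyContinue
    if (-not $tcp.TcpTestSucceeded) {
        "[FAIL] TCP 135 on $ComputerName is not reachable: check section 1 (services) and section 3 (firewall)"
        return $false
    }
    $wmi = @{ Class = 'Win32_OperatingSystem'; ComputerName = $ComputerName; ErrorAction = 'Stop' }
    if ($Credential) { $wmi.Credential = $Credential }
    try {
        $os = Get-WmiObject @wmi
        "[OK] DCOM call to $ComputerName succeeded: $($os.Caption) on $($os.CSName)"
        return $true
    }
    catch {
        $err  = $_
        # HResult is a signed Int32; X8 formatting prints the familiar 0x8007xxxx form.
        $code = '0x{0:X8}' -f $err.Exception.HResult
        $hint = switch ($code) {
            '0x80070005' { 'E_ACCESSDENIED: revisit section 2 (DCOM access/launch permissions) and section 4 (UAC remote token filtering)' }
            '0x800706BA' { 'RPC_S_SERVER_UNAVAILABLE: port 135 answered, so the dynamic RPC port is usually what is blocked; revisit section 3' }
            '0x80041003' { 'WBEM_E_ACCESS_DENIED: DCOM itself worked, the WMI namespace security denied the call' }
            default      { $err.Exception.Message }
        }
        "[FAIL] $code $hint"
        return $false
    }
}

# Usage (placeholders):
# Test-DcomAccess -ComputerName 'opc-host.example' -Credential (Get-Credential 'opc-host\dcomuser')
```

Run it once with the account you intend to use and once with an account that should not have access; the second run must fail with 0x80070005, otherwise the grant in section 2 is broader than intended.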
Configuring DCOM on Windows 2000
1. Click Start, click Run, and then type DCOMCNFG.
2. Click Default Properties. Select Enable Distributed COM on this computer. Set the Default Authentication Level to Connect (None also works, but it disables authentication entirely and should not be used). Set the Default Impersonation Level to Identify (Impersonate also works).
3. Click Default Security.
4. Under Default Access Permissions click Edit Default. Add SYSTEM and INTERACTIVE. The user whose authentication credentials will be used to access the COM application must also be included in this list. You can add the specific user or a group the user belongs to. Possible values include:
- Domain\Username (a specific user)
- Domain\Administrators (all administrators on a specific domain)
- Everyone (all users; this is the broadest grant and should be avoided outside an isolated test network)
5. Under Default Launch Permissions click Edit Default. Make sure the Default Launch Permissions have the same values as the Default Access Permissions.
6. Click Default Protocols. Make sure Connection-oriented TCP/IP is listed first.
7. You must now configure the COM application you wish to access. Click Applications and right-click on the application you wish to configure. Select Properties. If your COM application is a DLL, you must first create a surrogate EXE for it using the SetDllHost tool. Once a surrogate EXE is created, the surrogate name will appear in the list of applications. Select Properties for the surrogate and continue on.
8. Click General. Set the Authentication Level to Default.
9. Click Location. Select Run application on this computer.
10. Click Security. Select Use default access permissions and Use default launch permissions.
11. Click Identity. Select The launching user. This setting specifies the account that will be used to run the COM application once it is launched by a client program. The launching user is the user account of the client process that launched the server, and is the recommended setting. Depending on the COM application you want to connect to, you may need to change this to:
- The interactive user - The user that is currently logged on to the machine hosting the COM application.
- This user - Specify a user account that will always be used to run the COM application regardless of which user is accessing it.
12. Click Endpoints. Select Default System Protocols.
13. If you still get an "Access Denied" or "Permission Denied" error after configuring your DCOM settings, try rebooting your machine to allow the new settings to take effect.
Configuring DCOM on Windows XP and Windows Server 2003
1. If the computer belongs to a workgroup instead of a domain, make sure that it does not use simple file sharing. Open Windows Explorer or double click My Computer, click Tools, then go to Folder Options, click View and uncheck Use simple file sharing (Recommended) in Advanced settings.
2. Click Start, click Programs, click Administrative Tools, click Component Services.
3. Expand Component Services, expand Computers, and right-click My Computer. Select Properties.
4. Click Default Properties. Select Enable Distributed COM on this computer. Set the Default Authentication Level to Connect (None also works, but it disables authentication entirely and should not be used). Set the Default Impersonation Level to Identify (Impersonate also works).
5. Click Default COM Security.
6. Under Default Access Permissions click Edit Default. Add SYSTEM, INTERACTIVE, and NETWORK. The user whose authentication credentials will be used to access the COM application must also be included in this list. You can add the specific user or a group the user belongs to. Possible values include:
- Domain\Username (a specific user)
- Domain\Administrators (all administrators on a specific domain)
- Everyone (all users; this is the broadest grant and should be avoided outside an isolated test network)
7. Under Default Launch Permissions click Edit Default. Make sure the Default Launch Permissions have the same values as the Default Access Permissions.
8. Click Default Protocols. Make sure Connection-oriented TCP/IP is listed first.
9. You must now configure the COM application you wish to access. Expand Component Services, expand Computers, expand My Computer, and click DCOM Config. Right-click on the application you wish to configure. Select Properties. If your COM application is a DLL, you must first create a surrogate EXE for it using the SetDllHost tool. Once a surrogate EXE is created, the surrogate name will appear in the list of applications. Select Properties for the surrogate and continue on.
10. Click General. Set the Authentication Level to Default.
11. Click Location. Select Run application on this computer.
12. Click Security. Set Launch Permissions to Use Default. Set Access Permissions to Use Default. Set Configuration Permissions to Use Default.
13. Click Identity. Select The launching user. This setting specifies the account that will be used to run the COM application once it is launched by a client program. The launching user is the user account of the client process that launched the server, and is the recommended setting. Depending on the COM application you want to connect to, you may need to change this to:
- The interactive user - The user that is currently logged on to the machine hosting the COM application.
- This user - Specify a user account that will always be used to run the COM application regardless of which user is accessing it.
14. Click Endpoints. Select default system protocols.
15. If you still get an "access denied" or "permission denied" error after configuring your DCOM settings, try rebooting your machine to allow the new settings to take effect.
Configuring DCOM on Windows XP SP2
Microsoft has added some DCOM security enhancements to Windows XP Service Pack 2. In addition to the above Windows XP DCOM configuration settings, you will need to perform the following steps.
1. If the computer belongs to a workgroup instead of a domain, make sure that it does not use simple file sharing. Open Windows Explorer or double click My Computer, click Tools, then go to Folder Options, click View and uncheck Use simple file sharing (Recommended) in Advanced settings.
2. Click Start, click Programs, click Administrative Tools, click Component Services.
3. Expand Component Services, expand Computers, and right-click My Computer. Select Properties.
4. Click Default COM Security.
5. Under Default Access Permissions click Edit Default. Make sure SYSTEM, INTERACTIVE, NETWORK, and the user whose authentication credentials will be used to access the COM application all have Local and Remote Access permissions.
6. Under Default Access Permissions click Edit Limits. Service Pack 2 comes with the following default values: ANONYMOUS LOGON (Local Access) and Everyone (Local and Remote Access). Make sure these values are listed, and then add the user whose authentication credentials will be used to access the COM application. Allow this user to have Local and Remote Access permissions.
7. Under Default Launch Permissions click Edit Default. Make sure SYSTEM, INTERACTIVE, NETWORK, and the user whose authentication credentials will be used to access the COM application all have Local and Remote Launch permissions, as well as Local and Remote Activation permissions.
8. Under Default Launch Permissions click Edit Limits. Service Pack 2 comes with the following default values: MACHINE\Administrators (Local and Remote Launch, Local and Remote Activation) and Everyone (Local Launch and Local Activation). Make sure these values are listed, and then add the user whose authentication credentials will be used to access the COM application. Allow this user to have Local and Remote Launch permissions, as well as Local and Remote Activation permissions.
9. Service Pack 2 comes with a built-in Windows Firewall. If the firewall is turned on, you will have to allow your COM application network access to your machine. You can do this by opening Windows Firewall and adding your COM application to the list of programs under the Exceptions tab. If Display a notification when Windows Firewall blocks a program is selected, then you will be prompted to unblock the COM application when Iotellect Server accesses your DCOM server for the first time. Select Unblock when prompted.
10. If you still get an "access denied" or "permission denied" error after configuring your DCOM settings, try rebooting your machine to allow the new settings to take effect.