5 - Access denied. Username and/or password might be wrong.

[shutz-c0de]

Hi, I was trying to use this node on my Raspberry Pi, but I cannot get it to work.

I've setup and configured a Matrikon OPC Simulation Server on my W10 machine, I've created a user and added all the required permissions, however I always get the access denied error.

I've tried running the server on two different machine (W10), and on two different networks, with firewall off etc... And I always get this error: "5 - Access denied. Username and/or password might be wrong."

Obviously I've doubled checked the IP address, domain, user and password, same for the ProgId and ClsId. (Also tried different users)

Does anybody have any idea about what could cause this issue?

[steuck13]

Greetings There are a few known authentication problems when running the server on Windows. We'll release a fix for it as soon as we successfully identify where the problem lies. Ty for your report.

[shutz-c0de]

Thanks a lot for your feedback, do you know if there is any workarounds in the meantime?

[Tesla76]

Hello I had the same problem with a CoDesys OPC-DA server today. My first guess was that the error is that this server apparently does not support authentication. Unfortunately, a user and password must be entered for the contrib-opc-da plugin, or is there perhaps another way? (The Matrikon OPC Client and the Kassl OPC Explorer works well with this setup) Thanks in advance !

[steuck13]

Greetings Is your CoDesys running on W10? How is the dcom configuration for this machine? Ty for your report

[Tesla76]

Hello steuck13, Thanks for your feedback. CoDesys OPC DA Server and Node Red are running on the same Windows Server 2016 VM. (As i wrote, the Matrikon OPC Client and the Kassl OPC Explorer works well with this setup) DCOM settings were done, as in the CoDesys manual described. The Error is always: "5 - Access denied. Username and/or password might be wrong." The question is, what i have to set for Username and password, since there is no authentication supported in the server

[sniicker]

Same problem here!

OPC DA Server without Username and PW.

How can we handle this usecase?

[yahanda]

+1 i have the same problem. anyone have idea for this problem?

[calumk]

+1 for this issue

[ralph1987dm]

+1 for this issue

[robbudge]

Same Problem

[adonnelly759]

+1 for this issue

[sevenclockseven]

需要修改opcserver服务器的组策略

[WarmBoot]

Similar situation here, too.

In this case, a fully patched and updated Win10 22H2 VM with both MatrikonOPC Server and MatrikonOPC Explorer on the same machine. MatrikonOPC Explorer can read tags from the MatrikonOPC Server.

But Node-RED, is throwing an "Access Denied" error:

The node configuration is:

For "IP Address", I've also tried "localhost". For "Domain", I've also tried "WORKGROUP". For "Username", I've also tried ".\user".

Under Component Services, the Matrikon OPC Server is set to an auth level of "Packet Integrity":

Its COM Security "Access Permissions" have local and remove "allow" permissions set for more users and groups than truly necessary (I'll go back later and batten down the hatches):

COM Security "Launch and Activation Permissions" are similarly wide open:

The auth level for MatrikonOPC Server is set to "Packet Integrity":

Location is set to "Run application on this computer":

Launch and Activation Permissions set to "allow" for more groups and users than necessary:

Likewise Access Permissions:

and Change Configuration Permissions:

OPCEnum's auth level is set to "Packet Integrity":

Location set to "Run application on this computer":

Change Configuration Permissions set to "allow" for the usual users and groups:

Launch and Activation permissions set to "allow":

Even the OPC Enum x64 Category Manager is similarly set (I'm only showing the "General" tab for brevity):

The user name is "user" and is a member of Administrators and DCOM Users (as well as being specifically named in the above permission settings):

When the "Access Denied" error occurs, sadly there's not any accompanying clarifying error in the System Event Log:

And the Windows Firewall is "off":

I'm using 32-bit Python 3.11:

Node-RED version is 3.0.2 and node-red-contrib-opc-da is 1.0.4:

I suspect that the "access denied" error may be misleading and that the true problem could have nothing to do with the userid/password, but I don't know what else to check.

In the post KB5004442 world after March 2023, has anyone gotten this working, specifically with both client and server pieces on a Win10 machine? There's not a message in the Event Log regarding "activation authentication level at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application" and it seems that the activation level requirement is met, but...

Any clues, directions, corrections will be greatly appreciated!

Thanks and regards, Jim

[schmavid]

@WarmBoot Thanks for listing everything that I also tried... Though I do not have a solution. Did you get this resolved in the end?

[WarmBoot]

@schmavid No further progress, sorry. The next thing I plan to try is doing all this on an unpatched Windows 10 32-bit system that has never had KB5004442 applied. I at least want to see it work. I may then gradually apply updates until it stops working and see what it takes to get it working again.

Or, I may punt on Window 10 althgether and try it on a Windows 7 32-bit machine. That may be the more useful scenario anyway, since any OPC/DA's in the wild may be more likely to be on Windows 7 than on Windows 10.

It may be a few weeks before I get back to tinkering with OPC/DA. Thanks for the ping, it's good to there's someone else interested in this.

Thanks and regards, Jim

[schmavid]

@WarmBoot Did you try to disable the hardening change by setting the registry key? https://support.microsoft.com/en-us/topic/kb5004442-manage-changes-for-windows-dcom-server-security-feature-bypass-cve-2021-26414-f1400b52-c141-43d2-941e-37ed901c769c

[WarmBoot]

@schmavid I'll have to check my notes, but I think I did try that early on. When I get back into OPC/DA, I'll give that anotehr try.

Thanks and regards, Jim

[InstantlyMoist]

Hey there, any news on this issue @WarmBoot . Bumping into somewhat the same issue right now.

[WarmBoot]

Hi @InstantlyMoist, sorry no news on my end. Other tasks keep getting into the queue ahead of revisiting OPC/DA.

Thanks and regards, Jim

[schmavid]

Be aware that since the update KB5004442 DCOM requires clients to use the authentication level "packet integrity" (RPC_C_AUTHN_LEVEL_PKT_INTEGRITY). This authentication level seems not to be implemented in this Node Red DCOM client library and it will therefore not be possible to connect.

The DCOM hardening of KB5004442 was introduced in several steps. https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26414

1. Since June 14, 2022 RPC_C_AUTHN_LEVEL_PKT_INTEGRITY was enabled by default in DCOM servers. It could still be disabled with the registry key RequireIntegrityActivationAuthenticationLevel
2. Since March 14, 2023 RPC_C_AUTHN_LEVEL_PKT_INTEGRITY is enabled by default and can not be disabled anymore!

The usage of authentication level "packet integrity" is now enforced and any OPC DA client library that was not adjusted to that change will now fail to connect.

[InstantlyMoist]

Be aware that since the update KB5004442 DCOM requires clients to use the authentication level "packet integrity" (RPC_C_AUTHN_LEVEL_PKT_INTEGRITY).

This authentication level seems not to be implemented in this Node Red DCOM client library and it will therefore not be possible to connect.

The DCOM hardening of KB5004442 was introduced in several steps. https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26414

1. Since June 14, 2022 RPC_C_AUTHN_LEVEL_PKT_INTEGRITY was enabled by default in DCOM servers. It could still be disabled with the registry key RequireIntegrityActivationAuthenticationLevel

2. Since March 14, 2023 RPC_C_AUTHN_LEVEL_PKT_INTEGRITY is enabled by default and can not be disabled anymore!

The usage of authentication level "packet integrity" is now enforced and any OPC DA client library that was not adjusted to that change will now fail to connect.

Do you by any chance know any replacement library? Any library/language is welcome. Have to get this to work somehow for my internship. Been trying this library for a few days now and finally I understand why it doesn't work haha.

[schmavid]

@InstantlyMoist I am sorry, unfortunately I do not know any replacement by now.

[InstantlyMoist]

@schmavid would this problem still persist if I was attempting to log in locally?

[schmavid]

@InstantlyMoist Sorry, I am not deep enough into the matter to give you an answer to that.

[WarmBoot]

@WarmBoot Did you try to disable the hardening change by setting the registry key? https://support.microsoft.com/en-us/topic/kb5004442-manage-changes-for-windows-dcom-server-security-feature-bypass-cve-2021-26414-f1400b52-c141-43d2-941e-37ed901c769c

Hi @schmavid, I did see that option and tried it unsuccessfully in July. Unfortunately, by that time the March 14, 2023 "third phase" start date where DCOM hardening could no longer be disabled, had passed:

The CVE at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26414 gave a bit more detail:

I've just tried it again this morning and the DCOM hardening still can't be turned off.

[WarmBoot]

@schmavid would this problem still persist if I was attempting to log in locally?

Hi @InstantlyMoist, Yes, I believe it does. All my attempts have been with everything running within a single Win10 VM.