Application authentication level for DCOM security

In response to the Microsoft Distributed Component Object Model (DCOM) Hardening patch (MS KB5004442), the minimum DCOM authentication level used by Rockwell Automation products was raised to Packet Integrity.
IMPORTANT:
Installing this product’s latest version alongside earlier, unpatched versions of other FactoryTalk products, or alongside products that use Classic OPC DA connections, may cause a loss of connectivity because the DCOM authentication levels differ. For additional information, see the Knowledgebase Document ID: IN39461 - Microsoft DCOM Hardening Information TOC.
Microsoft released the DCOM Hardening patch in response to CVE-2021-26414. The patch raises the minimum DCOM authentication level that is required to establish a DCOM connection. DCOM is used by many Rockwell Automation products, which may therefore be affected by the change made by the Microsoft patch. For additional information about the affected Rockwell Automation products, see the Knowledgebase Document ID: PN1581 - Product Notification 2022-01-001 - Rockwell Automation products unable to establish proper DCOM connection after installing Microsoft DCOM Hardening patch (MS KB5004442).
Impact on Rockwell Automation software
If computers in your network have installed the Microsoft patch, the client or server applications on those computers must use the DCOM authentication level RPC_C_AUTHN_LEVEL_PKT_INTEGRITY, while applications on computers without the patch are not required to. As a result, communication between the two types of computers fails.
TIP:
  • The distributed third-party OPC DA server and client applications are also impacted.
  • To ensure proper communication, the authentication level of both the server application and the client application should be at the same level.
Solutions
We recommend installing the latest version of Rockwell Automation software or installing the patch for the corresponding software version.
To avoid the compatibility issue, make sure all Rockwell Automation applications you use are updated.
If any computers in your network have not installed the Microsoft patch, or some Rockwell Automation applications are not updated to the latest version, you can lower the application authentication level on those computers. To do so, do one of the following:
  • Remove the Microsoft DCOM patch from all workstations in the system.
  • Switch the DCOM authentication level on all workstations in the system using one of the following methods:
    • Use Registry Editor.
      • FactoryTalk software
        • Open Registry Editor, select HKEY_LOCAL_MACHINE > SOFTWARE > WOW6432Node > Rockwell Software > FactoryTalk > Platform, right-click DCOMAuthLevel > Modify, and then edit the Value data to 1. The default value after upgrading the Rockwell Automation application is 5 (RPC_C_AUTHN_LEVEL_PKT_INTEGRITY) and the former value is 1 (RPC_C_AUTHN_LEVEL_PKT_NONE).
      • RSLinx Classic software
        • Open Registry Editor, select HKEY_LOCAL_MACHINE > SOFTWARE > WOW6432Node > Rockwell Software > RSLinx, right-click DCOMAuthLevel > Modify, and then edit the Value data to 1. The default value after upgrading the Rockwell Automation application is 5 (RPC_C_AUTHN_LEVEL_PKT_INTEGRITY) and the former value is 1 (RPC_C_AUTHN_LEVEL_PKT_NONE).
    • Use the DCOMAuthLevel utility.
      • Open DCOMAuthLevel, select None (for backward compatibility), and then click OK.
        TIP:
        • Authentication levels lower than 5 are not supported after installing the Microsoft patch.
        • This utility adjusts the authentication level for FactoryTalk Services Platform, the FactoryTalk Live Data OPC DA client interface, the FactoryTalk Linx Gateway OPC DA server interface, and RSLinx Classic’s OPC DA server interface.
        • The Windows Component Services DCOM configuration setting is not used or supported by FactoryTalk software or RSLinx Classic.
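The two DCOMAuthLevel registry values above can be audited, and changed in step, from PowerShell. The following is an added example, not Rockwell's own tooling; it assumes an elevated 64-bit PowerShell session on the workstation being checked, and the function names Get-RaDcomAuthLevel and Set-RaDcomAuthLevel are invented for this example.

```powershell
# Added example (not Rockwell's own tooling); assumes an elevated 64-bit PowerShell
# session on the workstation being audited.
$DcomAuthTargets = @{   # registry locations exactly as given in the procedure above
    'FactoryTalk Platform' = 'HKLM:\SOFTWARE\WOW6432Node\Rockwell Software\FactoryTalk\Platform'
    'RSLinx Classic'       = 'HKLM:\SOFTWARE\WOW6432Node\Rockwell Software\RSLinx'
}
$AuthLevelNames = @{    # Windows RPC_C_AUTHN_LEVEL_* values; the procedure above uses 1 and 5
    1 = 'RPC_C_AUTHN_LEVEL_NONE'; 2 = 'RPC_C_AUTHN_LEVEL_CONNECT'; 3 = 'RPC_C_AUTHN_LEVEL_CALL'
    4 = 'RPC_C_AUTHN_LEVEL_PKT';  5 = 'RPC_C_AUTHN_LEVEL_PKT_INTEGRITY'; 6 = 'RPC_C_AUTHN_LEVEL_PKT_PRIVACY'
}

function Get-RaDcomAuthLevel {
    # Report each product's current DCOMAuthLevel and compare it with $Expected.
    param([int]$Expected = 5)   # 5 = Packet Integrity, the post-patch minimum
    foreach ($product in $DcomAuthTargets.Keys) {
        $path  = $DcomAuthTargets[$product]
        $value = (Get-ItemProperty -Path $path -Name DCOMAuthLevel -ErrorAction SilentlyContinue).DCOMAuthLevel
        $status = switch ($true) {
            ($null -eq $value)     { 'NOT FOUND (product not installed or value missing)'; break }
            ($value -eq $Expected) { 'OK'; break }
            ($value -lt 5)         { 'MISMATCH: below Packet Integrity, fails against patched hosts'; break }
            default                { 'MISMATCH' }
        }
        $name = if ($null -ne $value) { $AuthLevelNames[[int]$value] }
        [pscustomobject]@{ Product = $product; Level = $value; Name = $name; Status = $status }
    }
}

function Set-RaDcomAuthLevel {
    # Write the same value to both keys so the products stay in step; supports -WhatIf.
    [CmdletBinding(SupportsShouldProcess)]
    param([ValidateSet(1, 5)][int]$Level)
    foreach ($path in $DcomAuthTargets.Values) {
        if ((Test-Path $path) -and $PSCmdlet.ShouldProcess($path, "Set DCOMAuthLevel=$Level")) {
            Set-ItemProperty -Path $path -Name DCOMAuthLevel -Value $Level -Type DWord
        }
    }
}

Get-RaDcomAuthLevel | Format-Table -AutoSize
# Preview a change without writing it: Set-RaDcomAuthLevel -Level 5 -WhatIf
```

Run the audit on every workstation that exchanges FactoryTalk or OPC DA traffic; any host reporting a different level from its peers is the one whose connections will fail.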
About OPC DA communication
As the distributed OPC DA server and client also use DCOM to communicate, the same issue might also appear. Do one of the following to resolve the issue:
  • The OPC DA interface for FactoryTalk Linx Gateway, FactoryTalk Live Data, and RSLinx Classic must be configured to utilize the appropriate DCOM authentication level to work with or without the Microsoft patch (described earlier).
  • Set the authentication level of third-party OPC DA server or client to the same level as the Rockwell Automation applications.
  • Lower the authentication level on computers that are installed with the patch as mentioned above.
  • Deploy the OPC DA server and client on the same computer.
  • Change the communication method from OPC DA to OPC UA.
Set DCOM authentication level of KEPServer Enterprise
When using KEPServer Enterprise, change the authentication level through the following:
  1. Open Component Services.
  2. Double-click Console Root > Component Services > Computers > My Computer > DCOM Config.
  3. Right-click KEPServerEnterprise x.xx and select Properties.
  4. On the General tab, select the authentication level in Authentication Level.
  5. Click OK and restart KEPServer Enterprise.
Workgroup and domain settings after the applications’ authentication level is updated
After the applications’ authentication level is adjusted to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY, ensure that all user accounts in the network that contains Rockwell Automation software and third-party OPC DA applications meet the DCOM requirement for RPC_C_AUTHN_LEVEL_PKT_INTEGRITY:
  • Each workstation in a workgroup or a domain must have the same user accounts, with the same usernames and passwords on each machine, for all machines participating in a client-server environment.
For more information, see Microsoft documentation How to Configure a Domain User or Group.