Failed to connect to the server error because of Server Configuration - Client Access Control List

geoffpatton · ‎2021-01-20

Just thought I would share this in case anyone else finds themselves in this situation.

My customer called and he was getting failed to connect to the server errors from ViewX and Server Configuration.

He was trying to get a remote OPC connection working on his own and one thing he tried was enabling the

Client Access Control List in the Server Configuration. Turns out he did not have any IP addressing set in the list.

We fixed his from the registry by setting ClientAccessControlListEnabled to False and restarting the database service.

Not having used this setting before I was curious so I tried a few things on my development system, and found that if the node name in Configure Connections was set to localhost or 127.0.0.1 I could still connect.

When using the server's IP address for the node name the IP address had to be in the list to connect (this is what I expected).

I could not use the computer name for the node name. I assume that is because you can only specify IP addresses in the Client Access Control List.

My customer was also using the computer's name for his node name so he would have been in trouble even if he set the IP in the list.

BevanWeiss · ‎2021-01-20

I would have expected that even with 'Client Access Control List' enabled, local ViewX / Server Configuration / Server Status connections (i.e. from the machine running GeoSCADA) would have been allowed.

Otherwise that would be a real easy way to lock yourself out from the database, and hand editing of the registry would be required to fix that up.

Interesting that the node name came into it though.

I would have thought a client on the server could refer to the server as anything it wanted (e.g. localhost, 127.0.0.1, fred, scadaserver01, etc) and as long as the client was still launched from the local host it would have been allowed.

Lead Control Systems Engineer for Alliance Automation (VIC).
All opinions are my own and do not represent the opinions or policies of my employer, or of my cat..

geoffpatton · ‎2021-01-21

I was also surprised at the behavior which is why I tested all the scenarios I could think of. In the future I know localhost or 127.0.0.1 will work so I can just change to that to fix things and then keep out of the registry.

I can believe that there is an underlying reason that makes allowing any defined local connection from the local not feasible. However a warning in the server configuration tool might be a good idea and the help does not say anything about this that I can find.

I also don't have a client so I did not test if a Client has to have its connection's node name set to the server's IP address.

Anonymous user · ‎2021-01-21

Thank you for sharing! Wery interesting "Feature" )