OPC-UA Server Loopback Connection Issue after Adding Additional Client

We recently added another client to our Ignition OPC-UA server. We had some issues setting up the client, which are already addressed in other posts, but eventually they connected properly.

A little while later we discovered our loopback connection had faulted and would not connect.

The original error was "no matching endpoints found", so we went through discovery again and retried the connection.
The new error after this was "Bad_UserAccessDenied", but nobody had changed the password on opcuauser. Just to be sure, we set the password for the opcuauser and in the connection multiple times, but the error remained. Meanwhile the 3rd party client was connected just fine with that same user.

Our sister location was having similar issues, only in their case the 3rd party client was refusing to connect so they set up a separate user for that client.

We tried making a separate user for our loopback connection and it worked right away.

Is it the case that the OPC-UA server rejects multiple connections from the same user? It makes sense from a security standpoint to give every client its own credentials but I couldn't find the explicit rejection documented anywhere.

No, not the case.

Maybe look at the OPC UA server settings (not the connection) and make sure nobody changed the authentication profile to something else.

Also note that any changes to server settings require a restart, and it's possible somebody made changes, never restarted, then a later restart caused them to go into effect.

Is that a restart of the OPC UA Module or a restart of the entire gateway?
Our authentication profile is set to None thanks to the client not ever connecting when authentication was enabled (despite the client offering Basic256Sha256 as an option). We restarted the module every time we changed a setting.

Module or Gateway should suffice.

It sounds like you are mixing up Security Policy / Mode and Authentication Profile, though.

Oh sorry, I did mean Security Policy. Our Authentication Profile (or rather user source) is set to opcua-module as per default, and had only the default opcuauser. The only change was that the password had been changed from the default password some time ago but had never caused any issues.

OK, the setting is actually called "User Source" I guess: Ignition's OPC UA Server | Ignition User Manual

Anyway, my point is, the only way you get "Bad_UserAccessDenied" out of the blue is:

  1. somebody disabled anonymous access, and your connection was configured for anonymous access
  2. somebody changed the username or password on the connection config
  3. somebody changed the user source / auth profile on the server config

I'll have to experiment further on one of our test gateways. It's weird that setting the password on opcuauser and on the connection didn't fix it if it's just a changed password.

It may be that someone changed a setting and didn't restart the module, but we restarted the module as part of troubleshooting (after checking that the authentication settings were all as expected) and that didn't resolve the issue.
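
The distinction drawn in this thread between Security Policy / Mode and the User Source, as an added example that is not part of any post and is not Ignition's code. It is a simplified model that assumes endpoint selection looks only at policy and mode and that the identity check happens afterwards; `diagnose`, the endpoint set and all credentials are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Connection:
    security_policy: str              # e.g. "None", "Basic256Sha256"
    security_mode: str                # "None", "Sign", "SignAndEncrypt"
    username: Optional[str] = None    # None means anonymous
    password: Optional[str] = None

def diagnose(endpoints, conn, users, anonymous_allowed):
    """Return (stage, result) for one connection attempt against the model."""
    # Stage 1: endpoint selection looks only at Security Policy / Mode.
    if (conn.security_policy, conn.security_mode) not in endpoints:
        return ("endpoint", "no matching endpoints found")
    # Stage 2: the identity is checked against the server's user source.
    if conn.username is None:
        ok = anonymous_allowed
    else:
        ok = conn.username in users and users[conn.username] == conn.password
    return ("identity", "Good" if ok else "Bad_UserAccessDenied")

# Constructed sample data (not taken from any real gateway).
ENDPOINTS = {("None", "None")}
USERS = {"opcuauser": "example-pw"}
OTHER_SOURCE = {"operator": "example-pw"}
GOOD = Connection("None", "None", "opcuauser", "example-pw")

def run_scenarios():
    """One case per failure discussed in the thread, plus a working baseline."""
    return {
        "policy mismatch": diagnose(ENDPOINTS,
            Connection("Basic256Sha256", "SignAndEncrypt", "opcuauser", "example-pw"),
            USERS, False),
        "baseline": diagnose(ENDPOINTS, GOOD, USERS, False),
        "1. anonymous disabled": diagnose(ENDPOINTS,
            Connection("None", "None"), USERS, False),
        "2. connection password changed": diagnose(ENDPOINTS,
            Connection("None", "None", "opcuauser", "stale-pw"), USERS, False),
        "3. user source changed": diagnose(ENDPOINTS, GOOD, OTHER_SOURCE, False),
    }

if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

In this model a policy or mode mismatch never reaches the credential check, so the two error messages point at different settings.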