Validity: valid since 14.10.2010
Symptom
- During an (RFC) logon, the system displays the following text:"You are not authorized to logon to the target system (error code...)"
with an error code number whose meaning is unclear to you.
- You find the following unfamiliar lines in the developer trace file (dev_w..):
DyISigni: client=..., user=..., lang=... , access=..., auth=...
usrexist: effective authentification method: ....DyISigni: return code=... (see Note 320991)
RFC logon error code
Reason and Prerequisites
The extended trace messages (starting from trace level 2, for the "Security" component, you can activate them dynamically using transaction SM50) are available starting from the following kernel versions:
- 4.6D kernel starting from patch level 141
- 4.5B kernel starting from patch level 506
Explanation of the error codes / return codes
0 No error - successful logon
1 Incorrect logon data (client, user name, password)
2 User is locked (by the administrator or on account of failed logon attempts)
3 Incorrect logon data; for SAPGUI: connection closed
4 Logon using emergency user SAP* (refer to Note 2383)
5 Error when constructing the user buffer (==> possibly a follow-on error!)
6 User only exists in the central user administration (CUA)
7 Invalid user type
8 User account outside validity period
9 SNC name and specified user/client do not match
10 Logon requires SNC (Secure Network Communication)
11 No SAP user with this SNC identification in the system
12 ACL entry for SNC-secured server-server link is missing
13 No suitable SAP account found for the SNC name
14 Ambiguous assignment of SNC names to SAP accounts
20 Logon using logon ticket is deactivated
21 Syntax error in the received logon ticket
22 Digital signature check for logon ticket fails
23 Logon ticket issuer is not in the ACL table
24 Logon ticket is no longer valid
26 Ticket contains no/an empty ABAP user ID
30 Logon using X.509 certificate is generally deactivated
31 Syntax error in the received X.509 certificate
32 X.509 certificate does not originate from the Internet Transaction Server
34 No appropriate SAP account found for the X.509 certificate
35 Ambiguous assignment of X.509 certificate to SAP accounts
41 No suitable SAP account found for the external ID
42 Ambiguous assignment of external ID to SAP accounts
50 Password logon is deactivated
51 Initial password has not been used for too long
52 User does not have a password
53 Password lock active (too many failed logons)
54 Productive password has not been used for too long
100 Client does not exist
101 Client is currently locked for logons (upgrade running)
1001 Password has expired - interactive change required (RFC/ICF)
Explanations for "access" and "auth":
access=A ==> dialog logon
access=B ==> background processing (batch)
access=C ==> CPIC
access=F ==> RFC (from 4.6C: internal RFC)
access=R ==> RFC (from 4.6C: external RFC)
access=S ==> RFC system call (SRFC) (from 4.6C)
access=U ==> user switch (internal call) (from 4.6C)
access=H ==> HTTP (from 5.0A)
access=u ==> restore session (ABAP class CL_USERINFO_DATA_BINDING)
access=' ' ==> API call (for example, SUSR_CHECK_LOGON_DATA)
auth=P ==> password-based authentication (standard)
auth=T ==> mySAP.com logon ticket (refer to Note 177895)
auth=X ==> X.509 client certificate (from 4.5A)
auth=E ==> external authentication (PAS, SAML, ...)
auth=S ==> SNC (refer to Notes 66687 or 121178)
auth=R ==> internal RFC or trusted system RFC
auth=A ==> internal call on account of background processing
auth=U ==> inverse user switch (ABAP class CL_USER_POC)
Solution
How should users or user administrators react to the error messages (code numbers) described above?
1 Incorrect logon data (client, user name, password)
User: check the logon data entered (enter data again)
Admin: check the logon data for the service users, for example in the ITS service file
(usually wrong client) or in the RFC destinations
(usually wrong password)
2 User is locked (by administrator or on account of failed logons)
User: Contact user administrator / helpdesk
Admin: Release lock(s) (transaction SU01)
3 Incorrect logon data; for SAPGUI: connection closed
see 1
4 Logon using emergency user SAP* (refer to Note 2383)
User: no error - logon successful
Admin: deactivate the automatic user SAP* if necessary
(Note 68048)
5 Error when constructing the user buffer (==> possibly a follow-on error!)
User: Contact user administrator / helpdesk
Admin: solve technical problem (refer to Note 10187)
6 User only exists in the central user administration (CUA)
User: check the logon data entered (enter data again)
Admin: check settings for the central user administration
(refer to Note 159885)
7 Invalid user type
User: check the logon data entered (enter data again)
Admin: change user type (transaction SU01)
8 User account outside validity period
User: Contact user administrator / helpdesk
Admin: change validity period (transaction SU01)
9 SNC name and specified user/client do not match
User: check the logon data entered (enter data again)
Admin: change SNC assignment if necessary (transaction SU01)
10 Logon requires SNC (Secure Network Communication)
User: Contact system administrator / helpdesk
Admin: check SNC settings (refer to "SNC User's Guide")
11 No SAP user with this SNC identification in the system
User: Contact system administrator / helpdesk
Admin: if necessary, enhance or correct SNC name mapping ==> R/3 account (table USRACL(EXT))
(transaction SU01)
(see: SAPnet - http://service.sap.com/security:
-> Security in Detail -> Infrastructure Security:
"SNC User's Guide")
12 ACL entry for SNC-secured server-server link is missing
User: Contact system administrator / helpdesk
Admin: if necessary, enhance or correct SNC name mapping ==> access types (table SNCSYSACL)
(transaction SNC0).
This setting is necessary for
X.509 certificate logons, external IDs or
SNC-secured system-system links (RFC)
(see: SAPnet - http://service.sap.com/security:
-> Security in Detail -> Secure User Access -> Authentication & Single Sign-On:
"SNC User's Guide" or
"X.509 Certificate Logon via the ITS")
13 No suitable SAP account found for the SNC name
User: Contact system administrator / helpdesk
Admin: see Section 11 (=> Note 650347)
14 Ambiguous assignment of SNC names to SAP accounts
User: Contact system administrator / helpdesk
Admin: see Section 11 (=> Note 650347)
20 Logon using logon ticket is deactivated
User: Contact system administrator / helpdesk
Admin: Set profile parameter login/accept_sso2_ticket = 1
(Refer to Note 177895 - Technical Prerequisites)
21 Syntax error in the received logon ticket
User: Contact system administrator / helpdesk
Admin: analyze the error by trace (Level 2, only "Security" component)
contact the SAP Hotline if necessary (BC-SEC)
22 Digital signature check for logon ticket fails
User: Contact system administrator / helpdesk
Admin: analyze the error by trace (Level 2, only "Security" component)
check settings using transaction SS02,
(configuration error, refer to Note 177895),
contact SAP Hotline if necessary (BC-SEC-SSF)
23 Logon ticket issuer is not in the ACL table
User: Contact system administrator / helpdesk
Admin: analyze the error by trace (Level 2, only "Security" component)
check settings using transaction SS02
(configuration error, ACL table: TWPSSO2ACL,
see Note 177895)
24 Logon ticket is no longer valid
User: log on to the Workplace server (ticket issuer) again
Admin: extend the ticket validity period if necessary
(profile parameter login/ticket_expiration_time)
26 Ticket contains no/an empty ABAP user ID
See Note 1159962.
30 Logon using X.509 certificate is generally deactivated
User: Contact system administrator / helpdesk
Admin: set profile parameter snc/extid_login_diag = 1 if necessary
(see: SAPnet - http://service.sap.com/security:
-> Security in Detail -> Secure User Access -> Authentication & Single Sign-On:
"X.509 Certificate Logon via the ITS")
31 Syntax error in the received X.509 certificate
User: Contact system administrator / helpdesk
Admin: analyze the error by trace (Level 2, only "Security" component)
contact SAP Hotline if necessary (BC-SEC-SSF)
32 X.509 certificate does not originate from the Internet Transaction Server
User: Contact system administrator / helpdesk
Admin: Check the configuration - this error is very rare,
analyze the error by trace (Level 2, only "Security" component)
contact the SAP Hotline if necessary (BC-SEC)
34 No appropriate SAP account found for the X.509 certificate
User: Contact system administrator / helpdesk
Admin: Check the X.509 certificate mapping ==> R/3-Account
(Table USREXTID, TYPE=DN using view VUSREXTID, SM30),
analyze the error by trace (Level 2, only "Security" component)
(display X.509 certificate contents).
(see: SAPnet - http://service.sap.com/security:
-> Security in Detail -> Secure User Access -> Authentication & Single Sign-On:
"X.509 Certificate Logon via the ITS")
35 Ambiguous assignment of X.509 certificate to SAP account
User: Contact system administrator / helpdesk
Admin: Check the X.509 certificate mapping ==> R/3-Account
(as for error code 34), alternatively you can enter
USER=* as part of the logon process (RFC) and thereby force the mapping onto the
"selected" entry (No. 000).
41 No suitable SAP account found for the external ID
--- analogous to error code 34, difference: different TYPE assignment
42 Ambiguous assignment of external ID to SAP accounts
--- analogous to error code 35, difference: different TYPE assignment
50 Password logon is deactivated
User: contact system administrator / helpdesk or
use other logon variant (=> Single Sign-On)
Admin: see note 379081: Profile parameters
- login/disable_password_logon
- login/password_logon_usergroup
51 Initial password has not been used for too long
User: Contact user administrator / helpdesk
Admin: assign new password (transaction SU01)
see note 379081: Profile parameters
- login/password_max_new_valid
- login/password_max_reset_valid
- login/password_max_idle_initial (from 7.00)
52 User does not have a password
User: Contact user administrator / helpdesk
Admin: assign new password (transaction SU01)
53 Password lock active (too many failed logons)
User: Contact user administrator / helpdesk
Admin: release lock and assign new password if necessary
see note 939017: Distinction between types of locks
54 Productive password has not been used for too long
User: Contact user administrator / helpdesk
Admin: assign new password (transaction SU01)
see note 862989: Profile parameter
- login/password_max_idle_productive
100 Client does not exist
User: check the logon data entered (enter data again)
Admin: check the logon data for the service users, for example in the ITS service file
or in the RFC destinations (client specification)
101 Client is currently locked for logons (upgrade running)
User: contact system administrator / helpdesk or
carry out logon at a later stage
Admin: See Note 12946.
1001 Password has expired - interactive change required (RFC/ICF)
User: Contact system administrator / helpdesk
Admin: set profile parameter rfc/reject_expired_passwd = 0 or
profile parameter icf/reject_expired_passwd = 0
(see Notes 161146 and 454962)
Sap Basis And Security: Sap Note 320991 - Error Codes During Logon (List) >>>>> Download Now
ReplyDelete>>>>> Download Full
Sap Basis And Security: Sap Note 320991 - Error Codes During Logon (List) >>>>> Download LINK
>>>>> Download Now
Sap Basis And Security: Sap Note 320991 - Error Codes During Logon (List) >>>>> Download Full
>>>>> Download LINK