User locked continuously

Former Member
0 Kudos

Hi all,

Since I changed my password yesterday, my user has been locked continuously in our BI system.

In the syslog I can see that my user is locked.

In the user-column I see the user SAPJSF.

Seems to have something to do with our portal on the same system!?

How can I figure out, where the wrong logins come from?

Best regards

Davor

Accepted Solutions (0)

Answers (4)

former_member432219
Active Participant
0 Kudos

When the UME of the Java AS stack is using the ABAP AS as its datasource, any user whose password gets locked will appear as SAP_JSF in the ABAP audit logs. Unfortunately it is not always easy to determine where the invalid credentials are originating, especially without OS level access!

The first thing we will need to get is security tracing from the failed authentication attempt. If the Web Diagtool (see note 1045019) is already on the system, you can start an authentication as outlined in example 3 of the note. Otherwise you'll need to use the NWA to change the trace severity of the relevant trace locations manually.

former_member432219
Active Participant
0 Kudos

1. Open the SAP NetWeaver Administrator

2. Choose System Management - Configuration - Log Configuration.

3. From the Show dropdown box, select Tracing Locations.

4. For the locations
   com.sap.engine.services.security
   com.sap.security.core.server.jaas
   com.sap.security.core.ticket
   com.sap.security.core.util
   choose ALL in the Severity column.

5. In order for this severity level to be valid for all the child locations, choose Copy to Subtree.

6. Choose Save Configuration.

Next we want to activate HTTP tracing on the dispatcher by setting the value of the property HttpTrace to enable (so we can see the request with the invalid credentials if it is arriving over http/https).

The note for this is 724719 but as you do not have OS level access, you can't use the VA and you will have to use the NWA.

Follow the procedure at http://help.sap.com/saphelp_nw70/helpdata/en/18/5157425e060d53e10000000a155106/content.htm to set HttpTrace to 'enable'.

When you have established that your user password has become locked, stop the web diagtool trace if you have used it.

Either in the web diagtool log or in the defaultTraces of the servers on the instance you should find a trace entry like

Guest | USERACCOUNT.MODIFY | UACC.PRIVATE_DATASOURCE.un:myuser | myuser | SET_ATTRIBUTE: lockreason=[1], SET_ATTRIBUTE: islocked=[true]

You'll see the authentication stack used, e.g.

LOGIN.FAILED
User: N/A
Authentication Stack: ticket
Login Module Flag Initialize Login Commit Abort Details
EvaluateTicketLoginModule SUFFICIENT ok false true
BasicPasswordLoginModule REQUISITE ok exception true Authentication did not succeed.
CreateTicketLoginModule OPTIONAL ok

former_member432219
Active Participant
0 Kudos

You'll also see an entry like the following from location com.sap.security.core.util.SecurityAudit

Guest | LOGIN.ERROR | null | | Login Method=default, Host= 10.xx.xx.xx, UserID=myUser, IP Address= 10.xx.xx.xxx Reason= Authentication did not succeed.

So the IP address can be obtained here (if not, set the UME parameters Ume.logon.security_policy.log_client_hostaddress and ume.logon.security_policy.log_client_hostname to true and repeat all the above steps).

So now you have an idea where the request originates and what login module stack is invoked to authenticate the user.

If the request comes over http/https we can check the req_res.trc mentioned in note 724719 to match the http request written there to the LOGIN.FAILED message in the defaultTrace or Web Diagtool.

e.g.

[1253029639093]<Timestamp that matches the time of the LOGIN.ERROR in the web diagtool log> - CLIENT: 4096, REQUEST:
{POST /useradmin HTTP/1.1
Host: <hostname>:50300
Authorization: Basic cGFzc3dvcmQ=
Content-Length: 798598
User-Agent: Mozilla/4.0
Content-Type: text/xml; charset="utf-8"

Authorization: Basic cGFzc3dvcmQ= contains the base64 encoded password, so decode it to get the incorrect password.

So now we will be able to see the request URL, the application requested and the password.

Unfortunately if the request with the invalid credentials arrives over some other protocol the req_res.trc is of no use and other tracing methods are required which I cannot go into detail here.

Sorry, I had to divide my answer over 3 replies due to the crazy formatting of the forum
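As an added example (not code from the thread or from SAP), the following Python script shows how to automate the correlation described above: it parses constructed samples of a SecurityAudit LOGIN.ERROR line and a req_res.trc request, pairs them by user name, and reports the source IP, URL and request time of each matching request. It decodes the Basic header only far enough to read the user name and discards the password part. The host, IPs and credentials in the samples are made up.

```python
import base64
import re
from datetime import datetime, timezone
# Constructed samples modelled on the trace lines quoted in the answer (IPs, host and credentials made up).
AUDIT_LINES = [
    "Guest | LOGIN.ERROR | null | | Login Method=default, Host= 10.0.0.5, "
    "UserID=myuser, IP Address= 10.0.0.5 Reason= Authentication did not succeed.",
]
REQ_RES_TRC = """[1253029639093] - CLIENT: 4096, REQUEST:
{POST /useradmin HTTP/1.1
Host: portalhost:50300
Authorization: Basic bXl1c2VyOndyb25ncGFzcw==
"""
AUDIT_RE = re.compile(r"LOGIN\.ERROR.*Host=\s*(?P<host>[^,]+),\s*UserID=(?P<user>[^,]+),"
                      r"\s*IP Address=\s*(?P<ip>\S+)\s+Reason=\s*(?P<reason>.*)")
REQ_RE = re.compile(r"^\[(?P<ts>\d+)\] - CLIENT: \d+, REQUEST:\n\{\S+ (?P<url>\S+) HTTP/[\d.]+\n"
                    r"(?P<headers>(?:.+\n)*)", re.M)

def parse_login_errors(lines):
    """Extract host, user, reported IP and reason from SecurityAudit LOGIN.ERROR lines."""
    found = [m for m in map(AUDIT_RE.search, lines) if m]
    return [{k: m[k].strip() for k in ("host", "user", "ip", "reason")} for m in found]

def parse_requests(trc):
    """Split req_res.trc into requests with UTC time, URL and lower-cased header names."""
    reqs = []
    for m in REQ_RE.finditer(trc):
        hdrs = (h.split(":", 1) for h in m["headers"].splitlines() if ":" in h)
        reqs.append({"time": datetime.fromtimestamp(int(m["ts"]) / 1000, tz=timezone.utc),
                     "url": m["url"], "headers": {k.lower(): v.strip() for k, v in hdrs}})
    return reqs

def basic_auth_user(auth_header):
    """Return only the user name from a Basic header; the password part is discarded."""
    scheme, _, token = auth_header.partition(" ")
    try:
        creds = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    return creds.partition(":")[0] if scheme.lower() == "basic" else None

def correlate(audit_lines, trc):
    """Pair each LOGIN.ERROR with the traced HTTP requests that carried the same user."""
    errors, hits = parse_login_errors(audit_lines), []
    for req in parse_requests(trc):
        user = basic_auth_user(req["headers"].get("authorization", ""))
        for err in errors:
            if user and user.lower() == err["user"].lower():
                hits.append({"user": user, "source_ip": err["ip"], "url": req["url"], "time": req["time"]})
    return hits
```

In practice, feed it the real defaultTrace lines and req_res.trc content from the instance; a request whose timestamp lies within a second or two of the LOGIN.ERROR entry is the one to follow up with the owner of the source IP.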

Former Member
0 Kudos

I can't find my username in any RFC destination (table RFCDES).

Could you please tell me how to check the RFC JCO provider?

Former Member
0 Kudos

You can check in Visual Admin: Server --> Services --> JCO Provider.

Former Member
0 Kudos

Unfortunately we have no OS access to our systems (outsourced).

Is there a possibility to check in NWA?

Former Member
0 Kudos

Hello,

Exactly you can find the destination under Infrastructure - Destinations or under JCo Destinations.

Regards,

Hasena

sunny_pahuja2
Active Contributor
0 Kudos

Hi,

Also, check all RFCs in the JCO RFC Provider in Visual Admin to see whether all RFCs are running or not.

Thanks

Sunny

Edited by: Sunny Pahuja on Oct 27, 2009 9:10 PM

Former Member
0 Kudos

Have you defined the same user in any of the RFCs? Change the password in the defined RFC also.