on 10-27-2009 10:29 AM
Hi all,
since I changed my password yesterday, my user is locked continuously in our BI-System.
In the syslog I can see, that my User is locked.
In the user-column I see the user SAPJSF.
Seems to have something to do with our portal on the same system!?
How can I figure out, where the wrong logins come from?
Best regards
Davor
When the UME of the Java AS stack is using the ABAP AS as its datasource, any user whose password gets locked will appear as SAP_JSF in the ABAP audit logs. Unfortunately it is not always easy to determine where the invalid credentials are originating, especially without OS level access!
The first thing we will need to get is security tracing from the failed authentication attempt. If the Web Diagtool (see note 1045019) is already on the system, you can start an authentication trace as outlined in example 3 of the note. Otherwise you'll need to use the NWA to change the trace severity of the relevant trace locations manually:
1. Open the SAP NetWeaver Administrator
2. Choose System Management - Configuration - Log Configuration.
3. From the Show dropdown box, select Tracing Locations.
4. For Locations com.sap.engine.services.security
com.sap.security.core.server.jaas
com.sap.security.core.ticket
com.sap.security.core.util
in the column Severity, choose ALL
5. In order for this severity level to be valid for all the child locations, choose Copy to Subtree.
6. Choose Save Configuration.
Next we want to activate HTTP tracing on the dispatcher by setting the value of property HttpTrace to enable (so we can see the request with the invalid credentials if it is arriving over http/https).
The note for this is 724719, but as you do not have OS level access, you can't use the VA and you will have to use the NWA.
Follow the procedure here http://help.sap.com/saphelp_nw70/helpdata/en/18/5157425e060d53e10000000a155106/content.htm
to set httptrace to 'enable'
When you have established that your user password has become locked, stop the web diagtool trace if you have used it.
Either in the web diagtool log or in the defaultTraces of the servers on the instance you should find a trace entry like
Guest | USERACCOUNT.MODIFY | UACC.PRIVATE_DATASOURCE.un:myuser | myuser | SET_ATTRIBUTE: lockreason=[1], SET_ATTRIBUTE: islocked=[true]
You'll see the authentication stack used e.g
LOGIN.FAILED
User: N/A
Authentication Stack: ticket
Login Module Flag Initialize Login Commit Abort Details
EvaluateTicketLoginModule SUFFICIENT ok false true
BasicPasswordLoginModule REQUISITE ok exception true Authentication did not succeed.
CreateTicketLoginModule OPTIONAL ok
You'll also see an entry like the following from location com.sap.security.core.util.SecurityAudit
Guest | LOGIN.ERROR | null | | Login Method=default, Host= 10.xx.xx.xx, UserID=myUser, IP Address= 10.xx.xx.xxx Reason= Authentication did not succeed.
So the IP address can be obtained here (if not, set the UME parameters ume.logon.security_policy.log_client_hostaddress and ume.logon.security_policy.log_client_hostname to true and repeat all the above steps).
So now you have an idea where the request originates and what login module stack is invoked to authenticate the user.
If the request comes over http/https we can check the req_res.trc mentioned in note 724719 to match the http request written there to the LOGIN.FAILED message in the defaultTrace or Web Diagtool,
e.g
[1253029639093]<Timestamp that matches the time of the LOGIN.ERROR in the web diagtool log> - CLIENT: 4096, REQUEST:
{POST /useradmin HTTP/1.1
Host: <hostname>:50300
Authorization: Basic cGFzc3dvcmQ=
Content-Length: 798598
User-Agent: Mozilla/4.0
Content-Type: text/xml; charset="utf-8"
Authorization: Basic cGFzc3dvcmQ= contains the base64 encoded password, so if you decode it you get the incorrect password.
So now we will be able to see the request URL, the application requested and the password.
Unfortunately if the request with the invalid credentials arrives over some other protocol the req_res.trc is of no use and other tracing methods are required which I cannot go into in detail here.
Sorry, I had to divide my answer over 3 replies due to the crazy formatting of the forum
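The correlation the answer above walks through by hand (find the LOGIN.ERROR entry from the SecurityAudit location, find the request in req_res.trc with a matching timestamp, base64-decode its Authorization header), as an added Python example. This is not part of the original thread and not SAP tooling. The two trace excerpts are constructed: the req_res.trc layout follows the snippet on the page, the "YYYY-MM-DD HH:MM:SS:mmm" prefix on the audit lines is an assumed simplification of the defaultTrace record header, both traces are assumed to be in UTC, and every hostname, IP, user and credential is made up.

```python
import base64
import binascii
import re
from datetime import datetime, timezone

# Constructed req_res.trc excerpt (HttpTrace output). Layout follows the
# snippet on the page: "[epoch-ms] - CLIENT: n, REQUEST:" followed by the
# request between "{" and "}". Hostname, IPs and credentials are made up.
REQ_RES_TRC = """\
[1256639340123] - CLIENT: 4096, REQUEST:
{POST /useradmin HTTP/1.1
Host: bihost:50300
Authorization: Basic bXl1c2VyOldyb25nUGFzczE=
Content-Length: 798598
User-Agent: Mozilla/4.0
Content-Type: text/xml; charset="utf-8"
}
[1256639345678] - CLIENT: 4097, REQUEST:
{GET /irj/portal HTTP/1.1
Host: bihost:50300
User-Agent: Mozilla/5.0
}
"""

# Constructed SecurityAudit LOGIN.ERROR lines. The timestamp prefix is an
# assumption (the real defaultTrace record header looks different); the part
# after it mirrors the entry quoted on the page.
SECURITY_AUDIT = """\
2009-10-27 10:29:00:500 Guest | LOGIN.ERROR | null | | Login Method=default, Host= 10.1.2.3, UserID=myuser, IP Address= 10.1.2.3 Reason= Authentication did not succeed.
2009-10-27 10:31:12:000 Guest | LOGIN.ERROR | null | | Login Method=default, Host= 10.9.9.9, UserID=other, IP Address= 10.9.9.9 Reason= Authentication did not succeed.
"""

REQ_HEADER_RE = re.compile(r"^\[(\d+)\] - CLIENT: (\d+), REQUEST:$", re.M)
AUDIT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d:\d+) .*\| LOGIN\.ERROR \|.*?"
    r"UserID=(?P<user>[^,]+), IP Address= ?(?P<ip>\S+) Reason= ?(?P<reason>.*)$",
    re.M,
)


def parse_req_res(text):
    """Split req_res.trc into requests: epoch-ms timestamp, client id,
    request line and a dict of lower-cased header names."""
    requests = []
    chunks = REQ_HEADER_RE.split(text)  # ['', ts, client, body, ts, client, body, ...]
    for i in range(1, len(chunks), 3):
        ts_ms, client, body = int(chunks[i]), int(chunks[i + 1]), chunks[i + 2].strip()
        body = body[1:] if body.startswith("{") else body
        body = body[:-1] if body.endswith("}") else body
        lines = [ln for ln in body.strip().splitlines() if ln.strip()]
        headers = {}
        for ln in lines[1:]:
            name, _, value = ln.partition(":")
            headers[name.strip().lower()] = value.strip()
        requests.append({"ts_ms": ts_ms, "client": client,
                         "request_line": lines[0], "headers": headers})
    return requests


def parse_audit(text):
    """Extract LOGIN.ERROR events (epoch-ms timestamp, UserID, IP, reason)."""
    events = []
    for m in AUDIT_RE.finditer(text):
        # Assumption: trace timestamps are UTC; adjust tzinfo for a real system.
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S:%f").replace(tzinfo=timezone.utc)
        events.append({"ts_ms": int(ts.timestamp() * 1000), "user": m.group("user").strip(),
                       "ip": m.group("ip"), "reason": m.group("reason").strip()})
    return events


def decode_basic(value):
    """Decode an HTTP Basic Authorization value to (user, password).
    Returns (text, None) when the payload has no ':' (like the page's
    'cGFzc3dvcmQ=') and None when it is not valid Basic/base64 at all."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else (raw, None)


def correlate(audit_events, requests, window_ms=2000):
    """For every LOGIN.ERROR pick the request closest in time (within the
    window) that carries an Authorization header, and decode its credentials."""
    matches = []
    for ev in audit_events:
        candidates = [r for r in requests if "authorization" in r["headers"]
                      and abs(r["ts_ms"] - ev["ts_ms"]) <= window_ms]
        if not candidates:
            matches.append({**ev, "request": None})  # came over another protocol, or no Basic auth
            continue
        best = min(candidates, key=lambda r: abs(r["ts_ms"] - ev["ts_ms"]))
        creds = decode_basic(best["headers"]["authorization"])
        matches.append({**ev, "request": best["request_line"], "client": best["client"],
                        "basic_user": creds[0] if creds else None,
                        "basic_password": creds[1] if creds else None})
    return matches


if __name__ == "__main__":
    for m in correlate(parse_audit(SECURITY_AUDIT), parse_req_res(REQ_RES_TRC)):
        print(m)
```

The first audit event lands on the POST /useradmin request (377 ms apart) and yields the user and the wrong password; the second has no request within the window, which is the "arrives over some other protocol" case from the answer. Two practical points: the req_res.trc file now holds credentials in recoverable form, so set HttpTrace back to disable and remove or restrict the trace files once the source is found; and keep the time window small, since on a busy portal several Basic-authenticated requests per second are normal.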
I can't figure out my username in any RFC destination (table RFCDES).
Could you please provide me, how to check the RFC JCO provider?
Hi,
Also, check all RFCs in the JCo RFC Provider in Visual Admin to see whether all of them are running.
Thanks
Sunny
Edited by: Sunny Pahuja on Oct 27, 2009 9:10 PM
Have you defined the same user in any of the RFCs? Change the password in the defined RFC as well.
User | Count |
---|---|
87 | |
10 | |
10 | |
10 | |
7 | |
6 | |
6 | |
5 | |
5 | |
4 |