Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Users Logon to SRM with SSO but SAPGUI User ID Gets Locked

Go to solution
Former Member

‎03-18-2011 4:38 PM

0 Kudos

Our buyers' user IDs get locked in SRM SAPgui production system but they can still use single sign on to logon to SRM in the Portal. What could they be doing to lock their passwords for multiple incorrect attempts since they are logged on automatically to SRM system with their network ID? I find out about it when the buyer cannot be added as an additional approver in a shopping cart.

Thank you,

Cynthia

1 ACCEPTED SOLUTION

Go to solution
Former Member

‎03-21-2011 9:34 AM

0 Kudos

Hi,

Did you set a mandatory password change each x months or weeks ?

We had this setup and the users got locked because of this.

Our solution was to disable the users passwords. They use spnego/Kerberos SSO for HTML access and snc SSO for sapgui access.

Regards,

Olivier

8 REPLIES 8

Go to solution
Former Member

‎03-21-2011 9:34 AM

0 Kudos

Hi,

Did you set a mandatory password change each x months or weeks ?

We had this setup and the users got locked because of this.

Our solution was to disable the users passwords. They use spnego/Kerberos SSO for HTML access and snc SSO for sapgui access.

Regards,

Olivier

Go to solution
Former Member
In response to Former Member

‎03-22-2011 6:01 PM

0 Kudos

We will be disabling passwords for the end users in the SAPgui.

Thank you all for your input.

Best regards,

Cynthia

Go to solution
Former Member
In response to Former Member

‎03-31-2011 6:54 AM

0 Kudos

Hi Cynthia,

I am also facing a similar issue in my system (users who existed on the system prior to SSO implementation gets password change prompt even after SSO is up and running). For these users as well, I need to disable passwords.

1.Can you help me with how you disbaled passwords for many users at one go in GUI?

2. Where did you check the password state (active/de-active) of the users in general?

(I saw USR02-->PWDSTATE but not very sure if that is the right field to check).

Soumya

Go to solution
Former Member
In response to Former Member

‎03-31-2011 5:20 PM

0 Kudos

Soumya,

The field USR02-UFLAG will show if users are locked. Value 128 is locked for multiple attempts. We are going to write a conversion program using function BAPI_USER_CHANGE to mass change all the SU01 users. You can read more about this BAPI at this link:

Good luck!

Cynthia

Go to solution
Former Member

‎03-21-2011 10:32 AM

0 Kudos

Hello,

Just check user attribute and and details.. it it locked what kind of lock9Admin or incorrect log on lock..

Thanks,

PKP

Edited by: Prasant Ku Paichha on Mar 21, 2011 12:22 PM

Go to solution
Bernhard_SAP
Employee
Employee

‎03-21-2011 10:54 AM

0 Kudos 
Cynthia Servais wrote:
Our buyers' user IDs get locked in SRM SAPgui production system but they can still use single sign on to logon to SRM in the Portal.

HI Cynthia,

are you sure, that the users get locked (wrong passwords would cause a usr02-uflag value of 128), or are their passwords deactivated only?

Have a look at the parameter login/password_change_for_SSO (note 441452). Maybe its set to '3'....

b.rgds, Bernhard

Go to solution
Former Member

‎03-21-2011 4:20 PM

0 Kudos

Thank you all for your suggestions. I have forwarded this info to our security analyst and will let you know ASAP what the solution is. By the way, the usr02-uflag value is 128 for the locked users.

Best regards,

Cynthia

Go to solution
Former Member
In response to Former Member

‎03-22-2011 10:34 AM

0 Kudos

Hello,

Since i was looking into sam FAQS, here found this may be helpful for you.

Thanks,

PKP