cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

SLD User gets locked; four unsuccessful logons every 15 minutes

monika_eggers
Active Participant

on ‎08-18-2011 1:59 PM

0 Kudos

I have a landscape with a PI with the SLD on it. I defined a user with the name SLDUSER and the appropriate authorizations. The PI is a Unicode system, like all systems in the landscape.

There were already some application servers (CRM, Banking Services, Composition Environment) connecting to this SLD and everything went fine.

Now I added another application server, an ERP, for FI-CAx (NW 7.02). As the business partners are distributed via XI through the PI system, the ERP needs to connect to the SLD, too.

I set it up as usual:

- sldapicust: host, port, SLDUSER, password. (What is weird is that there is no test button as in all the other systems ... maybe that depends on the installed EhPs.)

- This generated the destinations (type T = TCP/IP) SLD_UC and SLD_NUC automatically.

- I created destinations SAPSLDAPI and LCRSAPRFC manually in sm59, type T = TCP/IP, set them to Unicode, entered the same (two different) Registered Server Programs that are used in these destinations on all the other servers (CRM, PI, BaS).

- I ran rz70, entered the host and gateway, activated, executed the data collection.

SLDCHECK runs successfully on the ERP system!

The technical system for the BS1 showed up in the SLD as expected.

- I configured the clients / business systems on the SLD.

Now begins the problem. The SLDUSER is now getting locked all the time! It's definitely the ERP system causing it - when I prevent it from accessing the PI (by changing the hosts file on the operating system), the problem stops.

I activated everything critical related to logons and RFCs in sm19 and looked at the logs in sm20. This is what it looks like:

-

17.08.2011 19:40:04 BNK_RFC ilbnkpi1 SAPMSSY1 Password check failed for user SLDUSER in client 001

17.08.2011 19:40:04 BNK_RFC ilbnkpi1 SAPMSSY1 Logon Failed (Reason = 1, Type = U)

17.08.2011 19:40:04 BNK_RFC ilbnkpi1 SAPMSSY1 Password check failed for user SLDUSER in client 001

17.08.2011 19:40:04 BNK_RFC ilbnkpi1 SAPMSSY1 Logon Failed (Reason = 1, Type = U)

17.08.2011 19:40:04 BNK_RFC ilbnkpi1 SAPMSSY1 Password check failed for user SLDUSER in client 001

17.08.2011 19:40:04 BNK_RFC ilbnkpi1 SAPMSSY1 Logon Failed (Reason = 1, Type = U)

17.08.2011 19:40:04 BNK_RFC ilbnkpi1 SAPMSSY1 Password check failed for user SLDUSER in client 001

17.08.2011 19:40:04 BNK_RFC ilbnkpi1 SAPMSSY1 Logon Failed (Reason = 1, Type = U)

17.08.2011 19:55:04 BNK_RFC ilbnkpi1 SAPMSSY1 Password check failed for user SLDUSER in client 001

17.08.2011 19:55:04 BNK_RFC ilbnkpi1 SAPMSSY1 User SLDUSER Locked in Client 001 After Erroneous Password Checks

17.08.2011 19:55:04 BNK_RFC ilbnkpi1 SAPMSSY1 Logon Failed (Reason = 1, Type = U)

17.08.2011 19:55:04 BNK_RFC ilbnkpi1 SAPMSSY1 Logon Failed (Reason = 53, Type = U)

17.08.2011 19:55:05 BNK_RFC ilbnkpi1 SAPMSSY1 Logon Failed (Reason = 53, Type = U)

17.08.2011 19:55:05 BNK_RFC ilbnkpi1 SAPMSSY1 Logon Failed (Reason = 53, Type = U)

-

And it goes on like this. So what happens is this: Every 15 minutes, at :10, :25, :40, :55, there are four unsuccessful logons with SLDUSER. With the fifth logon it gets locked.

Again:

- This stops when I make the PI inaccessible to the ERP.

- SLDCHECK still works completely fine in ERP - until the SLDUSER is locked, of course; then it stops working in all connected systems. It does not result in unsuccessful logons on the PI.

- When I run rz70 on the ERP and run the data collection this also reports success and does not create unsuccessful logons on the PI.

- I have not used the SLDUSER in any other locations besides sldapicust.

So what the hell is wrong with this system?!

Show replies
Show replies
Answer

Accepted Solutions (0)

Answers (1)

Answers (1)

naveen_chichili
Active Contributor
‎08-18-2011 10:03 PM
0 Kudos

Monika,

Did you try to retyping the password in sldapicust ?

If you are using PI 7.0 :

Please check that if your SLDUSER is called with the wrong password in

one of the following locations:

- SLD data supplier Java (in 70 in Visual Admin -> SLD Data Supplier

Service first tab)

- SLD HTTP client ((in 70 in Visual Admin -> SLD Data Supplier Service

second tab)

- SLD ABAP data supplier (transaction RZ70)

- SLD ABAP client (transaction sldapicust)

Regards,

Naveen

Show replies
Show replies
monika_eggers
Active Participant
‎08-19-2011 10:36 AM
0 Kudos

Hi,

Thank you for your suggestions.

Yes, I have tried retyping the password in sldapicust. Also, I can be sure that it is correct there, because when I put a wrong password into sldapicust then sldcheck fails.

The ERP system has no Java instance.

I tried "test connection" on all four sm59 destinations in the ERP system, SLD_NUC, SLD_UC, SAPSLDAPI, LCRSAPRFC. They all appear to be successful. However, they contain no user or password themselves (which is normal), so not sure how much these tests achieve.

The PI system is PI 7.1. Just to be sure I also retyped the password in sldapicust, ran sldcheck and rz70 (successfully), tested SLD_NUC, SLD_UC, SAPSLDAPI, LCRSAPRFC, and went to NetWeaver Administrator and retyped the password in SLD_DataSupplier and SLD_Client (even though the problem can't really be on the PI and must be in the ERP somehow).

monika_eggers
Active Participant
‎08-19-2011 11:18 AM
0 Kudos

I have created a separate user SLDUSER_ER1 just for use in the sldapicust in the new ERP system that causes the problem. Still SLDUSER is getting locked (not SLDUSER_ER1)!

I powered down this ERP system ER1, just to make absolutely sure it is causing the problem - indeed the unsuccessful logon attempts every 15 minutes stopped right away.

As a workaround and for narrowing down the problem I have created separate users SLDUSER_CR1 etc. for each of the other systems in the landscape (CRM and so on) - indeed those do not get any unsuccessful logon attempts.

I have deleted all four SLD-related destinations in ER1 and recreated them from scratch (SLD_NUC and SLD_UC being generated when running rz70). I also used the "delete all batch jobs" button in rz70.

Still, SLDUSER is getting locked.

I checked on the PI system in C:\usr\sap\PI1\DVEBMGS00\j2ee\cluster\server0\log\system\httpaccess\responses_00.0.trc and see it is indeed the IP of the ERP system that gets the error 401 exactly at the times when the unsuccessful logon attempts occur:

[Oct 2, 2011 2:46:06 PM ] - 10.26.83.234 : POST /sld/cimom HTTP/1.1 401 1499 [140]

[Oct 2, 2011 2:46:06 PM ] - 10.26.83.234 : POST /sld/cimom HTTP/1.1 401 1499 [79]

[Oct 2, 2011 2:46:06 PM ] - 10.26.83.234 : POST /sld/cimom HTTP/1.1 401 1499 [62]

[Oct 2, 2011 2:46:06 PM ] - 10.26.83.234 : POST /sld/cimom HTTP/1.1 401 1499 [47]

As the ERP has no Java instance and the sldapicust does not contain the SLDUSER (but the new SLDUSER_ER1) it is a mystery to me what it is that is still running every 15 minutes in the ERP and tries to use SLDUSER.

I went through the entries in SECSTORE and could not find any use of SLDUSER (only of SLDUSER_ER1, as it should be).

Edited by: Monika Eggers on Oct 2, 2011 3:08 PM

monika_eggers
Active Participant
‎10-02-2011 2:50 PM
0 Kudos

PS: In sm37 I do not find any scheduled jobs.

naveen_chichili
Active Contributor
‎10-03-2011 7:37 AM
0 Kudos

Hi Monika,

Could you provide logs if SLDUSER is still locking so that we can find why it is getting locked...

/usr/sap/<SID>/<InstID>/j2ee/cluster/server[X]/log/*

Regards,

Naveen

monika_eggers
Active Participant
‎10-03-2011 10:58 AM
0 Kudos

On the sender (ER1) or on the receiver (PI1)?

I had posted part of a log on PI above1:

C:\usr\sap\PI1\DVEBMGS00\j2ee\cluster\server0\log\system\httpaccess\responses_00.0.trc

Oct 2, 2011 2:46:06 PM - 10.26.83.234 : POST /sld/cimom HTTP/1.1 401 1499 140

Oct 2, 2011 2:46:06 PM - 10.26.83.234 : POST /sld/cimom HTTP/1.1 401 1499 79

Oct 2, 2011 2:46:06 PM - 10.26.83.234 : POST /sld/cimom HTTP/1.1 401 1499 62

Oct 2, 2011 2:46:06 PM - 10.26.83.234 : POST /sld/cimom HTTP/1.1 401 1499 47

That's the IP of the ER1 at the time when the problem (4 unsuccessful logon attempts) happen.

Which other log would be relevant, on which side?

I tried enabling RFC traces on the sender side (ER1): sm50 -> highlight all work processes -> then in the menu Administration -> Trace -> Active Components -> change the trace level to 2 and check Taskhandler and ABAP processor; then look at the traces in RSRFCTRC (or sm59 -> menu RFC -> display trace), and then quickly reset the trace level to the default again in sm50 so that they do not get overwritten. This is the right way to do this, isn't it? (When one does not know which destination or which user is relevant, so that one cannot enable the RFC traces just for that destination / that user.) Anyway, I could not find anything relevant/useful in the RFC trace, but maybe I just don't know what to look at. It just looks like a big mess to me.

former_member182307
Contributor
‎10-03-2011 12:48 PM
0 Kudos

Hello Monika,

Is there any SMD agent running on your ERP instances ?

BR,

Steve.

monika_eggers
Active Participant
‎10-03-2011 1:11 PM
0 Kudos

I am unsure. How do I check?

former_member182307
Contributor
‎10-03-2011 2:09 PM
0 Kudos

Is your ERP instance running on windows or unix ?

If your on Windows then you should see it in your MMC.

If on Unix : ps -ef | grep SMD should return something.

BR,

Steve.

monika_eggers
Active Participant
‎10-03-2011 2:38 PM
0 Kudos

On Windows. It looks like Solution Manager Diagnostics Agent is running on ER1. In SAP Management Console I see two servers, DAA and ER1. I don't know what the DAA is, but there is a node "AS Java Process Table" and it has one entry, "smdagent".

(I am surprised because I was under the impression there is no Java instance - ERP does not need one and under http://hostname:50000 or http://hostname:50000/nwa there is nothing. (Not error 404 but just "cannot display page".))

So I guess the SMD has a configuration for connecting to the SLD and this configuration has SLDUSER with a wrong password entry. I will try to find in the help files where that configuration can be changed.

former_member182307
Contributor
‎10-03-2011 2:44 PM
0 Kudos

This is what I meant. I had the same problem and it turned out to be a problem with the SMD agent configuration. I stopped it to test and didn't have any SLDDSUSER locked anymore. I found out a problem with the SMD agent configuration and you' re right, the SMD logs on SLD with the wrong password.

BR,

S.SOUMAH.

monika_eggers
Active Participant
‎10-03-2011 2:46 PM
0 Kudos

Can you tell me how to change the SMD Agent configuration?

monika_eggers
Active Participant
‎10-03-2011 4:03 PM
0 Kudos

I try to follow this wiki page: http://wiki.sdn.sap.com/wiki/display/SMSETUP/Diagnostics+Agents . It says there should be necessary information about the P4 port at http://er1fullhostname:8197/msgserver/text/logon (port 81XX with XX being the instance, which is 97 for the DAA as I can see in SAP management console and in the folder structure). But there isn't, this page does not load. So I can't figure out how I can make changes to the configuration.

former_member182307
Contributor
‎10-03-2011 11:17 PM
0 Kudos

Hello,

Have you tried this command to reset the correct slddsuser / pwd :

smdsetup sldconf hostname:u201DmySLDhost.domain.corpu201D port:u201D50000u201D user:u201Dslddsuseru201D pwd:u201Dxxxxxu201D

This should be run on the host on which your problematic SMD is running.

Here is the link to the SMD troubleshooting guide :

https://websmp201.sap-ag.de/%7Esapdownload/002007974700000409092009E/DiagAgent_TroubleShooting.pdf

HTH,

BR,

Steve.

Ask a Question