
Is it possible to disable "Secure Login Authentication Profile Lock and Unlock"?

0 Kudos

Hi all,

Does anybody know how to disable the Secure Login Server feature "Secure Login Authentication Profile Lock" (A Secure Login authentication profile locks itself when it detects a serious problem)? Is it possible to turn this "security feature" off?

Best Regards

Kai

Accepted Solutions (1)

0 Kudos

Problem solved by using SAP NW SSO 2.0 SP2.

sebastian_peroni
Explorer
0 Kudos

Hello Kai.

We are using:

Version: 2.0

Support Package:    3

Patch Level:    2

And we are still getting profile "locks" whenever a user has corrupted UPN data. It's a problem because it affects all the other users trying to use that profile.

Which Service Pack has resolved this or provides a feature to disable it?

Thanks

former_member200373
Participant
0 Kudos

Sebastian,

There is no way to turn off profile locking. But such locks should only occur if the configuration of SLS is corrupted somehow, not if user data don't fit during enrollment.

Could you explain what "corrupted UPN data" means? Did you configure LDAP/ADS based user name mapping, and you don't get a value for userPrincipalName?

-- Stephan

sebastian_peroni
Explorer
0 Kudos

Hi Stephan!

Our X.509 certificates are granted via SLWC using LDAP authentication against AD.

The certificate CN is the UPN (user principal name) in this format: "id@domain.corp"

We have encountered AD users where the UPN returns without .corp, or using ,corp (comma instead of a dot).

When these users try to authenticate, the profile gets locked.

Error Message

Cannot send an HTTP error response [500 com.sap.securelogin.library.core.ProfileConfigException: The user variable : (AUTH:UPN) can not be resolved but is used. (details: )].

We know it is an AD user problem, but we are looking to avoid the profile lock while reviewing and fixing more than 20.000 AD accounts...

thanks!
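An added example, not part of the original post and not SAP tooling: a Python audit that scans an LDIF export of AD accounts for the UPN defects described above (suffix without .corp, comma instead of a dot, or no userPrincipalName at all), so the affected accounts can be listed and fixed in bulk. The expected suffix `domain.corp` and the sample entries are constructed from the post's "id@domain.corp" format.

```python
import base64

EXPECTED_SUFFIX = "domain.corp"  # assumption: from the post's "id@domain.corp" format
# Constructed LDIF export for illustration; these are not real accounts.
SAMPLE_LDIF = """\
dn: CN=alice,DC=domain,DC=corp
userPrincipalName: alice@domain.corp

dn: CN=bob,DC=domain,DC=corp
userPrincipalName: bob@domain

dn: CN=carol,DC=domain,DC=corp
userPrincipalName: carol@domain,corp

dn: CN=dave,DC=domain,DC=corp

dn: CN=erin,DC=domain,DC=corp
userPrincipalName:: ZXJpbkBkb21haW4uY29ycA==
"""

def parse_ldif(text):
    """Yield one {attribute: value} dict per entry (first value of each attribute)."""
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.replace("\n ", "").splitlines():  # unfold wrapped lines
            name, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>" form
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            entry.setdefault(name.strip().lower(), value.strip())
        yield entry

def classify_upn(upn):
    """Return None for a well-formed UPN, else a short reason string."""
    if not upn:
        return "missing"
    local, at, suffix = upn.lower().rpartition("@")
    if not (local and at):
        return "no user@suffix form"
    if suffix == EXPECTED_SUFFIX:
        return None
    if suffix.replace(",", ".") == EXPECTED_SUFFIX:
        return "comma instead of dot"
    if EXPECTED_SUFFIX.startswith(suffix + "."):
        return "suffix truncated"
    return "unexpected suffix"

def audit(text):
    """Map DN -> reason for every entry whose UPN needs fixing."""
    return {e["dn"]: why for e in parse_ldif(text)
            if "dn" in e and (why := classify_upn(e.get("userprincipalname")))}
```

Calling `audit()` on the text of a real export returns only the accounts that need attention, keyed by DN.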

former_member200373
Participant
0 Kudos

This false lock was fixed in SLS 2.0 SP06.

-- Stephan

sebastian_peroni
Explorer
0 Kudos

Hi Stephan,

We are actually now on SPS 2.0 SP 6 Patch 3,

and today we got another profile lock.

**** SECURE LOGIN PROFILE LOCK ****

Profile 7a1b6e4a-6070-427b-b3a8-57d9a8059be2 locked

REASON: no certificate found for alias User Sub CA

**** SECURE LOGIN PROFILE LOCK ****

Any ideas?

former_member200373
Participant
0 Kudos

Hi,

Did you check if it is true? I.e. what is the status of the User Sub CA?

-- Stephan

0 Kudos

Hi,

We had the same issue with our SSO servers. But after cleaning up the signed certificates under SAP SERVER CA and SSL SERVER CA (exporting and then deleting them out of the SecureLoginServer Certificate store via /SLAC -> certificates), we did not face the issue again.

Best regards

Kai

sebastian_peroni
Explorer
0 Kudos

We have over 20 SLWC "active" profiles serving 20.000 users on a daily basis.

The User Sub CA is up and running.

The problem is that we have these "mysterious" random profile locks, and the SAP logs show nothing else.

This happens once every one or two months.

sebastian_peroni
Explorer
0 Kudos

So, just to be clear...

You deleted all issued server certificates (SAP and SSL)...

And this fixed the SLWC profile Locks?

Thanks.

0 Kudos

Hi,

Yes, we exported and deleted all signed SNC and SSL certificates in SLAC (of course not the SUB CAs) and we're now using a different SSO server (this one is only for signing) for signing.

The issue was affecting all Secure Login Clients, not only the SLWC. We had a lot of them in our cert store, so I guess there was a performance / timeout issue in combination with an LDAP service (for additional attributes).

Best regards

Kai

Answers (0)