
System received expired SSO ticket

Amey-Mogare
Contributor
0 Kudos

Hello All,

Portal version: NW CE 7.3 EHP1

I have a Web Dynpro Java application that calls RFC using Adaptive RFC model.

We are facing an intermittent issue where we see the below error and model execution fails:

Caused by: RfcException: [null]

    message: System received an expired SSO ticket on AB1 mshost ab1.mysystem.com

    Return code: RFC_SYS_EXCEPTION(3)

    error group: 103

    key: RFC_ERROR_LOGON_FAILURE

I checked SAP Note 947376 and set login.ticket_lifetime and SessionExpirationPeriod both to 16hrs.

And also, in addition to this, I include below line after model execution so that it closes JCO connection: -

wdContext.currentZ_Model_InputElement().modelObject().modelInstance().disconnectIfAlive();

But still the same error is occurring intermittently.

Also, looked at SAP Note 1130191, but it is not clear 'what' needs to be done as solution.

Any more ideas on this?

Thanks & Regards,

Amey Mogare

Accepted Solutions (1)


hemanth2
Product and Topic Expert
0 Kudos


Hi Amey,

 

Hope you are doing good.

Nice to hear from you again.


Has the SSO ticket expired, and is it loaded correctly? Refer to SAP Note 1083421 and configure the SSO settings again. Please run the SSO2 wizard and then make the automatic connection to the ABAP server. This will solve any inconsistencies on the server due to manual interventions.

More help:

http://wiki.sdn.sap.com/wiki/display/EP/Troubleshooting+SSO+between+AS-ABAP+and+AS-JAVA

and

http://scn.sap.com/community/netweaver-administrator/blog/2012/05/14/bye-bye-strustsso2-new-central-...


Also the SSO enabling parameters should be set on the R/3 server.
SSO Logon Ticket-> login/accept_sso2_ticket and login/create_sso2_ticket
More info:
http://help.sap.com/saphelp_nw04/Helpdata/EN/22/41c43ac23cef2fe10000000a114084/frameset.htm

Thank you!

____________

Kind Regards,

Hemanth

SAP AGS

hemanth2
Product and Topic Expert
0 Kudos

Amey,

There is another workaround in such cases which I would like to point out. We have seen similar issues previously when the Authentication Ticket Type for the system connection used is SAP Logon Ticket. You need to be using SAP Assertion Ticket.
Please refer to Note 1166904 "Assertion ticket SSO for Web Dynpro Java JCO destinations" and SAP Note No. 1554000.
If you are using SSO ticket authentication, then you may need to switch to SSO with assertion ticket authentication (given you meet the prerequisites). The option "SSO ticket" can lead to problems like "SSO ticket expired" as the SSO ticket is reused for subsequent RFC calls and this can be intermittent as in your case. The new option "Assertion ticket" means that the ticket used for Single Sign On in the connection to the R/3 backend system is only used once thus avoiding problems inherent to the SSO ticket mechanism. It's thus recommended to re-configure the system connection/ Jco connection from SSO ticket to Assertion Ticket.

Regards,

Hemanth

Amey-Mogare
Contributor
0 Kudos

Hello Hemanth,

Thanks for prompt replies.

In your 2nd reply, you mean I should go into NWA > Config > Security > Destinations and there modify logon data for this destination to use 'Assertion ticket' as logon method?

Thanks & Regards,

Amey

hemanth2
Product and Topic Expert
0 Kudos

Hi Amey,

Exactly.

However you need to make sure that the prerequisites are met as mentioned earlier.

Kind regards,
Hemanth

hemanth2
Product and Topic Expert
0 Kudos

Hi Amey,

If you wish to use only SSO, then you need to investigate further to narrow down the issue, whether it is with the ABAP server, J2EE, tickets, etc.:

1) Clear all the browser cache.

2) Set the security trace level in the ticket accepting system (R/3 server):
   1. Call transaction SM50 (process list).
   2. Process -> Trace -> Reset -> Workprocess Files
   3. Key combination: F5 (select all), CTRL-Shift-F7 => Dialog box
   4. Set trace level=3 and ONLY(!) check the "Security" component.

   If necessary, you must repeat these steps for each server (see transaction SM51), unless you can use a specific server for reproducing the error (for example, by excluding the load distribution).

3) Run the web diagtool as outlined in note 1045019 (example 1). It will be ideal to run it on the server 0 (check note 1589567 on how you can do this).

4) While the diagtool is running, please reproduce a failed SSO to the backend.

5) When the SSO fails, wait a minute and then press return in the diagtool console so that the resulting traces are picked up.

6) Check the traces at the time at which you reproduced the issue (using the userID involved).

You can also use the below link to search for the specific error in the R/3 traces.
http://scn.sap.com/docs/DOC-57078

Thanks and Best regards,
Hemanth
P.S: If you wish to check if SSO between the ABAP and the J2ee server is working, test using the method mentioned in note 1903560.

Amey-Mogare
Contributor
0 Kudos

Thanks a million for your elaborate help & replies, Hemanth.

I am working as per your suggestions now and will update the thread with latest findings.

hemanth2
Product and Topic Expert
0 Kudos

That's no problem, Amey. Please keep us posted.


Kind Regards,

Hemanth Kumar

SAP SSC Ireland


Amey-Mogare
Contributor
0 Kudos

Hello Hemanth,

It is made clear from customer side that we cannot modify authentication type to assertion ticket. So I am left with only option, i.e., to make sso ticket working.

So I think the steps you mentioned in your reply on Nov 21, 2014 4:21 PM, I need to follow closely, right?

I could check the SSO2 wizard. And I see that the involved ABAP system is present in the Trusted systems list and also certificate validity is (green) OK.

Also, one thing I noticed, in SSO2 wizard, there is a button 'Show SSO Configuration'.

Here I saw that value of 'login.ticket_lifetime' is 8 hrs, whereas in NWA > Config > Infra > Java sys properties > Services > User Management Engine, same parameter has value 16 hrs.

Would this inconsistency matter? (btw I have modified this value and also sessionexpirationperiod to 16 hrs as per sapnote# 947376.)

Thanks & Regards,

Amey

hemanth2
Product and Topic Expert
0 Kudos

Hi Amey,

Not really. Most likely the ticket is not being accepted by the ABAP server. Do follow the exact steps I mentioned so that we can find the root cause.


Let me also list some common issues that lead to such SSO cases:

1) See SAP Note 1761987, point 7, and synchronise the ABAP and the J2EE server clocks. This will make sure that the ABAP and the J2EE server have the same time, as this can lead to such issues.

2) Set the expiration of security session and SSO ticket timeout to the same value, as SAP Note 842635 recommends:

"b) Setting security session and SSO timeout Please set the timeout value for the security sessions (default 27h) and the timeout value for the SSO ticket (default 8h) to the same value. It should be a value that is higher than the maximum working time of an employee, e.g. 16 hours."

The parameters are: login.ticket_lifetime and SessionExpirationPeriod.

3) Do make sure that you are on the latest SAPJVM level so that the issues as mentioned in SAP Note No. 1367871 do not occur.

4) The client mentioned in the J2EE UME property login.ticket_client should be part of the /nSTRUSTSSO2 ACL.
There is a possibility that login.ticket_client is set to, say, 000, which is already a client in the ABAP server. If so, SSO may not work because client 000 is also available on the ABAP server. This leads to inconsistency and we have seen similar issues in the past. The only option is to change the login.ticket_client value to a client that is not present in the ABAP server (say 005) and restart the J2EE server. Then run the SSO2 wizard (SAP Note 1083421) and this will update the strustsso2 table and you should be good to go.

5) Do see note 1055856, which has more on issues on the ABAP end.

Regards,
Hemanth
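
How points 1 and 2 above interact, as an added example that is not part of the thread and not SAP code: a simplified model (an assumption, not SAP's implementation) in which the accepting system compares the age of the reused logon ticket against its own clock. The function names and the three constructed cases are illustrative only.

```python
from datetime import timedelta

H = timedelta(hours=1)

def failure_window(ticket_lifetime, session_lifetime, acceptor_skew=timedelta(0)):
    """Session ages at which the portal session is still alive but the
    logon ticket issued at login is already expired for the acceptor.

    acceptor_skew = acceptor (ABAP) clock minus issuer (AS Java) clock.
    Returns (start, end) as timedeltas, or None if no such window exists.
    """
    start = max(ticket_lifetime - acceptor_skew, timedelta(0))
    return (start, session_lifetime) if start < session_lifetime else None

def call_outcome(session_age, ticket_lifetime, session_lifetime,
                 acceptor_skew=timedelta(0)):
    """Classify one backend call that reuses the ticket issued at login."""
    if session_age >= session_lifetime:
        return "relogin"              # session ended, a fresh ticket is issued
    if session_age + acceptor_skew >= ticket_lifetime:
        return "expired_sso_ticket"   # the RFC_ERROR_LOGON_FAILURE case
    return "ok"

def report():
    # Constructed cases: (ticket lifetime, session lifetime, clock skew)
    cases = {
        "defaults: 8h ticket, 27h session": (8 * H, 27 * H, timedelta(0)),
        "both set to 16h": (16 * H, 16 * H, timedelta(0)),
        "both 16h, acceptor 5 min ahead": (16 * H, 16 * H, timedelta(minutes=5)),
    }
    return {name: failure_window(*args) for name, args in cases.items()}

if __name__ == "__main__":
    for name, window in report().items():
        print(f"{name}: {window}")
```

With the default values only sessions older than 8 hours fail, which is why the error looks intermittent; aligning both timeouts closes the window, and a clock offset on the accepting side reopens a small one.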

hemanth2
Product and Topic Expert
0 Kudos


You have a very understanding customer there:

"
It is made clear from customer side that we cannot modify authentication type to assertion ticket.
"

Amey-Mogare
Contributor
0 Kudos

Thanks a lot Hemanth! Truly, thanks a trillion. 🙂

Happy Thanksgiving 🙂

hemanth2
Product and Topic Expert
0 Kudos

Thank You Amey .

If you face any issues, it would be better to close this thread and move it to

<http://scn.sap.com/community/netweaver-administrator>

as you will get better responses.
This is not really a WD issue

Amey-Mogare
Contributor
0 Kudos

Hello Hemanth,

Thanks for reply.

We are now trying to use 'Current User (Assertion ticket)' mechanism in modeldata destination.

But getting some issues.

As suggested by you, I am posting this new question on http://scn.sap.com/community/netweaver-administrator

Thanks a lot for all your help so far.

new thread:

hemanth2
Product and Topic Expert
0 Kudos

Great Amey that you could convince the customer eventually . I guess this thread can be closed; NWA forum is the best one for this.

Kind regards,
Hemanth

Amey-Mogare
Contributor
0 Kudos

Yes Hemanth. After breaking my head searching for the root cause along with Basis colleagues (we don't have full access on NWA), I could finally convince to give a try to the 'Assertion ticket' approach.

Yes, we can close this thread. Although I feel a bit sad that I could not locate root cause that could have been helpful to other people who will face same issue and look up to this thread.

Thanks a million for your help.

Thanks & Regards,

Amey

hemanth2
Product and Topic Expert
0 Kudos

Hi Amey,

Hope you are doing good.

This was quite a recurring issue, hence I created the below blog:

I hope it is fine and maybe useful to others as well in future .

_ _ _ _ _ _ _ _ _

Kind Regards,

Hemanth
SAP AGS
_ _ _ _ _ _ _ _ _
 

Amey-Mogare
Contributor
0 Kudos

Thanks a lot, Hemanth. That would be really helpful.
