on 12-17-2014 8:32 PM
Hi SCN community,
Kind of an odd ball issue I am seeing in GRC 10.1's emergency access area. We have one particular firefighter that is no longer allowing users to login as it through GRAC_EAM, while other firefighters work just fine. The error we are getting is either:
Incorrect Name/Password
Too many failed attempts account locked
I have attempted:
Reset the password of/unlocked the firefighter account (both to a set value, and the generate password), closed SAP, and tried to logon as the firefighter again
Ran EAM Master Data Sync through SPRO on our GRC box
I do not see any errors in SLG1 or ST22 (both GRC and the plug in system, in this case our ECC environment) that line up with the time of my attempts of trying to logon as the firefighter.
Has anyone seen this happen before, and how did you fix it? My next option im weighing is dropping the account and recreating it.
Thanks,
Josh
Wanted to give everyone an update, the firefighter account is working and I am waiting for final word from SAP on if there was anything else they did. So far here is what was done...and this sounds like a troubleshooting 101 answer....:
1) We have CUA running and hooked up to our GRC and ECC environments
2) The password for the firefighter (FF01 from here on out) was set to deactivated in the production CUA environment
3) Logged into production CUA and went to SU01 --> Change Mode --> Logon Data Tab --> set the password to an initial password --> saved
4) back on the main screen of CUA I went and changed the password, this time using the change password option in CUA and selecting the child system and set its password to the same one from step 3
5) Double checked CUA and ECC to make sure everything was in sync and had the user try it again, only this time it worked.
I know its a simple answer but it got things working, hopefully this helps you guys.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hello Josh,
we are experimenting exactly the same issue with FF on an 4.7 ECC system and AC 10.1. since 17. December.
It is a horror, right before Xmas holidays.
Any further hints are highly appreciated.
Regards,
Ines
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
No luck on dropping and recreating the account. It still is passing the "wrong" password from GRC to the ECC environment, while other firefighters in the same system work just fine. Any ideas on where to go from here?
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Thanks everyone. To answer the questions posed in the above, yes the firefighter account (and all of our firefighter accounts) are service accounts and it and the rfc account are both unlocked and valid (Valid to is null). I have double checked the SPRO parameter and that is still valid and correct as well.
The issue appears to be with the password that GRC is passing to our ECC box for that one firefighter, other firefighters work just fine. I will drop the account and recreate it and see if that clears the issue.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
__Hi Josh,
is the fire fighter a Service (user type)?
If not please change this and reset the password to an Initial pw via SU01 (with the sign to create a new Password - Do not Change the intial pw later.
Only the Dialog User with use the GRAC_EAM should be a Dialog user.´
- Run Program Repository Object sync
- Run Programm EAM Master Data sync
Then try if it works.
If this not work:
Check if
- the real end user (Dialog user) has a SAP_GRAC_SUPER_USER_MGMT_USER role in the target/backend System (and if you allow centralized log on via GRC also in GRC)
- and the ff-user has the role SAP_SPM_FFID in the target / backend system
and repeat the steps abbove.
Hope this will help.
BR
Melanie
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi Melanie,
We have exactly the same issue. Having checked all the pieces of the config, there's nothing amiss ... yet we have this error message. Here's a step by step of what has been checked.
At this time, it's unclear what might be wrong as the entire setup seems correct.
Thanks,
Santosh
Hi,
is the FF-user valid (user Validation date on tab "Logon"? Is the user locked.
Another thing could be the customzing.The role SAP_SPM_FFIDmust be maintained (SPRO -> GRC -> AccessControl-> Maintain Configuration Settings-> Emergency User Access 4010
or the rfc-user or pw is not the same in grc and the target System.
Otherwise the Basis must check the plug-in.
BR
Melanie
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.