07-22-2015 9:25 AM
Hello,
SAP is asking to change password every time the user is trying to login.
Checking profile parameter will not make sense as this is happening only to one user.
I think the answer lies in USR02 but what exactly will unearth the solution, I am not sure.
Please help
BR
Arya
07-30-2015 1:12 PM
Hi Arya
I haven't commented on this post much as Bernhard already jumped in. I agree with his suggestion to switch on logging for the one user. I haven't worked the Germany market for privacy rules, but are you able to ask the user for permission to temporarily switch it on whilst you troubleshoot? Ask your compliance or audit team if you could get an exception here. If the user cannot log on to the system they might be willing to allow this.
Now if there is a chance of some code related bug (maybe a developer coded somewhere for that specific Id) you could try to create the account in non production and then log/trace there.
For tracing, I would consider ST05 SQL and ST01 for kernel/rfc to attempt to pick up the user and see how far it gets. It might show tables, etc being checked. I'm not a programmer but pretty sure you can't put a break point and debug this as this section of the code for logon sequence is protected. However, if there is some bad code out there it might be causing the password change prompt just after the logon sequence.
Do you get change documents for resetting of the password coming up all the time? Might be a stupid question, but is the user actually changing their password and not pressing cancel? Also, are they logging straight into SAPGui or some other tool?
Guessing game and suggestion is to:
If you still can't get anywhere, it sounds like you need to raise a marketplace message and have SAP experts access system on secure connection to investigate.
Regards
Colleen
07-22-2015 3:17 PM
Hi Arya,
Have you tried to check if that user has any active session in SM04? If yes, that session needs to be terminated.
If that does not work, then the only workaround is to delete that user and recreate it, as there is some miscellaneous user master data issue that will clear only on user deletion.
Thanks,
Shiv
07-27-2015 10:25 AM
Hello Shiv,
Unfortunately, both of your suggested solutions didn't work :(
BR
Arya
07-27-2015 12:37 PM
Hi Arya,
What type of user ID is this? Are you using this ID in any of the RFC connections?
Regards,
Anil
07-27-2015 1:10 PM
07-27-2015 1:50 PM
1) Verify the Login tab in T-code SU01 to see if the user account is associated with any security policy.
2) Verify the table USRPWDHISTORY.
07-27-2015 1:57 PM
Hi,
I recommend to use a structured approach to avoid guessing and a trial/error approach.
1st: create a logon trace
2nd: evaluate the trace to identify the cause why the user needs to change his password
3rd: repair the cause.
Logontrace: SAP note 495911
Docu: SAP note 320991
99% success guarantee.....
b.rgds, Bernhard
07-27-2015 3:01 PM
Hi,
Approach is good but I cannot activate filter for a Dialog user in SM19 except Emergency and OSS user owing to the audit specifications in Germany, hence getting the Logon trace is not possible.
Kindly suggest something else if possible.
BR
Arya
07-29-2015 5:49 AM
SM19: how about dynamic configuration for that particular user? You do not necessarily need SM19/SM20 to evaluate the logon trace; SM19 simply helps you to identify the correct work process. But you can search for the correct one yourself manually.
Bernhard
07-27-2015 7:28 PM
Hi Arya,
Can you check if any security policy is active for this user?
Under SU01 -> Logon tab.
If yes, check the attributes of this policy using tcode SECPOL.
Regards,
Jinesh Jayan
07-28-2015 11:11 AM
07-28-2015 12:35 PM
Hi Arya,
You can activate the trace in ST01 for that user on temporary basis and analyze the issue.
To keep it simple, after activating the trace in ST01, you can ask the user to just log in and log out without executing any t-code, since during this the user will get the pop-up for password reset.
Hope this helps!
Thanks,
Santosh
07-28-2015 1:15 PM
07-28-2015 3:22 PM
Now situation has become more intriguing.
Here we go. When another user logs in with correct password everything is fine. But if by chance he enters a wrong password and next time he tries to log in with a correct password the system is asking to change the password.
What is happening?
Please help!!!
BR
Arya
07-28-2015 5:55 PM
Arya,
Regards,
Jinesh
07-29-2015 6:43 AM
Hi Arya,
1) Is there any Java application server associated with this stack? If so, please go through the security logs and parameter settings on the Java side.
2) How are the user accounts created: directly in the ABAP system, in Java, in LDAP, or from CUA?
Best Regards,
R. Lakshmi Narasimhan
07-29-2015 11:43 AM
Hi Jinesh,
Firstly, there is only one application server and secondly profile parameter setting is for system as a whole and not user specific so that solution is also correct.
BR
Arya
07-29-2015 11:45 AM
Hi Narasimhan,
We are talking about one specific user and not all the users.
The user is created directly in the ABAP system.
BR
Arya
08-26-2015 2:27 PM
08-26-2015 2:31 PM
08-26-2015 2:36 PM
HI,
The issue is interesting. Did you try what Colleen has suggested?
Like copying the user and checking whether it is happening to that ID as well?
Regards,
Charan
08-26-2015 2:44 PM
Hi,
I have taken each of her suggestions and tried it, but it's not working at all.
Deleted the user, re-created it.
Copied the user.
Tried to take a trace ST05.
Used SM20.
But nothing works.
08-26-2015 2:54 PM
Hi Arya,
Can you try to access the system using SAP WebGui and see how it behaves ?
Thanks,
Ali
08-26-2015 2:55 PM
HI,
Can you please try:
- removing all the roles, parameters, defaults, user groups, etc.
- just providing a generic role in the system.
If not, we need to raise an OSS connection to the SAP team.
regards,
Charan
08-26-2015 3:31 PM
Point 1 done without any result.
Last hope is to raise an OSS message to SAP.
Regards
ABP
08-26-2015 3:43 PM
08-26-2015 7:15 PM
Hi,
1. Have you tried to switch the account to a service user as suggested above? What were the findings?
2. I found these answers in other link for the same problem. Not sure if they are valid. Anyway I am copying them here.
a. Check dates in fields of table USR02. If someone played with these fields contents, it can cause issue.
b. If one user faces the same, check USR02 --> TZONE & PWDDATE
Thanks.
08-27-2015 1:58 PM
1- Switching to Service would obviously remove the problem from its roots only but that is not what I am looking for. Dialog user cannot be changed to service.
2- I have invested a lot of time on USR02 but without any fruit. BTW may I ask what plausible relation TZONE would have on password. Also couldn't find the field PWDDATE.
Br
Arya