System asking to change password every time a user is trying to Login.

Former Member
0 Kudos

Hello,

SAP is asking to change password every time the user is trying to login.

Checking profile parameter will not make sense as this is happening only to one user.

I think the answer lies in USR02 but what exactly will unearth the solution, I am not sure.

Please help

BR

Arya

1 ACCEPTED SOLUTION

Colleen
Advisor
0 Kudos

Hi Arya

I haven't commented on this post much as Bernard already jumped in. I agree with his suggestion to switch on logging for the one user. I haven't worked Germany market for privacy rules but are you able to ask the user for permission to temporarily switch on whilst you troubleshoot? Ask your compliance or audit team if you could get an exception here. If the user cannot logon to the system they might be willing to allow this.

Now if there is a chance of some code related bug (maybe a developer coded somewhere for that specific Id) you could try to create the account in non production and then log/trace there.

For tracing, I would consider ST05 SQL and ST01 for kernel/rfc to attempt to pick up the user and see how far it gets. It might show tables, etc being checked. I'm not a programmer but pretty sure you can't put a break point and debug this as this section of the code for logon sequence is protected. However, if there is some bad code out there it might be causing the password change prompt just after the logon sequence.

Do you get change documents for resetting of the password coming up all the time? Might be a stupid question, but is the user actually changing their password and not pressing cancel? Also, are they logging straight into SAPGui or some other tool?

Guessing game and suggestion is to:

  1. try to deactivate password and reissue
  2. temporarily switch account to service user so password rules are not enforced - if change prompt comes up it might lead back to some code bug
  3. Copy the user and see if it happens to this account
  4. Delete (I hate suggesting this) and recreating the user

If you still can't get anywhere, it sounds like you need to raise a marketplace message and have SAP experts access system on secure connection to investigate.

Regards

Colleen

28 REPLIES

0 Kudos

Hi Arya,

Have you tried to check if that user has any active session in SM04? If yes, that session needs to be terminated.

If it does not work then the only workaround is to delete that user and recreate it, as there is some miscellaneous user master data issue and that will clear on user deletion only.

Thanks,

Shiv

0 Kudos

Hello Shiv,

Unfortunately both of your suggested solutions didn't work:(

BR

Arya

0 Kudos

Hi Arya,

What type of user ID is this? Are you using this ID in any of the RFC connections?

Regards,

Anil

0 Kudos

Nopes Anil. It's a simple dialog user.

Former Member
0 Kudos

1) Verify the Login tab in SU01 T-code, if the user account is associated to any security policy.

2) Verify the table USRPWDHISTORY.

Bernhard_SAP
Employee
0 Kudos

Hi,

I recommend to use a structured approach to avoid guessing and a trial/error approach.

1st: create a logon trace

2nd: evaluate the trace to identify the cause why the user needs to change his password

3rd: repair the cause.

Logontrace: SAP note 495911

Docu: SAP note 320991

99% success guarantee.....

b.rgds, Bernhard

0 Kudos

Hi,

Approach is good but I cannot activate filter for a Dialog user in SM19 except Emergency and OSS user owing to the audit specifications in Germany, hence getting the Logon trace is not possible.

Kindly suggest something else if possible.

BR

Arya

0 Kudos

SM19: how about dynamic configuration for that particular user? You do not necessarily need SM19/SM20 to evaluate the logon trace; SM19 simply helps you to identify the correct work process. But you can search for the correct one yourself manually.

Bernhard

jinesh_jayan
Participant
0 Kudos

Hi Arya,

Can you check if any security policy is active for this user?

Under SU01 -> Logon Tab.

If yes, check the attributes of this policy using tcode SECPOL.

Regards,

Jinesh Jayan

0 Kudos

No security policy for my system Jinesh

0 Kudos

Hi Arya,

You can activate the trace in ST01 for that user on temporary basis and analyze the issue.

To keep it simple, after activating the trace in ST01, you can ask user to just login and logout without executing any t-code since during this user will get pop up for password reset.

Hope this helps!

Thanks,

Santosh

0 Kudos

ST01 will never capture such issues.

Former Member
0 Kudos

Now situation has become more intriguing.

Here we go. When another user logs in with correct password everything is fine. But if by chance he enters a wrong password and next time he tries to log in with a correct password the system is asking to change the password.

What is happening?

Please help!!!

BR

Arya

jinesh_jayan
Participant
0 Kudos

Arya,

  1. Is it a SAP ECC system?
  2. How many application servers are there for this system? My hunch is, the problem is only when the user is directed to a particular application server which maybe has an incorrect setting in the instance profile. Please check all instance profiles for incorrect security parameters.

Regards,

Jinesh

0 Kudos

Hi Arya,

1) Is there any Java application server associated to this stack? If so, please go through the security logs and parameter settings on the Java side.

2) How are the user accounts created: directly in the ABAP system, or Java, or in LDAP, or from CUA?

Best Regards,

R. Lakshmi Narasimhan


0 Kudos

Hi Jinesh,

Firstly, there is only one application server and secondly profile parameter setting is for system as a whole and not user specific so that solution is also correct.

BR

Arya

0 Kudos

Hi Narasimhan,

We are talking about one specific user and not all the users.

The user is created directly in the ABAP system.

BR

Arya

Former Member
0 Kudos

Hi Arya,

Did you get any resolution for this issue?

Former Member
0 Kudos

Hi Sree,

Sadly, No

Former Member
0 Kudos

Hi,

The issue is interesting. Did you try what Colleen has suggested?

Like copying the user and checking whether it is happening to that ID as well?

Regards,

Charan

Former Member
0 Kudos

Hi,

I have taken each of her suggestions and tried, but it's not working at all.

Deleted the user, re-created it.

Copied the user.

Tried to take a trace ST05.

Used SM20.

But nothing works.

Former Member
0 Kudos

Hi Arya,

Can you try to access the system using SAP WebGui and see how it behaves ?

Thanks,

Ali

Former Member
0 Kudos

Hi,

Can you please try by:

- removing all the roles, parameters, defaults, user groups, etc.

- just providing a generic role in the system.

If not, we need to raise an OSS connection to the SAP team.

regards,

Charan

Former Member
0 Kudos

Point 1 done without any result.

Last hope is to raise an OSS message to SAP.

Regards

ABP

Former Member
0 Kudos

WebGui is not activated for this particular system.

madhumsr
Participant
0 Kudos

Hi,

1. Have you tried to switch the account to service user as suggested above? What were the findings?

2. I found these answers in another link for the same problem. Not sure if they are valid. Anyway I am copying them here.

     a. Check dates in fields of table USR02. If someone played with the contents of these fields, it can cause issues.

     b. If one user faces the same, check USR02 --> TZONE & PWDDATE

Thanks.

Former Member
0 Kudos

1- Switching to Service would obviously remove the problem from its roots only but that is not what I am looking for. Dialog user cannot be changed to service.

2- I have invested a lot of time on USR02 but without any fruit. BTW may I ask what plausible relation TZONE would have on password? Also couldn't find the field PWDDATE.

Br

Arya