04-10-2008 4:11 PM
Hi All,
One user ID gets locked frequently by incorrect password logon.How Do i find from where somebody is trying to connect with wrong passowrd? If this is happening by any RFC how do I find from which system it is coming ?
Please advice.
Thanks,
Suman
04-11-2008 12:50 PM
Hi Suman,
first step is to identify, if the logon attempts are coming regularly (for instance every day, hour,... at the same time) or after a special event.
If you know, when you expect the next attempt, you need to trace the login. SM20 is not really necessary, but makes it easier to find the workprocess, through which the attempt has been processed.
To trace the login attempt:
[SAP Note 495911|https://service.sap.com/sap/support/notes/495911]
To identify, from which host/system the attempt has been started:
[SAP Note 171805|https://service.sap.com/sap/support/notes/171805]
Good luck!
b.rgds, Bernhard
04-10-2008 7:11 PM
Hi Suman,
You might want to look at another approach to resolve this, however this is one option I take to do a quick lookup on RFC's.
If you do not have too many systems, then an easy step you could take is to export table RFCDES and check field U="desired_name" in the field.
"U= " mentions the user name defined in an RFC. By this you can ensure that the user that is getting locked is not defined in an RFC by mistake.
Hope this helps
Abhishek
04-10-2008 9:10 PM
You will get RFC login information for a user if you have the security audit log activated (SM20). It will also tell when a login is failed due to incorrect password
04-10-2008 9:16 PM
Hi Alex,
I have to go through so much pain for system audit not being enabled . Cant do anything too about it.
04-11-2008 6:35 AM
04-11-2008 12:50 PM
Hi Suman,
first step is to identify, if the logon attempts are coming regularly (for instance every day, hour,... at the same time) or after a special event.
If you know, when you expect the next attempt, you need to trace the login. SM20 is not really necessary, but makes it easier to find the workprocess, through which the attempt has been processed.
To trace the login attempt:
[SAP Note 495911|https://service.sap.com/sap/support/notes/495911]
To identify, from which host/system the attempt has been started:
[SAP Note 171805|https://service.sap.com/sap/support/notes/171805]
Good luck!
b.rgds, Bernhard