Impact of J2EE_ADMIN / Administrator user getting locked

Similar Messages

• The J2EE_ADMIN is keep getting locked

  Hello,
  The J2EE_ADMIN is keep getting locked for some reason.
  I unlock it and after a while it is locked again.
  No one is trying to login with it so it can't be locked due to multiple wrong logins.
  What can be the reason for that?

  Hi,
        Open Visual Administrator in  Cluster> Server>Services-->Security Provider
  Go to Runtime - tab and then User Management. Search for the user "J2EE_Admin" and double click on the user name to get the user management property sheet. There you can find "No password change required". If it is not checked, please check that one. Then that password wont expire for every deployment.
  Hope this helps.
  Regards,
  Pooja.

• User gets locked by an external system but which one?

  Hi,
  In an abap system, we have changed the password of our administration user. Afterwards, this user gets locked every 5 minutes, obviously because the user and old password has been used to set up communication from another system to the abap system. An RFC connection for instance or whatever. Sure it is possible to check all the systems you can think of to see if the user has been used for such a purpose. But how can you see in the system itself where the call comes from that locks it? I have tried the gateway tracefile but without success. Any suggestions?
  Regards,
  GK

  Hello,
  I would try transaction STAD.
  There you should find entries of type RFC with your user.
  If you double-click on the line, you get the details. Click on the RFC button.
                                as Client             as Server
  No. of targets                   0                     1
  Click on the highlighted 1 under "as server".
  You should get the needed info : the remote destination
  Target         TEST_DEV
  User ID        TESTOC
  RFC Caller     OCHRETIE
  Local  destin. bt1suk17v1_DEV_02                IP address xx.xx.xx.xx
  Remote destin. bt1suk16v1_DXI_68                IP address yy.yy.yy.yy
  Hope this helps
  Olivier

• User gets locked in lesser attempts than security policy setting

  Hi
  I have written my customized login code to login a user to the
  portal and I user the following code:
  IUser myUser = UMFactory.getUserFactory().getUserByLogonAlias(username, null);
  IUserAccountFactory accountFactory = UMFactory.getUserAccountFactory();
  IUserAccount account = accountFactory.getUserAccountByLogonId(myUser.getUniqueName());
  ILogonAuthentication ILA = UMFactory.getLogonAuthenticator();
  req.setAttribute(JUSER,myUser.getUniqueName());
  req.setAttribute(JPASSWORD,password);
  ILA.logon(req,res,AUTHSCHDEFAULT);     
  I notice that whenever I try to logon using my code with a
  wrong password, the user gets locked in 3 attemps even though the security policy
  (at ABAP and in Portal UME Configuration) setting for number of failed attempts is set to 5.
  (Although, please note that my code works fine logging the
  user into the portal when he enters the correct password)
  I try to check if the same thing happens with the standard logon module - com.sap.portals.runtime.logon,
  and notice that it locks correctly after 5 attempts.
  Would I have to add anything else in my code to make it work
  correctly?
  Thanks
  oj

  Hi All
  I tried to check in the CUA table the incorrect logon attempts value, and noticed that for every time I login (using my above code) with the wrong password, it increments the count by 2!! And that's the reason it gets locked out by the third time.
  What am I doing wrong?
  Thanks
  OJ

• SAP BW User getting locked by BO RFC calls

  Hi,
  we are encountering a problem with BO RFC calls locking SAP BW users that recently changed their password in BW.
  Description of the problem in the ticket we raised at the SAP support:
  SAP BO 4.1 SP2 Patch 4, linux installation
  Backend: SAP BW 7.01 EHP8
  BICS interface with SAP authentication
  One of our users gets locked again and again in SAP BW (P19). The cause is a RFC connection that the BusinessObjects server (P59) tries to establish. The user used SAP BO last Friday for the last time and had to change his password in P19 this Tuesday. We think that there is some
  process within SAP BO still trying to connect to SAP BW from time to time, using the old password. There is no open session visible for that user in the CMC. User is even getting locked when not in the office and during night time. RFC calls are established almost regualary every hour.
  We already had this behaviour in our test-system. Restarting the BO-Server solved it. However, this is not the solution we want to use
  in the productive environment. There has to be some way to kill the process that uses the old password on the BO server without restarting
  the whole server. We do not understand why BO would still try to connect to BW with the old password - this has to be some kind of a bug.
  Meanwhile the error disappeared for the first user (some days after it started, maybe the BO process ran into a timeout). However, other users started having the same behaviour after changing their password.
  Our basis team tried to check the log files for advanced information on the conversations between BO and BW, but did not find any hints on which BO process might try to establish the connections.
  The SAP support seems to be a little helpless at the moment...
  Has anyone had similar problems?
  Regards,
  Robert

  Hi again,
  additional information: after approximately one week after the error appeared for the first time BO stops trying to establish the rfc connection for this specific user. Almost as if the "old-password-BO-process" ran into a 1 week timeout or something like that.
  The problem is really strange. The SAP support is still not able to tell us how the gather the information they require.
  Regards,
  Robert

• J2EE_ADMIN user getting locked frequently

  Hi SAP Guru's,
  The user J2EE_ADMIN in our nw2004s system is getting locked frequently. We have changed the password of this user in ABAP via SU01 & in JAVA in the secure store via configtool. The server was re-booted after doing these changes. Still the user J2EE_ADMIN is getting locked frequently. Also in SM21, we have a log <b>"J2EE_ADMIN locked due to incorrect logon"</b> for this locking which mentions the user as SAPJSF (Communication user between ABAP & JAVA).
  Is there a possibility that SAPJSF is locking the user J2EE_ADMIN ?? how & why ??
  Any help on this will be highly appreciated.
  Thanks,
  Sanjeev.

  have you solve this issue? we have the same!
  every half hour (xx:51:00 and xx:29:00), the J2EE_ADMIN user is locked by user SAPJSF transaction KRNL from the local host (terminal).
  We have changed the pass in secure store in configtool to the pass we used in abap.
  In "Visual Administrator" "Cluster>Server>Services-->Security Provider" the user have a checked box at "No password change required"
  We searched for other places with a wrong pass (Jco Connections = no J2EE_ADMIN used, SLD = no J2EE_ADMIN used), but found nothing.
  need help pls.
  regards
  chris

• ABAP+JAVA System Copy -- Administrator account getting locked

  Hi,
  I am in the process of doing system copy of my portal to a new server. As per the SAP instructions, I had updated the JDK and SP levels of my EP to the latest supported ones.
  Now when i am doing JAVA Add-in Export of my system, SAPinst is throwing error that --
  "Error connecting to http://Entportal:50000/sap/monitoring/SystemInfoServlet. The provided user data might be incorrect or user might be locked.:
  and when I check the "administrator" user account, it is getting locked. Even though I manually unlock it and update the password is secure storage, still when I run SAPinst, again it is getting locked. I have also chnged the path of my temporary directory to c:\temp which has no spacees in it, according to SAP instructions.
  I have raised the issue through OSS, but still, in the mean time can sombody help me?
  Regards,
  Mandar

  Hi Akshay,
  I am not using any ID. SAPInst itself is trying to access systeminformationservlet using administrator account. at this stage it is failing to get the correct password and thats why my administrator account is getting locked.
  Regards,
  Mandar.

• Administrator User Account Locked

  Hi.
  I locked into my local portal with Admin user/pwd.
  It asks me to reset the pwd.
  I did it and I forgottenly given wrong password.
  When I tried to log in the portal with the Admin user/pwd, it is showing message as "Account Locked"
  Can anyone help on this issue.
  Regards
  Bala

  Hi Balachandar P,
  If you forgot or lock "Administrator or J2EE_ADMIN" password just follow below steps:
  <u><b>STEP-1: Enable "SAP*"</b></u>
  1.Start the Config Tool C:\usr\sap\<SID>\<engine-instance>\j2ee\configtool\configtool.bat
  Ex: D:\usr\sap\F02\JC00\j2ee\configtool --> configtool.bat
  2.Goto cluster-data --> Global server configuration --> services --> com.sap.security.core.ume.service
  3.Double-click on the property "ume.superadmin.activated = TRUE"
  4.Double-click on the property "ume.superadmin.password=<Enter any password ex: abc123>"
  5.Save.
  6.Restart the engine.
  <u><b>STEP-2: Login with "SAP*" into portal</b></u>
  1. http://<host>:<Port>/useradmin/index.jsp
  2. Enter userid / password as" SAP* / <password ex: abc123>"
  3. Search for "Administrator" user
  4. Reset or change password for "Administrtor"
  <u><b>STEP-3: Disable "SAP*"</b></u>
  1.Start the Config Tool C:\usr\sap\<SID>\<engine-instance>\j2ee\configtool\configtool.bat
  Ex: D:\usr\sap\F02\JC00\j2ee\configtool --> configtool.bat
  2.Goto cluster-data --> Global server configuration --> services --> com.sap.security.core.ume.service
  3.Double-click on the property "ume.superadmin.activated = FALSE"
  4.Save.
  5. Restart the engine.
  <u><b>STEP-4: Login with "Administrator"</b></u>
  1. http://<host>:<Port>/useradmin/index.jsp
  2. Enter userid / Password as "Administrator / <password>
  3. it will ask change password just change it.
  <b>Thanks,
  Nagaraju Parlapalli</b>

• User getting locked while sending message sync via BPM. Please help

  Hi Experts,
     I have a sync - sync scenario where I am sending data synchronously from webservice to a sync RFC FM. I am using BPM and in BPM I have three steps
  1. Receive step - Opens Sync-Async Bridge
  2. Sync Send step
  3. Send step - Closes SYnc-Async bridge.
  This BPM solution is same as that give in the blog https://www.sdn.sap.com/irj/sdn/weblogs?blog=/pub/wlg/1403 [original link is broken] [original link is broken] [original link is broken]
  When I test this scenario I am getting
  <SAP:Error xmlns:SAP="http://sap.com/xi/XI/Message/30" xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/" SOAP:mustUnderstand="1">
  <SAP:Category>XIServer</SAP:Category>
  <SAP:Code area="INTERNAL">PL_TIMEOUT</SAP:Code>
  <SAP:P1 />
  <SAP:P2 />
  <SAP:P3 />
  <SAP:P4 />
  <SAP:AdditionalText />
  <SAP:ApplicationFaultMessage namespace="" />
  <SAP:Stack>Timeout condition of pipeline reached</SAP:Stack>
  <SAP:Retry>N</SAP:Retry>
  </SAP:Error>
  When I check the "Status monitor for Sync/Async communication" via SXMB_MONI, I found that my message is listed there with BPE status = "Wait".
  On double clicking my message I found that there is an error " User is locked. Please notify the person responsible".
  Why is my BPE struck in "Wait" stage and user is locked?
  What am I doing wrong? Am I missing any settings in SOAP sender communication channel?
  Please help me in resolving this problem.
  Regards
  Gopal

  Hi,
  Few months ago we had also problems with "locked user" in XI, in our case XIAPPLUSER was sometimes (b)locked.
  Perhaps note:
  721548 Changing the passwords of the XI 3.0 service users
  will help you.
  We removed and entered the service users again, with the password in CAPITALS and language blank.
  After that our problem was solved, I hope yours too.
  Regards
  Jack

• CUA SU10 issue with users getting locked

  I did some role change using SU10 on CUA central system for 200 users. 45 of the users got locked with global admin lock in the child system for which I made the role changes.  These user locks are shown in the child system change documents log as changes by the CUA RFC user. I have this problem everytime I use su10. Why does this happen?  What can I do about it? Thanks, KT

  Hi Todd,
  propably you have some inconsistencies in your landscape....
  the cause of such 'unwanted' effects is the fact that if you change a user in your CUA central system, the whole user information is picked, then edited with you changes and afterwards distributed to all child systems.
  So what I could imagine in your example is as follows:
  User has a global lock in central system already, the particular child system did not have that information (user is still unlocked there). Several causes are possible, for instance the lock idoc did not get processed, Child system was not available/connected to CUA when the lock had been set,......).
  At the next update of that user (assign a role), the lock information from the central system is pushed to that child.
  Why?
  Because the design is to assure data consistency between central and child system. Therefore all the user information from central system is pushed to child at any user change. (that is also why you will see in SCUL 3 idocs for each user change (also user and profile idocs are pushed, even if you have changed the role assignement only).
  So what you could check is, if that users got the lock flag (128) already in the past somewhen.
  b.rgds, Bernhard

• SLD User gets locked; four unsuccessful logons every 15 minutes

  I have a landscape with a PI with the SLD on it. I defined a user with the name SLDUSER and the appropriate authorizations. The PI is a Unicode system, like all systems in the landscape.
  There were already some application servers (CRM, Banking Services, Composition Environment) connecting to this SLD and everything went fine.
  Now I added another application server, an ERP, for FI-CAx (NW 7.02). As the business partners are distributed via XI through the PI system, the ERP needs to connect to the SLD, too.
  I set it up as usual:
  - sldapicust: host, port, SLDUSER, password. (What is weird is that there is no test button as in all the other systems ... maybe that depends on the installed EhPs.)
  - This generated the destinations (type T = TCP/IP) SLD_UC and SLD_NUC automatically.
  - I created destinations SAPSLDAPI and LCRSAPRFC manually in sm59, type T = TCP/IP, set them to Unicode, entered the same (two different) Registered Server Programs that are used in these destinations on all the other servers (CRM, PI, BaS).
  - I ran rz70, entered the host and gateway, activated, executed the data collection.
  SLDCHECK runs successfully on the ERP system!
  The technical system for the BS1 showed up in the SLD as expected.
  - I configured the clients / business systems on the SLD.
  Now begins the problem. The SLDUSER is now getting locked all the time! It's definitely the ERP system causing it - when I prevent it from accessing the PI (by changing the hosts file on the operating system), the problem stops.
  I activated everything critical related to logons and RFCs in sm19 and looked at the logs in sm20. This is what it looks like:
  17.08.2011     19:40:04     BNK_RFC     ilbnkpi1          SAPMSSY1     Password check failed for user SLDUSER in client 001
  17.08.2011     19:40:04     BNK_RFC     ilbnkpi1          SAPMSSY1     Logon Failed (Reason = 1, Type = U)
  17.08.2011     19:40:04     BNK_RFC     ilbnkpi1          SAPMSSY1     Password check failed for user SLDUSER in client 001
  17.08.2011     19:40:04     BNK_RFC     ilbnkpi1          SAPMSSY1     Logon Failed (Reason = 1, Type = U)
  17.08.2011     19:40:04     BNK_RFC     ilbnkpi1          SAPMSSY1     Password check failed for user SLDUSER in client 001
  17.08.2011     19:40:04     BNK_RFC     ilbnkpi1          SAPMSSY1     Logon Failed (Reason = 1, Type = U)
  17.08.2011     19:40:04     BNK_RFC     ilbnkpi1          SAPMSSY1     Password check failed for user SLDUSER in client 001
  17.08.2011     19:40:04     BNK_RFC     ilbnkpi1          SAPMSSY1     Logon Failed (Reason = 1, Type = U)
  17.08.2011     19:55:04     BNK_RFC     ilbnkpi1          SAPMSSY1     Password check failed for user SLDUSER in client 001
  17.08.2011     19:55:04     BNK_RFC     ilbnkpi1          SAPMSSY1     User SLDUSER Locked in Client 001 After Erroneous Password Checks
  17.08.2011     19:55:04     BNK_RFC     ilbnkpi1          SAPMSSY1     Logon Failed (Reason = 1, Type = U)
  17.08.2011     19:55:04     BNK_RFC     ilbnkpi1          SAPMSSY1     Logon Failed (Reason = 53, Type = U)
  17.08.2011     19:55:05     BNK_RFC     ilbnkpi1          SAPMSSY1     Logon Failed (Reason = 53, Type = U)
  17.08.2011     19:55:05     BNK_RFC     ilbnkpi1          SAPMSSY1     Logon Failed (Reason = 53, Type = U)
  And it goes on like this. So what happens is this: Every 15 minutes, at :10, :25, :40, :55, there are four unsuccessful logons with SLDUSER. With the fifth logon it gets locked.
  Again:
  - This stops when I make the PI inaccessible to the ERP.
  - SLDCHECK still works completely fine in ERP - until the SLDUSER is locked, of course; then it stops working in all connected systems. It does not result in unsuccessful logons on the PI.
  - When I run rz70 on the ERP and run the data collection this also reports success and does not create unsuccessful logons on the PI.
  - I have not used the SLDUSER in any other locations besides sldapicust.
  So what the hell is wrong with this system?!

  I have created a separate user SLDUSER_ER1 just for use in the sldapicust in the new ERP system that causes the problem. Still SLDUSER is getting locked (not SLDUSER_ER1)!
  I powered down this ERP system ER1, just to make absolutely sure it is causing the problem - indeed the unsuccessful logon attempts every 15 minutes stopped right away.
  As a workaround and for narrowing down the problem I have created separate users SLDUSER_CR1 etc. for each of the other systems in the landscape (CRM and so on) - indeed those do not get any unsuccessful logon attempts.
  I have deleted all four SLD-related destinations in ER1 and recreated them from scratch (SLD_NUC and SLD_UC being generated when running rz70). I also used the "delete all batch jobs" button in rz70.
  Still, SLDUSER is getting locked.
  I checked on the PI system in C:\usr\sap\PI1\DVEBMGS00\j2ee\cluster\server0\log\system\httpaccess\responses_00.0.trc and see it is indeed the IP of the ERP system that gets the error 401 exactly at the times when the unsuccessful logon attempts occur:
  [Oct 2, 2011 2:46:06 PM   ] - 10.26.83.234 : POST /sld/cimom HTTP/1.1 401 1499 [140]
  [Oct 2, 2011 2:46:06 PM   ] - 10.26.83.234 : POST /sld/cimom HTTP/1.1 401 1499 [79]
  [Oct 2, 2011 2:46:06 PM   ] - 10.26.83.234 : POST /sld/cimom HTTP/1.1 401 1499 [62]
  [Oct 2, 2011 2:46:06 PM   ] - 10.26.83.234 : POST /sld/cimom HTTP/1.1 401 1499 [47]
  As the ERP has no Java instance and the sldapicust does not contain the SLDUSER (but the new SLDUSER_ER1) it is a mystery to me what it is that is still running every 15 minutes in the ERP and tries to use SLDUSER.
  I went through the entries in SECSTORE and could not find any use of SLDUSER (only of SLDUSER_ER1, as it should be).
  Edited by: Monika Eggers on Oct 2, 2011 3:08 PM

• APPS USER GETTING LOCK

  After changing password of APPS user, while accessing application, 'APPS' user is getting lock. Checked that 'password' of 'APPS_TO_APPS' and 'EDW_APPS_TO_WH' did not changed.
  Ran Autoconfig -still account is getting lock.

  Pl see if that APPS database account has a profile set. I believe ATG RUP4 add a profile to the APPS database account and after x number of unsuccessful logins, it locks the account, making the instance unusable. See ML Note 556761.1 that describes a related issue. If a profile is indeed set for the APPS account, pl remove it.
  HTH
  Srini

• User getting Locked after 1 day

  Hi All,
  I am facing an issue...a particular user in our SAP ECC 5.0 system is getting locked after every one day, I checked the configuration in SU01 but everything seems to be fine there.
  Please help regarding this issue.
  Thanks in Advance
  Regards,
  Prashant.

  Dear Prashant,
  Have you activated user trace.If yes then monitor that user ID.It wont be possible that only 1 particular user is getting locked (correct me if I am wrong).There can be a possibility that somebody is deliberately entering wrong password for his ID any other terminal.
  If you have activated user trace then you can easily monitor that user ID and even the terminals from where his ID has been accessed.
  PS: I might be wrong,so please update me with the latest.
  Regards,
  Ashutosh

• Administrator user is locked

  Hello Guys,
  My administrator userid is locked. I need to deploy some packages by using SDM.
  Please provide me the solution.
  Alex

  Try this link  http://help.sap.com/saphelp_nw70/helpdata/EN/ee/10df3d0eb8af5ee10000000a114084/frameset.htm
  =Kapil=

• Administrator user getting re-synchronized

  Hi Folks,
  Using Project On-Line, one of our users was getting removed from the Administrator security group where we had assigned him.  Note the Queue Job Type = "Synchronize Project Web App Permissions to Project Web
  App" happens every day at a little past 12am Redmond WA time.  And, the
  We do not use Active Directory. So, PWA > Server Settings > "Active Directory Enterprise Resource Pool Synchronization" is not used and/ or set.  I noticed that the Administrator security group was the only one that was reporting that
  it had been sync'ed at a time which coincided with the Queue info mentioned in previous paragraph.
  From the PWA > Server Settings > Manage Groups page, I checked "Active Directory Group Sync Options".  The "Enable Schedule Synchronization" option was selected.  Is this set by default?  I disabled it now. 
  If we manage our resources manually, is it safe to assume that this is the correct setting?
  The Administrator group page, had "Company Administrators" in its "Active Directory Group" field.  Is it there by default???  I cleared it and left it blank now.  Hopefully it won't do it again. 
  What perplexes me is that I had a half dozen other users assigned to the Administrator group, and only this one user is getting removed from the Administrators group.  Any reasons why that is?
  \Spiro Theopoulos PMP, MCITP. Montreal, QC (Canada)

  Hello,
  Yes in Project Online the Active Directory group sync is enabled by default and can be disabled - just make sure you never remove all the Admins and lock yourself out etc.! Company Admins is the default group synchronised with the Admin group. Maybe this
  user was not a Company Admin..
  Paul
  Paul Mather | Twitter |
  http://pwmather.wordpress.com | CPS |
  MVP | Downloads