Authority Check Failed

Similar Messages

• Web Service Homepage: Authority check failed

  Dear Colleagues,
  I have created a Web Service and now I want to test it via its Web Service Homepage (TA WSADMIN). The Homepage is displayed correctly, but testing leads to an error:
  Authority check failed
  Are there any prerequisites I maybe do not accomplish?
  (I tested a very similar web service in another system, and there it works)
  Here are some more information about my service:
  - Service was build with Web Service Wizzard out of a function module
  - Here you can see the conversation resulting of the test:
  POST /sap/bc/srt/rfc/sap/Z_TEST_Q73_CONFIG_WS?sap-client=003 HTTP/1.1
  Host: bsl8011.wdf.sap.corp:50073
  Content-Type: text/xml; charset=UTF-8
  Connection: close
  Cookie: <value is hidden>
  Cookie: <value is hidden>
  Authorization: <value is hidden>
  Content-Length: 381
  SOAPAction: ""
  <?xml version="1.0" encoding="UTF-8" ?>
  <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <SOAP-ENV:Body>
  <ns1:Z_TEST_WS_CONFIG xmlns:ns1='urn:sap-com:document:sap:rfc:functions'>
  <INPUT>TEST</INPUT>
  </ns1:Z_TEST_WS_CONFIG>
  </SOAP-ENV:Body>
  </SOAP-ENV:Envelope>
  HTTP/1.1 500 Internal Server Error
  content-type: text/xml; charset=utf-8
  content-length: 363
  sap-srt_id: 20060404/125124/v1.00_final_6.40/1B0831447838C429E10000000A424016
  server: SAP Web Application Server (1.0;700)
  <soap-env:Envelope xmlns:soap-env="http://schemas.xmlsoap.org/soap/envelope/">
  <soap-env:Body>
  <soap-env:Fault>
  <faultcode xmlns:n0="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">n0:FailedAuthentication</faultcode>
  <faultstring xml:lang="e">Authority check failed</faultstring>
  </soap-env:Fault>
  </soap-env:Body>
  </soap-env:Envelope>
  The WSDL-Document looks as follows:
  <?xml version="1.0" encoding="utf-8"?><wsdl:definitions targetNamespace="urn:sap-com:document:sap:rfc:functions" xmlns:http="http://schemas.xmlsoap.org/wsdl/http/" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tns="urn:sap-com:document:sap:rfc:functions" xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><wsdl:types><xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:tns="urn:sap-com:document:sap:rfc:functions" targetNamespace="urn:sap-com:document:sap:rfc:functions" elementFormDefault="unqualified" attributeFormDefault="qualified"><xsd:simpleType name="char60"><xsd:restriction base="xsd:string"><xsd:maxLength value="60"/></xsd:restriction></xsd:simpleType><xsd:element name="Z_TEST_WS_CONFIG"><xsd:complexType><xsd:sequence><xsd:element name="INPUT" minOccurs="0" type="tns:char60"/></xsd:sequence></xsd:complexType></xsd:element><xsd:element name="Z_TEST_WS_CONFIGResponse"><xsd:complexType><xsd:sequence><xsd:element name="OUTPUT" type="tns:char60"/></xsd:sequence></xsd:complexType></xsd:element></xsd:schema></wsdl:types><wsdl:message name="Z_TEST_WS_CONFIG"><wsdl:part name="parameters" element="tns:Z_TEST_WS_CONFIG"/></wsdl:message><wsdl:message name="Z_TEST_WS_CONFIGResponse"><wsdl:part name="parameters" element="tns:Z_TEST_WS_CONFIGResponse"/></wsdl:message><wsdl:portType name="Z_TEST_Q73_CONFIG_WS"><wsdl:operation name="Z_TEST_WS_CONFIG"><wsdl:input message="tns:Z_TEST_WS_CONFIG"/><wsdl:output message="tns:Z_TEST_WS_CONFIGResponse"/></wsdl:operation></wsdl:portType><wsdl:binding name="Z_TEST_Q73_CONFIG_WSSoapBinding" type="tns:Z_TEST_Q73_CONFIG_WS"><soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/><wsdl:operation name="Z_TEST_WS_CONFIG"><soap:operation soapAction=""/><wsdl:input><soap:body use="literal"/></wsdl:input><wsdl:output><soap:body use="literal"/></wsdl:output></wsdl:operation></wsdl:binding><wsdl:service name="Z_TEST_Q73_CONFIG_WSService"><wsdl:port name="Z_TEST_Q73_CONFIG_WSSoapBinding" binding="tns:Z_TEST_Q73_CONFIG_WSSoapBinding"><soap:address location="http://bsl8011.wdf.sap.corp:50073/sap/bc/srt/rfc/sap/Z_TEST_Q73_CONFIG_WS?sap-client=003"/></wsdl:port></wsdl:service></wsdl:definitions>
  Can anyone help me, I have no Idea
  Message was edited by: Hans-Peter Bauer

  The message server defined in the SAP-Logon is us4278.wdf.sap.corp
  But the url of the web service starts with  http://us4185:58500/wsnavigator/jsps/explorer.jsp?description=WebServiceZ_TEST_Q73_CONFIG_WS
  But I think that's not the problem, is it? As I mentioned above the test page can be shown, but the after filling in the input parameters an pressing send, there appears the authorisation error.
  For better illustration I made some screenshots for you:
  1) http://wipux2.wifo.uni-mannheim.de/~wi01211/sonstiges/WS_HOMEPAGE_OVERVIEW.gif
  2) http://wipux2.wifo.uni-mannheim.de/~wi01211/sonstiges/WS_HOMEPAGE_TEST_INPUT_FORM.gif
  3) http://wipux2.wifo.uni-mannheim.de/~wi01211/sonstiges/WS_HOMEPAGE_TEST_reqest_response.gif
  What can be wrong, if the error "n0:FailedAuthentication" appears?
  Regards,
  Peter
  Message was edited by: Hans-Peter Bauer

• Authority check failed in FT2

  I have tried to implement the PO create example as descriped in the document "Consuming Service Operations using SAP NetWeaver Studio". When I run the example I cannot create an order. I get the error "Authority check failed" when I try to run the example. I have entered the correct password, because, if the password is wrong I get a  (401) Unauthorized from the server.
  I have also tried to make a Webdynpro application which used the same service, with the same result.
  I have also tried with a collages user, which gave the same error.
  In the webgui for the FT2 system, it seems like the user does not have access to the PO create transaction (ME21).

  Hi,
  Which WAS should it be the I configured. The ESA or our own?
  I have configured our own WAS as described in the tutorial. Here I tried to set up the username and password and I was able to send the request.
  But I'm just accessing the test system and it is there I get the error.

• Reg: webservice - authority check failed

  hi friends
  i have created a Webservice for FM- BAPI_COMPANYCODE_GETLIST  . after creating that i have tested in the case then i found a error that
  "An error has occurred. Maybe the request is not accepted by the server :  Authority check failed "
  what are the necessary authority checks has to be done.
  Thanks & Regards
  suman

  Hi,
  Which WAS should it be the I configured. The ESA or our own?
  I have configured our own WAS as described in the tutorial. Here I tried to set up the username and password and I was able to send the request.
  But I'm just accessing the test system and it is there I get the error.

• Protocol of failed authority check - analogue to SU53

  Hello
  I'm looking for way to retrieve the last failed authority check when a user interacts with a WDA application. Transaction SU53 seems not to protocol such failed authority checks when executed in WDA runtime.
  Thanks,
  Mathias

  s

• Java ME 8 Permission check failed when opening a serial port

  I have a larger Jave ME8.1 application that was going well until I tried to add one last piece, reading and writing data from a serial port. This was left to last because it is trivial, at least in most programming languages. The is IDE NetBeans 8.0.2 running on a Windows 7 PC. The platform is a Raspberry Pi B or B+ (I have tried both) with the most current Raspbian (12/24/2014 I believe). To simplify the process I created a new app with just the open and close code and this generates the same error I am experiencing in the larger application. The program is as follows:
  package javamecomapp;
  import java.io.IOException;
  import java.io.InputStream;
  import java.io.OutputStream;
  import java.util.logging.Level;
  import java.util.logging.Logger;
  import javax.microedition.io.CommConnection;
  import javax.microedition.io.Connector;
  import javax.microedition.midlet.MIDlet;
  * @author ****
  public class JavaMEcomApp extends MIDlet {
      static int BAUD_RATE = 38400;
      static String SERIAL_DEVICE = "ttyAMA0";
      static CommConnection commConnection = null;
      static OutputStream os = null;
      static InputStream is = null;
      static String connectorString;
      private int rtnValue = -1;
      @Override
      public void startApp() {
          java.lang.System.out.println("Opening comm port.");
          try {
              rtnValue = JavaMEcomApp.openComm();
          } catch (IOException ex) {
              Logger.getLogger(JavaMEcomApp.class.getName()).log(Level.SEVERE, null, ex);
      @Override
      public void destroyApp(boolean unconditional) {
          java.lang.System.out.println("Closing comm port.");
          try {
              rtnValue = JavaMEcomApp.closeComm();
          } catch (IOException ex) {
              Logger.getLogger(JavaMEcomApp.class.getName()).log(Level.SEVERE, null, ex);
          private static int openComm()throws IOException {
              java.lang.System.out.println("Opening comm port.");
              connectorString = "comm:" + SERIAL_DEVICE + ";baudrate=" + BAUD_RATE;
              commConnection = (CommConnection)Connector.open(connectorString);
              is  = commConnection.openInputStream();
              os = commConnection.openOutputStream();
          return 0;
      private static int closeComm()throws IOException {
          java.lang.System.out.println("Closing comm port.");
              is.close();
              os.close();
              commConnection.close();
          return 0;
  If I comment out the JavaMEcomApp.openComm and closeComm lines it runs fine. When they are included, the following error is dumped to the Raspberry Pi terminal:
  Opening comm port.
  Opening comm port.
  [CRITICAL] [SECURITY] iso=2:Permission check failed: javax.microedition.io.CommProtocolPermission "comm:ttyAMA0;baudrate=38400" ""
  TRACE: <at java.security.AccessControlException: >, startApp threw an Exception
  java.security.AccessControlException:
  - com/oracle/meep/security/AccessControllerInternal.checkPermission(), bci=118
  - java/security/AccessController.checkPermission(), bci=1
  - com/sun/midp/io/j2me/comm/Protocol.checkForPermission(), bci=16
  - com/sun/midp/io/j2me/comm/Protocol.openPrim(), bci=31
  - javax/microedition/io/Connector.open(), bci=77
  - javax/microedition/io/Connector.open(), bci=6
  - javax/microedition/io/Connector.open(), bci=3
  - javamecomapp/JavaMEcomApp.openComm(), bci=46
  - javamecomapp/JavaMEcomApp.startApp(), bci=9
  - javax/microedition/midlet/MIDletTunnelImpl.callStartApp(), bci=1
  - com/sun/midp/midlet/MIDletPeer.startApp(), bci=5
  - com/sun/midp/midlet/MIDletStateHandler.startSuite(), bci=246
  - com/sun/midp/main/AbstractMIDletSuiteLoader.startSuite(), bci=38
  - com/sun/midp/main/CldcMIDletSuiteLoader.startSuite(), bci=5
  - com/sun/midp/main/AbstractMIDletSuiteLoader.runMIDletSuite(), bci=130
  - com/sun/midp/main/AppIsolateMIDletSuiteLoader.main(), bci=26
  java.security.AccessControlException:
  - com/oracle/meep/security/AccessControllerInternal.checkPermission(), bci=118
  - java/security/AccessController.checkPermission(), bci=1
  - com/sun/midp/io/j2me/comm/Protocol.checkForPermission(), bci=16
  - com/sun/midp/io/j2me/comm/Protocol.openPrim(), bci=31
  - javax/microedition/io/Connector.open(), bci=77
  - javax/microedition/io/Connector.open(), bci=6
  - javax/microedition/io/Connector.open(), bci=3
  - javamecomapp/JavaMEcomApp.openComm(), bci=46
  - javamecomapp/JavaMEcomApp.startApp(), bci=9
  - javax/microedition/midlet/MIDletTunnelImpl.callStartApp(), bci=1
  - com/sun/midp/midlet/MIDletPeer.startApp(), bci=5
  - com/sun/midp/midlet/MIDletStateHandler.startSuite(), bci=246
  - com/sun/midp/main/AbstractMIDletSuiteLoader.startSuite(), bci=38
  - com/sun/midp/main/CldcMIDletSuiteLoader.startSuite(), bci=5
  - com/sun/midp/main/AbstractMIDletSuiteLoader.runMIDletSuite(), bci=130
  - com/sun/midp/main/AppIsolateMIDletSuiteLoader.main(), bci=26
  Closing comm port.
  Closing comm port.
  TRACE: <at java.lang.NullPointerException>, destroyApp threw an Exception
  java.lang.NullPointerException
  - javamecomapp/JavaMEcomApp.closeComm(), bci=11
  - javamecomapp/JavaMEcomApp.destroyApp(), bci=9
  - javax/microedition/midlet/MIDletTunnelImpl.callDestroyApp(), bci=2
  - com/sun/midp/midlet/MIDletPeer.destroyApp(), bci=6
  - com/sun/midp/midlet/MIDletStateHandler.startSuite(), bci=376
  - com/sun/midp/main/AbstractMIDletSuiteLoader.startSuite(), bci=38
  - com/sun/midp/main/CldcMIDletSuiteLoader.startSuite(), bci=5
  - com/sun/midp/main/AbstractMIDletSuiteLoader.runMIDletSuite(), bci=130
  - com/sun/midp/main/AppIsolateMIDletSuiteLoader.main(), bci=26
  java.lang.NullPointerException
  - javamecomapp/JavaMEcomApp.closeComm(), bci=11
  - javamecomapp/JavaMEcomApp.destroyApp(), bci=9
  - javax/microedition/midlet/MIDletTunnelImpl.callDestroyApp(), bci=2
  - com/sun/midp/midlet/MIDletPeer.destroyApp(), bci=6
  - com/sun/midp/midlet/MIDletStateHandler.startSuite(), bci=376
  - com/sun/midp/main/AbstractMIDletSuiteLoader.startSuite(), bci=38
  - com/sun/midp/main/CldcMIDletSuiteLoader.startSuite(), bci=5
  - com/sun/midp/main/AbstractMIDletSuiteLoader.runMIDletSuite(), bci=130
  com/sun/midp/main/AppIsolateMIDletSuiteLoader.main(), bci=26
  I have tried this with three different serial ports, /dev/ttyAMA0 (yes I did disable the OS from using it), an arduino board /dev/ttyACM0, and a USB to RS485 adaptor /dev/ttyUSB0. All of these ports could be connected and use normally with both a C program and terminal program in the Pi. The API Permissions were set in the project properties / Application Descriptor / API Permissions to jdk.dio.DeviceMgmtPermission "/dev/ttyAMA0". This of course was changed as I tested different devices.
  I found a reference suggesting adding the line "authentication.provider = com.oracle.meep.security.NullAuthenticationProvider" to the end of the jwc_properties.ini file. This had no effect. I found references that during development in eclipse and NetBeans, the app is already elevated to the top level so this should not be an issue until deployment. This does not appear to be the case.
  I am out of time and need a solution quickly. Any suggestions are welcome.

  Terrence,
     Thank you for responding and confirming the issues I'm having with static addressing.  As far as the example above, I do have the standard LEDs working correctly, however, the example I'm referring to above is from the JavaME samples using the GPIO Port for the LEDS, according to the Device I/O Preconfigured List you referenced:
  GPIO Ports
  The following GPIO ports are preconfigured.
  Devicel ID
  Device Name
  Mapped
  Configuration
  8
  LEDS
  PTB22
  PTE26
  PTB21
  direction = 1 (Output only)
  initValue = 0
  GPIOPins:
  controllerNumber = 1
  pinNumber = 22
  mode = 4 (Push-pull mode)
  controllerNumber = 4
  pinNumber = 26
  mode = 4 (Push-pull mode)
  controllerNumber = 1
  pinNumber = 21
  mode = 4 (Push-pull mode)
  So is the assumption that using GPIOPort for accessing the GPIO port for Device ID 8 as listed in the Device I/O Preconfigured list not supported?

• EMC - Certificate status could not be determined because revocation check failed.

  I've exhausted my resources on this issue and am reaching out for some assistance. I have setup Server 2008 R2 Enterprise SP1, running Exchange 2010 SP1. In EMC I have successfully imported a GoDaddy SSL certificate. Although I am receiving the message -
  "The certificate status could not be determined because the revocation check failed."
  Here are the steps I've taken to troubleshoot this so far:
  [PS] C:\Users\Administrator\Desktop>netsh winhttp show proxy
  Current WinHTTP proxy settings:
  Direct access (no proxy server).
  As you can see, direct access. Which is true, no proxy's on this network.
  For good measure, I'll dump the urlcache.
  certutil -urlcache ocsp delete
  certutil -urlcache crl delete
  Both return 0, reboot server.
  Comes back up, same message in EMC.
  From PS, I test exactly what its getting from GoDaddy.
  [PS] C:\Users\Administrator\Desktop>certutil -f -urlfetch -verify mail.fluxlabs.net.crt
  Issuer:
  SERIALNUMBER=07969287
  CN=Go Daddy Secure Certification Authority
  OU=http://certificates.godaddy.com/repository
  O=GoDaddy.com, Inc.
  L=Scottsdale
  S=Arizona
  C=US
  Subject:
  CN=mail.fluxlabs.net
  OU=Domain Control Validated
  O=mail.fluxlabs.net
  Cert Serial Number: 27b60918638e0d
  dwFlags = CA_VERIFY_FLAGS_ALLOW_UNTRUSTED_ROOT (0x1)
  dwFlags = CA_VERIFY_FLAGS_IGNORE_OFFLINE (0x2)
  dwFlags = CA_VERIFY_FLAGS_FULL_CHAIN_REVOCATION (0x8)
  dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
  dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
  ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN (0x20000000)
  HCCE_LOCAL_MACHINE
  CERT_CHAIN_POLICY_BASE
  -------- CERT_CHAIN_CONTEXT --------
  ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
  ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
  SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
  SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
  CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000040
  Issuer: SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=S
  cottsdale, S=Arizona, C=US
  NotBefore: 8/20/2011 7:49 PM
  NotAfter: 8/20/2012 7:16 PM
  Subject: CN=mail.fluxlabs.net, OU=Domain Control Validated, O=mail.fluxlabs.net
  Serial: 27b60918638e0d
  SubjectAltName: DNS Name=mail.fluxlabs.net, DNS Name=www.mail.fluxlabs.net
  33 49 57 5d 6e d8 6b aa b9 61 73 95 44 07 c9 2e 55 6e 47 10
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
  Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
  ---------------- Certificate AIA ----------------
  Verified "Certificate (0)" Time: 4
  [0.0] http://certificates.godaddy.com/repository/gd_intermediate.crt
  ---------------- Certificate CDP ----------------
  Expired "Base CRL (05)" Time: 4
  [0.0] http://crl.godaddy.com/gds1-55.crl
  ---------------- Base CRL CDP ----------------
  No URLs "None" Time: 0
  ---------------- Certificate OCSP ----------------
  Expired "OCSP" Time: 4
  [0.0] http://ocsp.godaddy.com/
  CRL (null):
  Issuer: CN=Go Daddy Validation Authority, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US
  e5 53 19 6c 54 87 8c 62 23 1b b9 11 e1 d8 3d 3f b2 04 77 3f
  Issuance[0] = 2.16.840.1.114413.1.7.23.1
  Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication
  Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication
  CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0
  Issuer: OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US
  NotBefore: 11/15/2006 8:54 PM
  NotAfter: 11/15/2026 8:54 PM
  Subject: SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=
  Scottsdale, S=Arizona, C=US
  Serial: 0301
  7c 46 56 c3 06 1f 7f 4c 0d 67 b3 19 a8 55 f6 0e bc 11 fc 44
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ---------------- Certificate AIA ----------------
  No URLs "None" Time: 0
  ---------------- Certificate CDP ----------------
  Verified "Base CRL" Time: 4
  [0.0] http://certificates.godaddy.com/repository/gdroot.crl
  ---------------- Base CRL CDP ----------------
  No URLs "None" Time: 0
  ---------------- Certificate OCSP ----------------
  Expired "OCSP" Time: 4
  [0.0] http://ocsp.godaddy.com
  CRL (null):
  Issuer: OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US
  da 1e d5 63 5c 05 58 50 4e db d2 4e e8 9d 28 9d c4 36 b3 1e
  Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication
  Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication
  Application[2] = 1.3.6.1.5.5.7.3.4 Secure Email
  Application[3] = 1.3.6.1.5.5.7.3.3 Code Signing
  CertContext[0][2]: dwInfoStatus=109 dwErrorStatus=0
  Issuer: OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US
  NotBefore: 6/29/2004 12:06 PM
  NotAfter: 6/29/2034 12:06 PM
  Subject: OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US
  Serial: 00
  27 96 ba e6 3f 18 01 e2 77 26 1b a0 d7 77 70 02 8f 20 ee e4
  Element.dwInfoStatus = CERT_TRUST_HAS_EXACT_MATCH_ISSUER (0x1)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ---------------- Certificate AIA ----------------
  No URLs "None" Time: 0
  ---------------- Certificate CDP ----------------
  No URLs "None" Time: 0
  ---------------- Certificate OCSP ----------------
  No URLs "None" Time: 0
  Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication
  Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication
  Application[2] = 1.3.6.1.5.5.7.3.4 Secure Email
  Application[3] = 1.3.6.1.5.5.7.3.3 Code Signing
  Exclude leaf cert:
  b1 04 4b 90 a1 d3 48 de 46 bd d7 50 20 e3 44 b8 3f 68 39 f7
  Full chain:
  68 36 4d 37 2e 96 bd d2 aa 77 3f d0 e8 78 a9 e6 68 bd 7d 71
  Verified Issuance Policies:
  2.16.840.1.114413.1.7.23.1
  Verified Application Policies:
  1.3.6.1.5.5.7.3.1 Server Authentication
  1.3.6.1.5.5.7.3.2 Client Authentication
  Cert is an End Entity certificate
  ERROR: Verifying leaf certificate revocation status returned The revocation function was unable to check revocation because the revocation server was
  offline. 0x80092013 (-2146885613)
  CertUtil: The revocation function was unable to check revocation because the revocation server was offline.
  CertUtil: -verify command completed successfully.
  As you can see, the "revocation server is offline."
  So I run the same test from another server on the LAN.
  Verified Issuance Policies:
  2.16.840.1.114413.1.7.23.1
  Verified Application Policies:
  1.3.6.1.5.5.7.3.1 Server Authentication
  1.3.6.1.5.5.7.3.2 Client Authentication
  Cert is an End Entity certificate
  Leaf certificate revocation check passed
  CertUtil: -verify command completed successfully.
  It passes. The server's firewall has been disabled. DNS cache has been cleared. I have verified everything I can, and still failing to verify.

  [PS] C:\Users\Administrator\Desktop>Get-ExchangeCertificate |fl
  AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.Acces
  trol.CryptoKeyAccessRule}
  CertificateDomains : {mail.fluxlabs.net, www.mail.fluxlabs.net}
  HasPrivateKey : True
  IsSelfSigned : False
  Issuer : SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy
  , Inc.", L=Scottsdale, S=Arizona, C=US
  NotAfter : 8/20/2012 7:16:57 PM
  NotBefore : 8/20/2011 7:49:30 PM
  PublicKeySize : 2048
  RootCAType : ThirdParty
  SerialNumber : 27B60918638E0D
  Services : IMAP, POP, IIS, SMTP
  Status : RevocationCheckFailure
  Subject : CN=mail.fluxlabs.net, OU=Domain Control Validated, O=mail.fluxlabs.net
  Thumbprint : 3349575D6ED86BAAB96173954407C92E556E4710
  [PS] C:\Users\Administrator\Desktop>Enable-ExchangeCertificate -Thumbprint 3349575D6ED86BAAB96173954407C92E556E4710 -Services POP,IMAP,SMTP,IIS
  The command has already been executed. Yes, I have seen those sites. Neither have worked. Like I said, it is directly connected; and no proxies are set.
  -- Jeremy MCSpadden Flux Labs

• AUTHORITY-CHECK & customized program

  Hi,
  I've applied an authority-check to my customized program. What I did was, I've created an authorization object name 'ZFI_PGRM' in SU21 and tie it with authorization fields BUKRS, ACTVT. This authority-check will validate on the company code (BUKRS) entered from the selection screen. Below are my lines in the customized program :
  DATA: text      TYPE string,
            m_text  TYPE string.
  text = 'You are not authorised for Company Code'.
  DATA: t_t001 LIKE t001 OCCURS 0 WITH HEADER LINE..
  SELECT * FROM t001
         INTO TABLE t_t001
               WHERE bukrs IN s_bukrs.
  LOOP AT t_t001.
    AUTHORITY-CHECK OBJECT 'ZFI_PGRM'
        ID 'BUKRS' FIELD t_t001-bukrs
        ID 'ACTVT' FIELD '03'.
    IF sy-subrc <> 0.
      CONCATENATE text t_t001-bukrs INTO m_text SEPARATED BY space.
    ENDIF.
  ENDLOOP.
  At the same time BASIS tie the autorization object 'ZFI_PGRM' to the user role in order to access the program using PFCG. The problem now is the result that I'm getting always SY-SUBRC = 12 eventhough the user is allowed to access the company's report. Please help...
  Haryati

  Run transaction SU53 after the auth check fails and maybe it will give you a clue as to what is going on.

• User role and Authority-check ?

  Hello,
  Could you please let me know how are the differences between User role and Authority-check. In a program I do not use Authority-check , And The user is not assigned to user role which contain this transaction ( for this program), Can the user execute this transaction OR he must be assigned to user role which contain this transaction to execute it . Supposing that we do not use any Authority-check in then program.
  Thanks in advance

  Hello Martin,
  I think this answers the OP's question about user not being assigned the role which contains the trxn code. As you have explained in this case the default auth. check for S_TCODE will fail & user cannot execute the trxv. (If i remember correctly the tables for this are AGR_USERS & AGR_TCODES)
  Anyways just to add to the OP's query. Auth. objects are added to profiles which in turn assigned to roles. So if you implement the auth. object in your program the user must also subscribe to the role containing the auth. obj. profile to be able to execute it.
  @OP:
  The transactions PFCG & SUIM might interest you. Also the tables dealing with these stuffs begin with AGR*. You can check the tables for better understanding.
  BR,
  Suhas

• Analize authority checks in web dynpro processing

  Hi,
  I'm facing strange things here.
  A user was reported not to be able to successfully use a function provided in our system:
  We provide a function for use of our call center agents that will reprocess and output document and send it by mail to the customer. It looks as if it worked but the mail is not sent.
  I started SE80 with my own user and put some external breakpoints in the webdynpro code for the agents username. Then I started the webdynpro application by entering the URL into the browser and logging in with the agent's credentials.
  On my first try, the debugger started ehen the external breakpoint was reached. SY-UNAME was the agent's name but everything went fine.
  Obviously the authority checks where done for my own user although there was a different sy-uname.
  I logged off completely and started a second time. I used my owner user to set the external breakpoints because the agent's user has no rights for development, just restricted to a couple of roles.
  This time I got a rabax state error - the dump was caused because the agent's user does not have authority for debug. The rabax error shoed me the call hierarchy and pointed to the method where I set the external breakpoint.
  So, is the any way to come close to the code where authorization check fails?
  Or - which we could try: What are the roles/profiles for use of SAPOFFICE? (in SU53, we can see failed checks, but it looks strange as there are failed authority-checks for ...ADMIN - dont know exactly because now I', home and don't have remote access).
  Good ideas always welcome!
  Note: Nobody knows why this function is implemented in Webdynpro but we have to live with it and get it working for this group of agents.
  Regards
  Clemens

  Traditionally I would probably have used ST01 with the "Authorization check" option and general filters to log which authority checks are working / failing.
  But now I quite like using ST05 (SQL Trace) instead as drilldown to the code is available ... you can tick the "Buffer Trace" option and "Activate Trace with Filter" to log the other user's calls - this will then display lots of references to tables USOBX_C and USRBF2 - drilling to the code on these usually gives you the "authority-check object 'xyz' .." details.
  Jonathan

• How to debug a authority check in program and a authorisation object in tco

  Can anyone tell me how to debug a authority check in program and a authorisation object in tcode
  i just want to know the flow of authorisation object in debugging how user is assocaited with authorisation object and roles.
  i know if sy-subrc ne 0 is authorisation failed ,so please help me anyone on this.
  every time when i put breakpoint ,if its program level only, i am able to decide only through sy-subrc but iam unable o view the flow .

  flow cannot be seen, we have to be based on sy-subrc only...
  you cannot see the flow in read table... describe table... transfer...
  the authorization object will be assigned to the data element, that data element has some realtion to the roles given to the users. So if the role of the user and data element value doesnt match the sy-subrc NE 0.

• Urgent! Problem with authority-check

  Hi all,
  I encounter some wierd scenario with authority-check.
  I try to run IW41 (create order confirmation) and the following authority-check
  AUTHORITY-CHECK OBJECT 'C_AFKO_ATY'
         ID 'ACTVT' FIELD TMP_ACTVT
         ID 'AUTYP' FIELD ACT_AUTYP.
    IF NOT SY-SUBRC IS INITIAL.
      MESSAGE E124 WITH SY-TCODE RAISING MISSING_AUTHORITY.
    ENDIF.
  was successful. However, when i try to run the FM CO_RI_CONFIRMATION_CREATE (use to create order confirmation), the exact same code is run and when i reach the above authority-check, it fails even if all the variable passed to the check is the same.
  How can this happen? I need some help. Very urgent.

  Hi Mil,
  Check the values of TMP_ACTVT and ACT_AUTYP for both the cases.
  May be they are different.
  Reward points if useful.
  Regards,
  Atish

• ADFC-0619: Authorization check failed

  I am running JDeveloper 11.1.2.4
  ADF Security is enabled for the application.
  Security model is ADF Authentication and Authorization.
  I have created roles for employee, manager and admin.
  The roles are used to hide/display menu items and to allow/disallow access to task flows.
  I have dozens of task flows and this approach has worked well for some time.
  I added a new task flow that is accessible only to the admin role. The menu item is rendered only if the user is in the admin role. View access to the task flow is only granted to the admin role.
  As with new task flows in the past, I created and deployed an .ear file on my stand alone WLS. I then tested the functionality. This works as expected.
  I then gave the .ear file to our system admin to deploy on the sun server WLS. The deployment went fine but when I log in as an admin user and try to access the new menu item and task flow, the menu item is rendered but it says that the user is not authorized for the task flow.
  ADFC-0619: Authorization check failed: '/WEBINF/PlnDollarsSpentLineGraphTF.xml#PlnDollarsSpentLineGraphTF' 'VIEW'.
  Since the menu item is rendered I know that the user is assigned to the admin group. Access to all other menu items and task flows in the application is correct. Only having a problem with the new task flow.
  It would appear that the problem is with the .ear file rather than WLS. However, it works fine on my stand alone WLS and I looked at the jazn-data.xml file in the .ear file. It looks normal. The entry for the task flow looks like all the other task flow entries.
  Any ideas?
  Thanks for your help, Steve

  I examimed the system-jazn-date.xml file and found that the entry for the new task flow did not make it from the jazn-data.xml file into the system-jazn-data.xml file. I had the server system administrator do the deploy a second time. This time the system-jazn-date.xml file was updated properly and the new functionality is working.
  If anyone has an idea why system-jazn-date.xmp did not get updated in the first deployment I would be very interested.
  Thanks, Steve

• Authority Check on Table - Restrict Entries based on check

  Hi,
  I need to add an authorization check to a table.
  The check will restrict certain entries from displaying, based on the check of some table fields.
  The table is custom and I know which authority object to use, as well as which fields to restrict.
  How do I do this?
  Thanks!

  Hi N.,
  select all data into internal table, loop at the table, do authority check for each table, delete records that fail authority check, display results.
  Or use SELECT INTO structure, check authority , append if authority check is OK (SY-SUBRC = 0), ENDSELECT, then display.
  Try which way is better based on memory requirement and performance.
  I hope this answer will help you. If not, feel free to ask for details.
  Regards,
  Clemens

• Online certificate check failed

  I downloaded viber a while ago on my nokia 5230 and it was working perfectly. Recently when I opened viber on my phone I received a message saying that there s a new version of viber available on ovi store that I should get. Which I did. But when updating viber my phone says online certificate check failed. And the installation stops there. What does that mean? Can someone please help? This is highly frustrating. Almost smashed my phone because of that. Please help.
  Solved!
  Go to Solution.

  Tasha0190 wrote:
  I received a message saying that there s a new version of viber available on ovi store that I should get. Which I did.
  I guess, you used this item.
  Although scoobyman’s answer solves this issue, it opens up your Nokia to viruses and other bad applications. Signing makes sure, the author of the app is the one he claims to be. Signing makes the author responsible for what he does. If an author does something bad, his certificates gets revoked. OCSP makes sure, the signature is still good. Therefore, revert these two settings, after you installed an app you are trusting.
  Furthermore, an application from the Nokia Store should work with any setting. Any error or warning message is not acceptable and should be forwarded to the Nokia Store team for further analysis.
  a) Menu » Settings » Installations » Installations settings » Software installation
  The state of this item does not matter because Viber is signed correctly. Therefore, ‘Signed only’ works for Viber and is recommend.
  b) Menu » Settings » Installations » Installations settings » Online certificate check (OCSP)
  The state of this item does matter. Therefore, please, set is at least to ‘On’. In Wireshark, I checked that the certificate is not revoked but good. Therefore, I have no idea what is wrong here. It this not normal.
  Conclusion:
  Set ‘Online certificate check’ from ‘must be passed’ to ‘On’. If you still get the installation security warning ‘Unable to verify supplier’, report this to the Nokia Store team for further investigation.
  Change ‘Software installation’ from to ‘off’ only when you are absolutely trusting that app. Revert ‘Software installation’ to ‘signed only’ after the installation of that single particular app.