Configuring smb authentication protocol

Similar Messages

• An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP).

  Hello everyone:
  I know this question have been asked in these forums quite a few times. I apologize if it is a repeat telecast but I was not able to find a suitable solution pertaining to my problem.
  I have a AP/SM setup that is configured to get EAP-PEAP authentication from Windows 2012 Server. I have setup everything and have verified that the EAP-PEAP authentication works fine on AP/SM by getting authentication from FreeRADIUS server. Now, when I try
  to get authentication from Windows Server, I am getting a reject. The Event log shows this generic message:
  Reason Code: 23
  Reason:
      An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors.
  There is nothing in the EAP logs that is obvious too:
  "USIL01PMPTST01","IAS",07/11/2014,11:59:44,1,"SANDBOX\test","SANDBOX\test",,,,,,"10.120.133.10",5,0,"10.120.133.10","Canopy_AP",,,18,,,,5,"PEAP_TEST",0,"311 1 10.120.133.1
  07/11/2014 00:05:57 4927",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"PEAP_TEST_CONNECTION",1,,,,
  "USIL01PMPTST01","IAS",07/11/2014,11:59:44,11,,"SANDBOX\test",,,,,,,,0,"10.120.133.10","Canopy_AP",,,,,,,5,"PEAP_TEST",0,"311 1 10.120.133.1 07/11/2014 00:05:57 4927",30,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"PEAP_TEST_CONNECTION",1,,,,
  "USIL01PMPTST01","IAS",07/11/2014,11:59:44,1,"SANDBOX\test","SANDBOX\test",,,,,,"10.120.133.10",5,0,"10.120.133.10","Canopy_AP",,,18,,,,5,"PEAP_TEST",0,"311 1 10.120.133.1
  07/11/2014 00:05:57 4928",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"PEAP_TEST_CONNECTION",1,,,,
  "USIL01PMPTST01","IAS",07/11/2014,11:59:44,11,,"SANDBOX\test",,,,,,,,0,"10.120.133.10","Canopy_AP",,,,,,,5,"PEAP_TEST",0,"311 1 10.120.133.1 07/11/2014 00:05:57 4928",30,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"PEAP_TEST_CONNECTION",1,,,,
  "USIL01PMPTST01","IAS",07/11/2014,11:59:44,1,"SANDBOX\test","SANDBOX\test",,,,,,"10.120.133.10",5,0,"10.120.133.10","Canopy_AP",,,18,,,,11,"PEAP_TEST",0,"311 1 10.120.133.1
  07/11/2014 00:05:57 4929",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"PEAP_TEST_CONNECTION",1,,,,
  "USIL01PMPTST01","IAS",07/11/2014,11:59:44,3,,"SANDBOX\test",,,,,,,,0,"10.120.133.10","Canopy_AP",,,,,,,11,"PEAP_TEST",23,"311 1 10.120.133.1 07/11/2014 00:05:57 4929",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"PEAP_TEST_CONNECTION",1,,,,
  So, basically, the sequence is this:
  request , challenge, request , challenge, request, reject
  Any idea what might be happening?
  Thank you.

  Hi,
  Have you installed certificates on the NPS server properly? Have you selected the proper certificate in the properties of PEAP?
  Here is an article about the Certificate requirements of PEAP,
  Certificate requirements when you use EAP-TLS or PEAP with EAP-TLS
  http://support.microsoft.com/kb/814394
  If your certificate matches the requirement, you may try to reinstall the certificate by export and import.
  To export a certificate, please follow the steps below,
  Open the Certificates snap-in for a user, computer, or service.
  In the console tree under the logical store that contains the certificate to export, click
  Certificates.
  In the details pane, click the certificate that you want to export.
  On the Action menu, point to
  All Tasks, and then click Export.
  In the Certificate Export Wizard, click No, do not export the private key. (This option will appear only if the private key is marked as exportable and you have access to the private key.)
  Provide the following information in the Certificate Export Wizard:
  Click the file format that you want to use to store the exported certificate: a DER-encoded file, a Base64-encoded file, or a PKCS #7 file.
  If you are exporting the certificate to a PKCS #7 file, you also have the option to include all certificates in the certification path.
  If required, in Password, type a password to encrypt the private key you are exporting. In
  Confirm password, type the same password again, and then click
  Next.
  In File name, type a file name and path for the PKCS #7 file that will store the exported certificate and private key. Click
  Next, and then click Finish.
  To import a certificate, please follow the steps below,
  Open the Certificates snap-in for a user, computer, or service.
  In the console tree, click the logical store where you want to import the certificate.
  On the Action menu, point to
  All Tasks, and then click Import to start the Certificate Import Wizard.
  Type the file name containing the certificate to be imported. (You can also click
  Browse and navigate to the file.)
  If it is a PKCS #12 file, do the following:
  Type the password used to encrypt the private key.
  (Optional) If you want to be able to use strong private key protection, select the
  Enable strong private key protection check box.
  (Optional) If you want to back up or transport your keys at a later time, select the
  Mark key as exportable check box.
  Do one of the following:
  If the certificate should be automatically placed in a certificate store based on the type of certificate, click
  Automatically select the certificate store based on the type of certificate.
  If you want to specify where the certificate is stored, select
  Place all certificates in the following store, click
  Browse, and choose the certificate store to use.
  If issue persists, you may try to re-issue the certificate.
  For detailed procedure, you may refer to the similar threads below,
  Having issues getting PEAP with EAP-MSCHAP v2 working on Windows 2008 R2
  http://social.technet.microsoft.com/Forums/windowsserver/en-US/c66cf0a8-24dd-4ccd-b5bb-16bd28ad8d4c/having-issues-getting-peap-with-eapmschap-v2-working-on-windows-2008-r2?forum=winserverNAP
  Hope this helps.
  Steven Lee
  TechNet Community Support

• Configure Certificate Authentication.

  I'm configuring a SOAP adapter (receiver) and in the SAP Doc Libray this is what it says to use a certificate :
  If the server requests a certificate from the client, set the indicator Configure Certificate Authentication.
  ¡        Specify the Keystore Entry.
  ¡        Specify the Keystore View.
  Problem is this indicator doesn't even show up in my adapter communication channel!
  Has anyone had this issue?
  Thanks - Andrew

  Hi Andrew,
  have you got XI with SP13?
  this is a feature available only from SP13:
  Receiver SOAP Adapter
  You can now configure a certificate authentication for the HTTPS and SMTPS transport protocols.
  if you want to check you SP level
  open IR or ID then <b>Help</b> menu and choose <b>Information</b>
  if your SP is lower then you'll have to update your XI
  Regards,
  michal

• A certificate could not be found that can be used with this extensible authentication protocol in PEAP policy config

  Windows 2003 enterprise
  AD DC, DNS, DHCP, CA and IAS all are running from single server. But at the time of configuration of Remote Access Policy the error message of "a certificate could not be found that can be used with this extensible authentication protocol" is appeared.
  So with the help of mmc snap in the certificate was requested from CA (Domain Controller template)as a new certificate request and placed in the local computer personal folder. 
  After placing the certificate the error message was disappeared during configuring PEAP. 
  But after sometime the certificate was disappeared from remote access policy. But the same imported certificate was present in personal folder.
  What is reason for frequent disappearing?
  How to manage the situation?

  Hi,
  I think the cause is that the DomainControllerAuthentication certificate has superseded the
  DomainController certificate which is chosen during the setup of IAS.
  To avoid this, if you’re going to install IAS on a Domain Controller, the DC should be made to enroll for a separate certificate from the template
  'RAS and IAS Servers' before the IAS server is installed and this certificate should then be chosen for any PEAP setup.
  Further details:
  Enrolling Certificates with Templates
  http://technet.microsoft.com/en-us/library/dd197527(v=WS.10).aspx
  Configure the server certificate template
  http://technet.microsoft.com/en-us/library/cc755043(v=WS.10).aspx
  Steven Lee
  TechNet Community Support

• The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server

  wireless authentication not working 
  I found the following in the radius
  Log Name:      Security
  Source:        Microsoft-Windows-Security-Auditing
  Date:          1/15/2014 2:07:57 AM
  Event ID:      6273
  Task Category: Network Policy Server
  Level:         Information
  Keywords:      Audit Failure
  User:          N/A
  Computer:     NAP01.test.local
  Description:
  Network Policy Server denied access to a user.
  Contact the Network Policy Server administrator for more information.
  User:
   Security ID:   doamin \user.a
   Account Name:   user.a
  Client Machine:
   Security ID:   NULL SID
   Account Name:   -
   Fully Qualified Account Name: -
   OS-Version:   -
   Called Station Identifier:  00-0F-7D-C4-45-20:staff
   Calling Station Identifier:  0C-74-C2-EF-Dd-0B
  NAS:
   NAS IPv4 Address:  192.168.9.10
   NAS IPv6 Address:  -
   NAS Identifier:   -
   NAS Port-Type:   Wireless - IEEE 802.11
   NAS Port:   497
  RADIUS Client:
   Client Friendly Name:  wcont1
   Client IP Address:   192.168.9.10
  Authentication Details:
   Connection Request Policy Name: Wireless
   Network Policy Name:  wism
   Authentication Provider:  Windows
   Authentication Server:  NAP01.test.local
   Authentication Type:  EAP
   EAP Type:   -
   Account Session Identifier:  -
   Logging Results:   Accounting information was written to the local log file.
   Reason Code:   22
   Reason:    The client could not be authenticated  because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.
  Please help

  Hi,
  Anything updates?
  In addition, this issue may also because your client didn't have CA certificate of your domain. Please make sure that your client has CA certificate.
  Besides, the error "The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server" may be due to that the default maximum transmission unit that NPS uses for EAP payloads is 1500
  bytes. You can lower the maximum size that NPS uses for EAP payloads by adjusting the Framed-MTU attribute in a network policy to a value no greater than 1344:
  Configure the EAP Payload Size
  Best regards,
  Susie

• Configuring the authentication scheme for a web application

  Hi all,
  We have a requirement to configure the authentication scheme for a web application where some set of users should access the application using basic LDAP (userid/password) authentication and some using digital certificate authentication.
  Since the deployment descriptor (web.xml) allows only one directive for auth-method in logic-config, we want to know if there is any other way to achieve this requirement. We are thinking of a custom login module approach. But we are not able to figure out how to configure the auth-method at runtime from the login servlet.
  Please let us know if there is any other approach to achieve this.
  I will be thankful if any body shares any specific solution to this issue.

  This forum is probably not the correct one to ask in. It's more related to the web container than Java Programming.
  Kaj

• Windows Server 2012 R2 wouldn't response SMB Negotiate Protocol Request

  Hello
  I've got an windows 2012 r2 as a file server,  it worked fine with windows client but not with lunix-based client
  I first discovered this problem on an Android phone:http://social.technet.microsoft.com/Forums/en-US/b3a8a7f9-f4b7-4b9f-b586-2ec87fc14d71/cant-access-shared-folders-on-win-2012-r2-with-android-phone?forum=winserverPN
  then I did some test on a newly installed lunix OS on a VM today, I found that my server do not response SMB Negotiate Protocol Request from my phone or the testing OS at all.
  when I try smbclient -L ServerIP, I get
  read_socket_with_timeout: timeout read. read error = Connection reset by peer.
  Receiving SMB: Server stopped responding
  protocol negotiation failed
  the wireshark capture are like this:
  35 22.704658
  192.168.1.20 192.168.1.10
  SMB 260
  Negotiate Protocol Request
  36 22.704745
  192.168.1.10 192.168.1.20
  TCP 54
  microsoft-ds → 41733 [RST, ACK] Seq=1 Ack=195 Win=0 Len=0
  37 23.090116
  192.168.1.20 192.168.1.10
  TCP 74
  41734 → microsoft-ds [SYN] Seq=0 Win=5840 Len=0 MSS=1460 SACK_PERM=1 TSval=8758786 TSecr=0 WS=16
  38 23.090237
  192.168.1.10 192.168.1.20
  TCP 74
  microsoft-ds → 41734 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1 TSval=5473099 TSecr=8758786
  39 23.090382
  192.168.1.20 192.168.1.10
  TCP 66
  41734 → microsoft-ds [ACK] Seq=1 Ack=1 Win=5840 Len=0 TSval=8758787 TSecr=5473099
  I don'tknow what's causing this problem ,is there anyone could help me?

  Hi,
  If you access files stored on Windows Server 2012 R2 from other non-Windows client computers, you need to use NFS protocol.
  Using the NFS protocol, you can transfer files between computers running Windows and other non-Windows operating systems, such as Linux or UNIX.
  In Windows Server 2012, NFS includes the components, Server for NFS and Client for NFS. Server for NFS enables a computer running Windows Server 2012 to act as a NFS file server for other non-Windows client computers. Client for NFS enables a Windows-based
  computer that is running Windows Server 2012 to access files that are stored on a non-Windows NFS server.
  For more detailed information, please refer to the articles below:
  Network File System Overview
  http://technet.microsoft.com/en-us/library/jj592688.aspx
  Server for Network File System First Share End-to-End
  http://blogs.technet.com/b/filecab/archive/2012/10/08/server-for-network-file-system-first-share-end-to-end.aspx
  Regards,
  Mandy
  We
  are trying to better understand customer views on social support experience, so your participation in this
  interview project would be greatly appreciated if you have time.
  Thanks for helping make community forums a great place.

• Error while configuring SAP authentication in CMC adn Win XP PRO

  Hi,
  I am new to Business Objects and i was installing the Business Objects integartion Kit for SAP.
  I have already installed Crystal Server 2008 and copied the SAP Jco to the specified folders.But whiling trying to configure the SAP authenticatuion, I keep getting the TOMCAT error. I unistalled and reinstalled again. Still not working
  Note: My Operating System is Windows XP.
  Appreciate any suggestions
  Regards,
  Biju

  Hello All,
  I reinstalled it again based on the link BusinessObjects and SAP - Configure SAP Authentication from Ingo Hilgefort and all are working as expected.
  Now I have a different problem, My Company does not intent to go for a portal at this time, but is considering using formatted reports using crystal reports. What are the other options available for the users to access these reports? For instance all the bex users have Bex Analyser installed on each client machine, do we have anything similar for Crystal reports.
  Any help is greatly appreciated.
  Regards,
  Biju

• Configure User Authentication on SOAP Receiver Adapter

  Hi,
  I am calling a WebService that is available over the internet.  We are on PI 7.1 and I am using a Soap Receiver Adapter.  The configuration was downloaded from SAP in a partner package.  The development in the package was done on XI3. 
  I need to call the WS with user authentication.  I've selected the "Configure User Authentication" radio button and entered the username and password.  The message fail with "HTTP 401 Unauthorized" and it is because the user details are not being send from the adapter.  If I copy the XML payload to a XML tool, like Stylus Studio, I can call the webservice successfully.  I've read through numerous blogs and messages on this Forum, including adding the adapter module (MessageTransformBean) and changing the Conversion Parameters without any luck. 
  Any suggestions please?
  Thanks

  I am calling a WebService that is available over the internet.
  I copy the XML payload to a XML tool, like Stylus Studio, I can call the webservice successfully.
  normally the webservices that we use (from internet) are freely available...meaning they dont require any username/ password.
  if no credentials are required then do not select Configure User Authentication...uncheck it....if user-details are provided by the Webservice, then use these details (not your XI/ PI user details) in the channel.
  Are you using any user-name/ password while testing from SOAP tools?
  Regards,
  Abhishek.

• Configure Client Authentication for Receiver SOAP Adapter

  Hi,
  Can you please tell me what i should give in receiver soap channel for KeyStoreEntry and KeyStoreView after checking Configure Client Authentication checkbox,as I have got certificate from third party.
  Thanks in advance
  Best Regards,
  Harleen Kaur Chadha

  Hi,
  Keystore Entry:
  Login to Visual Admin --> Server --> Services --> KeyStorage --> TrustedCAs --> Load --> Select the location where you have stored the certificate on your local system
  Load function is used as you have already got the certificate....
  Once this is done you will find an entry for your certificate in the Entries tab of your TrustedCAs section.
  This is your Keystore Entry...in other words it the name of your certificate.
  Keystore View:
  http://help.sap.com/saphelp_webas630/helpdata/en/16/c0503e1dac5b46e10000000a114084/content.htm
  Are you going to consume Logon tickets of the Third party system (which is other than SAP J2ee engine of your XI)? If yes, then you may also need to do some more settings in the J2ee Engine.
  Regards,
  Abhishek.

• CONFIGURING OS AUTHENTICATION(OPS$ ACCOUNT) ON NT

  제품 : ORACLE SERVER
  작성날짜 : 1997-11-27
  CONFIGURING OS AUTHENTICATION(OPS$ ACCOUNT) ON NT
  =================================================
  PURPOSE
  다음은 Windows NT나 Windows 95 client에서 Windows NT server에
  OS Authentication을 사용하는 방법에 대해 알아 본다.
  Explanation
  먼저, User Account는 Windows NT client와 Windows NT server에서 동일한
  이름을 필요로 한다.
  1. Oracle database가 있는 Windows NT server에 User Account를 생성한다.
  1) Window의 '시작' -> '프로그램' -> '관리 도구' -> '사용자 관리자'
  2) Menu의 '사용자' -> 'New User'
  3) Windows NT Client에서 사용할 Username과 Password를 생성한다.
  2. OPS$ Account를 생성한다.
  1) startup된 db에서 sqlplus나 sqldba로 connect하여 user를 다음과 같이
  생성한다.
  CREATE USER OPS$<name> IDENTIFIED EXTERNALLY;
  GRANT CONNECT TO OPS$<name>;
  2) User에 대해 quotas와 더불어 default tablespace,temporary tablespace
  를 지정할 경우는 다음과 같이 alter command로 setting한다.
  ALTER USER OPS$<name>
  DEFAULT TABLESPACE <tablespace1>
  TEMPORARY TABLESPACE <tablespace2>
  QUOTA 10M ON <tablespace1>
  QUOTA 10M on <tablespace2>;
  3) User생성에 대한 자세한 정보는 Server Administrator Guide를 참조한다.
  3. Oracle database가 있는 Windows NT server에 Directory를 공유한다.
  단, SQLNET Named Pipe를 사용한다면 Directory를 공유할 필요는 없다.
  공유 parameter box에 공유 이름을 지정하고, 사용자 최대한 허용한다.
  만약 사용자를 제한하고자 한다면 제한 버튼을 선택하여 지정한다.
  4. 새로운 OS Authentication Account를 test한다.
  단, SQL*NET 2.2 Named Pipe에 대해서는 아래의 1)단계를 할 필요 없음.
  1) 공유된 NT server를 Network Drive 연결한다.
  만약, 공유된 Directory를 선택하여 Password 확인하는 Message가 뜬다면
  Client에 Logging한 Password와 User Password가 다르므로 재확인한다.
  2) 마지막으로 Client에서 SQLPLUS를 실행하여 Database에 Logging 한다.
  즉, username, password 를 입력하지 않고 '/@SQLNET2_DB_ALIAS'로서
  OS Authentication Account connect를 사용하여 Database에 Connect할
  수 있다.
  Example
  Reference Document
  ------------------

  I can't think of a reason why transactions would affect this wait stat. I tried to repro your observations under SQL 2012 and SQL2014 without success.  Could there be other activity against the instance during the test, such as SQL Server Agent or SSRS
  background noise?  As far as TRUSTWORTHY is concerned, are the Are the databases owned by the same login?  Are the database owners Windows or SQL logins?  What version of SQL Server? 
  PREEMPTIVE_OS_AUTHENTICATION_OPS is one of those wait stats I don't pay much attention to unless I suspect a problem related to Windows authentication.  It is the times rather than the counts that are significant. 
  For example, I've seen high PREEMPTIVE_OS_AUTHENTICATION_OPS times as
  a symptom of authentication traffic inadvertently routed to a DC in another data center, resulting in long connection times.
  Dan Guzman, SQL Server MVP, http://www.dbdelta.com

• Fatal error: Client does not support authentication protocol requested by server; consider upgrading MySQL client

  Fatal error: Client does not support authentication protocol
  requested by server; consider upgrading MySQL client in
  /homepages/28/d74942468/htdocs/cosmic/sites/onlinemove/Connections/db.php
  on line 9
  This is the error that comes up on the server where the site
  sits. The database is working on my local machine with the local
  settings, but wont connect due to the above.
  I think im using MySQL client 3.23 How do i upgrade?
  I found this on MySQL site:
  http://dev.mysql.com/doc/refman/5.0/en/old-client.html
  I'm not sure how to edit the connection string to make it
  accept the vaules.

  The_FedEx_Guy wrote:
  > Fatal error: Client does not support authentication
  protocol requested by
  > server; consider upgrading MySQL client in
  >
  /homepages/28/d74942468/htdocs/cosmic/sites/onlinemove/Connections/db.php
  on
  > line 9
  > I think im using MySQL client 3.23 How do i upgrade?
  The MySQL client that the error refers to isn't the version
  of MySQL,
  but the MySQL library bundled with PHP. It sounds as though
  your hosting
  company has upgraded to MySQL 4.1 or higher, but is still
  using PHP 4.
  > I'm not sure how to edit the connection string to make
  it accept the vaules.
  You can't. It's the way that the user account passwords are
  stored in
  MySQL. You need to get the hosting company to upgrade to PHP
  5 or to
  reset the passwords in MySQL using the OLD_PASSWORD()
  function. This
  needs to be done by someone with top-level administrative
  privileges on
  the database.
  David Powers, Adobe Community Expert
  Author, "Foundation PHP for Dreamweaver 8" (friends of ED)
  Author, "PHP Solutions" (friends of ED)
  http://foundationphp.com/

• ORA-28040: No matching authentication protocol in version 11.2.0.3

  Hi,
  I am working on database server 11.2.0.3 and the OS is linux 86 bit. i created an entry in sqlnet.ora file with
  SQLNET.ALLOWED_LOGON_VERSION = 10
  it is failing with ORA-28040: No matching authentication protocol error and i am not able to connect as sys till I comment the entry. How do i set this entry and where in the client side do I need to set this entry? Also, do I have to set it to SQLNET.ALLOWED_LOGON_VERSION = 11 instead? I am confused. Please help
  thanks a lot.

  Hello;
  Any chance you are using a JDBC driver?
  Try changing it to : ( Workaround )
  SQLNET.ALLOWED_LOGON_VERSION=8
  OR = 9
  This is an old bug if I remember correctly.
  Bug 8730787
  Best Regards
  mseberg
  Added to mine, but I'm unable to recreate the error. Using Oracle 11 client.
  Found this
  Action:     Administrator should set SQLNET_ALLOWED_LOGON_VERSION parameter
       on both client and servers to values that matches the minimum
       version supported in the system.
  Edited by: mseberg on Feb 16, 2012 12:34 PM
  Edited by: mseberg on Feb 16, 2012 12:36 PM

• SOAP REC Adapter....Configure User Authentication

  Hi
  I have a Receiver Soap Adapter parmater called "Configure User Authentication". If I check this option again we have two fileds which are to be filled with "User" and "passowrd". These user and password are used as authentication to access webservice. My webservice team claims XI is not sending those credentials to webservice during request. How can I check whether XI is sending the user and password information to webservice during requesst ??
  Regards
  Kumar

  Hi Kumar,
  there is an option :Check OSS Note no 856597
  Download the tcpgw.zip ...extract...open the aiitcpgw.jar file..and follow as expalined in the blog
  /people/varadharajan.krishnasamy/blog/2007/01/09/troubleshooting-soap-message--xi
  you will get the xml payload and there you can check the username and password is passing into the webservice.
  Cheers,
  Sunil.

• Configure SAP authentication for BusinessObjects

  Hi,
  I am configuring SAP authentication for BusinessObjects. I created a user account for BusinessObjects Enterprise on SAP with Authorization object, field, Value as "BusinessObjects XI Integration for SAP Solution Installation Guide". After add an SAP entitlement system to BusinessObjects Enterprise, I checked that an entitlement system. It show "User CRYSTAL has no RFC authorization for function group SYST." with CRYSTAL is user of SAP.
  Please, help me!!!
  Thanks
  Duypm

  Hi,
  My CRYSTAL_ENTITLEMENT Role as below:
  CRYSTAL_ENTITLEMENT
  |
  |--Manually     Cross-application Authorization Objects
  |     |_Manually      Authoriaztion Check for RFC Access
  |       |_ Manually      Authorization Check for RFC Access
  |       |______Activity                    All activities
  |       |______Name of RFC to be protected          *
  |       |______Type of RFC objects to protected      All value     
  |     
  __Manually     Basic: Administration
  __Manually     Authorization for file acccess
  ___Manually      Authorization for file access
  __Activity                     Read, Write
  __Physical file name               *
  __Program Name with Search Help     *
  __Manually      User Master Maintenace: User Groups
  __manually      User Master Maintenance: User Groups
               |___Activity                Change, Display
               |___User group in user master main     *
  I login CRYSTAL user directly on your SAP BW server using SAPGUI. It is ok.I don't get any error messages there.
  My SAP entitlement system to BOE as below:
  System is: PTS
  Client: 100
  Application
      Application server: sap-vpmn (with sap-vpmn is hostname BO server)
     System number : 00 (this is value of central instance number)
     Username: crystal
     Password : pythis
  Thanks & Regards
  Duypm