J2EE_ADMIN user getting locked frequently

Similar Messages

• User in CTSDEPLOY RFC getting locked frequently

  Hello All,
  We have been observing that the user in RFC destination CTSDEPLOY getting locked frequently whenever we transport a rerquest from development to quality in our PI system. The transport would go fine, if we unlock that user. The user we are maintaining in CTSDEPLOY is J2EE_ADMIN. When we test the RFC in our quality system, it works fine. But only when we transport to quality, it is getting locked.
  Please help us resolving this. We dont have RFC destination with name CTSDEPLOY in our PI development system. Do we need to have RFC destination there too.
  Awaiting your inputs.
  Regards,
  Ram.

  Hi,
  >>>We dont have RFC destination with name CTSDEPLOY in our PI development system. Do we need to have RFC destination there too.
  no need for that in DEV
  does your RFC Destination for Java to ABAP Connectivity work in DEV ?
  destination -> sap.com/com.sap.tc.di.CTSserver under
  Configuration Management - Infrastructure - Destinations.
  Regards,
  Michal Krawczyk

• Impact of J2EE_ADMIN / Administrator user getting locked

  Hi,
  What is the impact of J2EE_ADMIN / Administrator user getting locked in abap / java engines?  Will it effect startup of java server processes or java applications?  What are the other implications?
  Thanks,
  Abdul

  Hi Abdul,
  if the J2EE_ADMIN or Administrator user is locked then
  1. you cannot login to Visual Admin unless you define some other user with same authorization.
  2. any Jco-RFC using this user won't work.
  3. if you don't have any other user, you will have to activate SAP* user to unlock this user.
  Thanks,
  Sandeep

• MII UserID gets locked frequently

  Hi
          I have created a MII user through which PI post messages to MII MesageListener. This user is getting locked frequently so PI fails to post the messages. Can anyone tell me why the userID gets locked frequently? I am using MII version 12.1.6
  Thanks in advance
  Shaji

  In cases that I have seen, it is usually some job folks forgot about that did not get the password updated when it changed.  A scheduled job is frequently the problem, but not always as I have seen message listener jobs which were causing the problems or even webpage invoked transactions.
  Good luck,
  Mike

• User account locking frequently

  Hi all,
  I have a application user account in my db. And this account is getting locked frequently.
  I checked dba_audit_session for invalid login attempts but nothing was there. Other users invalid login attempts was there in dba_audit_session.
  Is there anyway to trace this.
  Please help me in resolving this issue.
  Thanks in advance.
  Prem

  audit create session by appln whenever not successful;HTH
  Enrique
  PS. Check the value of the audit_trail parameter just to verify that audit is actually enabled. You can verify the connection attempts with:
  select * from dba_audit_trail where username = 'APPLN';Edited by: Enrique Orbegozo on Oct 16, 2008 9:05 AM

• User gets locked by an external system but which one?

  Hi,
  In an abap system, we have changed the password of our administration user. Afterwards, this user gets locked every 5 minutes, obviously because the user and old password has been used to set up communication from another system to the abap system. An RFC connection for instance or whatever. Sure it is possible to check all the systems you can think of to see if the user has been used for such a purpose. But how can you see in the system itself where the call comes from that locks it? I have tried the gateway tracefile but without success. Any suggestions?
  Regards,
  GK

  Hello,
  I would try transaction STAD.
  There you should find entries of type RFC with your user.
  If you double-click on the line, you get the details. Click on the RFC button.
                                as Client             as Server
  No. of targets                   0                     1
  Click on the highlighted 1 under "as server".
  You should get the needed info : the remote destination
  Target         TEST_DEV
  User ID        TESTOC
  RFC Caller     OCHRETIE
  Local  destin. bt1suk17v1_DEV_02                IP address xx.xx.xx.xx
  Remote destin. bt1suk16v1_DXI_68                IP address yy.yy.yy.yy
  Hope this helps
  Olivier

• User gets locked in lesser attempts than security policy setting

  Hi
  I have written my customized login code to login a user to the
  portal and I user the following code:
  IUser myUser = UMFactory.getUserFactory().getUserByLogonAlias(username, null);
  IUserAccountFactory accountFactory = UMFactory.getUserAccountFactory();
  IUserAccount account = accountFactory.getUserAccountByLogonId(myUser.getUniqueName());
  ILogonAuthentication ILA = UMFactory.getLogonAuthenticator();
  req.setAttribute(JUSER,myUser.getUniqueName());
  req.setAttribute(JPASSWORD,password);
  ILA.logon(req,res,AUTHSCHDEFAULT);     
  I notice that whenever I try to logon using my code with a
  wrong password, the user gets locked in 3 attemps even though the security policy
  (at ABAP and in Portal UME Configuration) setting for number of failed attempts is set to 5.
  (Although, please note that my code works fine logging the
  user into the portal when he enters the correct password)
  I try to check if the same thing happens with the standard logon module - com.sap.portals.runtime.logon,
  and notice that it locks correctly after 5 attempts.
  Would I have to add anything else in my code to make it work
  correctly?
  Thanks
  oj

  Hi All
  I tried to check in the CUA table the incorrect logon attempts value, and noticed that for every time I login (using my above code) with the wrong password, it increments the count by 2!! And that's the reason it gets locked out by the third time.
  What am I doing wrong?
  Thanks
  OJ

• SAP BW User getting locked by BO RFC calls

  Hi,
  we are encountering a problem with BO RFC calls locking SAP BW users that recently changed their password in BW.
  Description of the problem in the ticket we raised at the SAP support:
  SAP BO 4.1 SP2 Patch 4, linux installation
  Backend: SAP BW 7.01 EHP8
  BICS interface with SAP authentication
  One of our users gets locked again and again in SAP BW (P19). The cause is a RFC connection that the BusinessObjects server (P59) tries to establish. The user used SAP BO last Friday for the last time and had to change his password in P19 this Tuesday. We think that there is some
  process within SAP BO still trying to connect to SAP BW from time to time, using the old password. There is no open session visible for that user in the CMC. User is even getting locked when not in the office and during night time. RFC calls are established almost regualary every hour.
  We already had this behaviour in our test-system. Restarting the BO-Server solved it. However, this is not the solution we want to use
  in the productive environment. There has to be some way to kill the process that uses the old password on the BO server without restarting
  the whole server. We do not understand why BO would still try to connect to BW with the old password - this has to be some kind of a bug.
  Meanwhile the error disappeared for the first user (some days after it started, maybe the BO process ran into a timeout). However, other users started having the same behaviour after changing their password.
  Our basis team tried to check the log files for advanced information on the conversations between BO and BW, but did not find any hints on which BO process might try to establish the connections.
  The SAP support seems to be a little helpless at the moment...
  Has anyone had similar problems?
  Regards,
  Robert

  Hi again,
  additional information: after approximately one week after the error appeared for the first time BO stops trying to establish the rfc connection for this specific user. Almost as if the "old-password-BO-process" ran into a 1 week timeout or something like that.
  The problem is really strange. The SAP support is still not able to tell us how the gather the information they require.
  Regards,
  Robert

• The user id "sa" is getting locked frequently in SQL server 2008 R2

  Hi Team, 
  We have SQL server 2008 R2 machine and recently i'm getting issue with the user id "sa" as its getting locked out. I;m not sure with the reason caused with this. I need to login to the SQLserver with windows authentication and manually unlock
  the "sa" account and its happening frequently.
  Let me know how to fix this?
  Regards,
  Guru 

  Might be the SA account either using by any application team or any job have been configured to use it, since you are saying that its getting locked out then it someone or application or apps jobs performing with Mulitple incorrect login attempts with incorrect
  password try(since if check_expiration enabled it it can lockout based on the windows password policy, so you can check in the SQL errorlog when was the last login succeeded and from when the incorrect attempts tried & finally it gets locked out(so here
  you will have from which host it was trying)).
  So talk to the application team, did anyone recently changed the SA password or some one misusing or configured to any applications .
  If nothing works then perform the  SQL server side trace to track it or trigger can help
  Thanks, Rama Udaya.K (http://rama38udaya.wordpress.com) ---------------------------------------- Please remember to mark the replies as answers if they help and UN-mark them if they provide no help,Vote if they gives you information.

• User Account getting locked frequently...

  An User account which the developers are using is getting locked very frequently when they run some applications. They say they are giving the right password and username within the application. What should one be looking for? I am fed up by unlocking the account using ALTER USER username ACCOUNT UNLOCK;

  I have also faced such kind of problems. Most of the developers forget how the application connects. they might have hard coded it or some time using a wrong parameter files.
  Need to check who are all the users and how they are connecting and how the application is connecting to the database.
  If there are more users then enable audit. Auditing will be the only solution.

• Oracle user account is getting locked frequently

  Hi everyone!!!
  I am using Oracle 11g on Linux . I have user named "XXX" to whom I have assigned a DEFAULT profile. The Password parameters in DEFAULT profile are as follow.
  Resource Name                                      Resource                                 Limit
  FAILED_LOGIN_ATTEMPTS                    PASSWORD                            20
  PASSWORD_LIFE_TIME                        PASSWORD                            UNLIMITED
  PASSWORD_LOCK_TIME                      PASSWORD                           UNLIMITED
  PASSWORD_REUSE_TIME                   PASSWORD                            UNLIMITED
  PASSWORD_REUSE_MAX                   PASSWORD                             UNLIMITED
  I don't know why my user is getting locked continuously. Even i haven't reached Failed_login_attempts (20). Each time I require to unlock user account as SYS user and then I can connect as XXX user.
  And another thing that I want to know is when user account's status is set to LOCKED, EXPIRED, EXPIRED & LOCKED and LOCKED(TIME).
  Thanks & Regards
  Tushar Lapani

  Hi,
  can you tell me the exact db version?
  As explained in MOS notes:
  DBA_USERS.ACCOUNT_STATUS shows LOCKED after FAILED_LOGIN_ATTEMPTS Is Breached (Doc ID 284344.1)
  How to Interpret the ACCOUNT_STATUS Column in DBA_USERS (Doc ID 260111.1)
  Expected behaviour is:
  1. Oracle release is <= 11.1.0.7.
  DBA_USERS.ACCOUNT_STATUS = LOCKED(TIMED) whenever the number of failed login attempts is > FAILED_LOGIN_ATTEMPTS
  2. Oracle release is >= 11.2 and PASSWORD_LOCK_TIME = unlimited:
  DBA_USERS.ACCOUNT_STATUS = LOCKED whenever the number of failed login attempts is > FAILED_LOGIN_ATTEMPTS
  3. Oracle release is >= 11.2 and PASSWORD_LOCK_TIME = <some fix value>
  DBA_USERS.ACCOUNT_STATUS = LOCKED(TIMED) whenever the number of failed login attempts is > FAILED_LOGIN_ATTEMPTS
  Note
  that 10.2.0.5 displays the same behavior as 11.2, because the fix that  changed the behavior in 11.2 was introduced in 10.2.0.5.
  So I suggest you to follow MOS note
  Finding the source of failed login attempts. (Doc ID 352389.1)
  to find who locked the account.
  Ombretta

• J2ee_admin keeps getting locked

  Hi,
  I changed the j2ee_admin password in both the secure storage of Java AS and in ABAP. Our SLD connection also seemed to use the j2ee_admin user in tx SLDAPICUST which I also changed but still it gets locked each time! SAPJSF user reports the locked j2ee_admin account in the syslog after awhile when unlocking it.
  Where else could j2ee_admin be possibly being used where I still need to change the password ? ..or any other log files on Java AS that could tell me of errors or give me more info ?
  Thanks!
  Regards,
  Nelis
  Sorry, not sure if this is the right place to post this question.

  Hello Neil,
  When you log into R/3 and go to transaction SU01 does the j2ee_admin user show up "locked"?    In addition to changing the password did you remember to unlock the user.  Also, you might try changing the user type from dialog to system in su01.  If you have a security policy that requires the password to be changed at first logon or after a period of time, this could cause the logon failures.  Changing the user type to system or communication type will avoid the forced password changes for j2ee_admin.
  If the issue continues to occur you should check the ./cluster/server#/log/defaultTrace.#.trc for exceptions regarding the j2ee_admin user.  Another useful log is the ./cluster/server#/log/system/security.#.log which will show details more specific to the security provider.
  Regards,
  Nathan

• User getting locked while sending message sync via BPM. Please help

  Hi Experts,
     I have a sync - sync scenario where I am sending data synchronously from webservice to a sync RFC FM. I am using BPM and in BPM I have three steps
  1. Receive step - Opens Sync-Async Bridge
  2. Sync Send step
  3. Send step - Closes SYnc-Async bridge.
  This BPM solution is same as that give in the blog https://www.sdn.sap.com/irj/sdn/weblogs?blog=/pub/wlg/1403 [original link is broken] [original link is broken] [original link is broken]
  When I test this scenario I am getting
  <SAP:Error xmlns:SAP="http://sap.com/xi/XI/Message/30" xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/" SOAP:mustUnderstand="1">
  <SAP:Category>XIServer</SAP:Category>
  <SAP:Code area="INTERNAL">PL_TIMEOUT</SAP:Code>
  <SAP:P1 />
  <SAP:P2 />
  <SAP:P3 />
  <SAP:P4 />
  <SAP:AdditionalText />
  <SAP:ApplicationFaultMessage namespace="" />
  <SAP:Stack>Timeout condition of pipeline reached</SAP:Stack>
  <SAP:Retry>N</SAP:Retry>
  </SAP:Error>
  When I check the "Status monitor for Sync/Async communication" via SXMB_MONI, I found that my message is listed there with BPE status = "Wait".
  On double clicking my message I found that there is an error " User is locked. Please notify the person responsible".
  Why is my BPE struck in "Wait" stage and user is locked?
  What am I doing wrong? Am I missing any settings in SOAP sender communication channel?
  Please help me in resolving this problem.
  Regards
  Gopal

  Hi,
  Few months ago we had also problems with "locked user" in XI, in our case XIAPPLUSER was sometimes (b)locked.
  Perhaps note:
  721548 Changing the passwords of the XI 3.0 service users
  will help you.
  We removed and entered the service users again, with the password in CAPITALS and language blank.
  After that our problem was solved, I hope yours too.
  Regards
  Jack

• CUA SU10 issue with users getting locked

  I did some role change using SU10 on CUA central system for 200 users. 45 of the users got locked with global admin lock in the child system for which I made the role changes.  These user locks are shown in the child system change documents log as changes by the CUA RFC user. I have this problem everytime I use su10. Why does this happen?  What can I do about it? Thanks, KT

  Hi Todd,
  propably you have some inconsistencies in your landscape....
  the cause of such 'unwanted' effects is the fact that if you change a user in your CUA central system, the whole user information is picked, then edited with you changes and afterwards distributed to all child systems.
  So what I could imagine in your example is as follows:
  User has a global lock in central system already, the particular child system did not have that information (user is still unlocked there). Several causes are possible, for instance the lock idoc did not get processed, Child system was not available/connected to CUA when the lock had been set,......).
  At the next update of that user (assign a role), the lock information from the central system is pushed to that child.
  Why?
  Because the design is to assure data consistency between central and child system. Therefore all the user information from central system is pushed to child at any user change. (that is also why you will see in SCUL 3 idocs for each user change (also user and profile idocs are pushed, even if you have changed the role assignement only).
  So what you could check is, if that users got the lock flag (128) already in the past somewhen.
  b.rgds, Bernhard

• SLD User gets locked; four unsuccessful logons every 15 minutes

  I have a landscape with a PI with the SLD on it. I defined a user with the name SLDUSER and the appropriate authorizations. The PI is a Unicode system, like all systems in the landscape.
  There were already some application servers (CRM, Banking Services, Composition Environment) connecting to this SLD and everything went fine.
  Now I added another application server, an ERP, for FI-CAx (NW 7.02). As the business partners are distributed via XI through the PI system, the ERP needs to connect to the SLD, too.
  I set it up as usual:
  - sldapicust: host, port, SLDUSER, password. (What is weird is that there is no test button as in all the other systems ... maybe that depends on the installed EhPs.)
  - This generated the destinations (type T = TCP/IP) SLD_UC and SLD_NUC automatically.
  - I created destinations SAPSLDAPI and LCRSAPRFC manually in sm59, type T = TCP/IP, set them to Unicode, entered the same (two different) Registered Server Programs that are used in these destinations on all the other servers (CRM, PI, BaS).
  - I ran rz70, entered the host and gateway, activated, executed the data collection.
  SLDCHECK runs successfully on the ERP system!
  The technical system for the BS1 showed up in the SLD as expected.
  - I configured the clients / business systems on the SLD.
  Now begins the problem. The SLDUSER is now getting locked all the time! It's definitely the ERP system causing it - when I prevent it from accessing the PI (by changing the hosts file on the operating system), the problem stops.
  I activated everything critical related to logons and RFCs in sm19 and looked at the logs in sm20. This is what it looks like:
  17.08.2011     19:40:04     BNK_RFC     ilbnkpi1          SAPMSSY1     Password check failed for user SLDUSER in client 001
  17.08.2011     19:40:04     BNK_RFC     ilbnkpi1          SAPMSSY1     Logon Failed (Reason = 1, Type = U)
  17.08.2011     19:40:04     BNK_RFC     ilbnkpi1          SAPMSSY1     Password check failed for user SLDUSER in client 001
  17.08.2011     19:40:04     BNK_RFC     ilbnkpi1          SAPMSSY1     Logon Failed (Reason = 1, Type = U)
  17.08.2011     19:40:04     BNK_RFC     ilbnkpi1          SAPMSSY1     Password check failed for user SLDUSER in client 001
  17.08.2011     19:40:04     BNK_RFC     ilbnkpi1          SAPMSSY1     Logon Failed (Reason = 1, Type = U)
  17.08.2011     19:40:04     BNK_RFC     ilbnkpi1          SAPMSSY1     Password check failed for user SLDUSER in client 001
  17.08.2011     19:40:04     BNK_RFC     ilbnkpi1          SAPMSSY1     Logon Failed (Reason = 1, Type = U)
  17.08.2011     19:55:04     BNK_RFC     ilbnkpi1          SAPMSSY1     Password check failed for user SLDUSER in client 001
  17.08.2011     19:55:04     BNK_RFC     ilbnkpi1          SAPMSSY1     User SLDUSER Locked in Client 001 After Erroneous Password Checks
  17.08.2011     19:55:04     BNK_RFC     ilbnkpi1          SAPMSSY1     Logon Failed (Reason = 1, Type = U)
  17.08.2011     19:55:04     BNK_RFC     ilbnkpi1          SAPMSSY1     Logon Failed (Reason = 53, Type = U)
  17.08.2011     19:55:05     BNK_RFC     ilbnkpi1          SAPMSSY1     Logon Failed (Reason = 53, Type = U)
  17.08.2011     19:55:05     BNK_RFC     ilbnkpi1          SAPMSSY1     Logon Failed (Reason = 53, Type = U)
  And it goes on like this. So what happens is this: Every 15 minutes, at :10, :25, :40, :55, there are four unsuccessful logons with SLDUSER. With the fifth logon it gets locked.
  Again:
  - This stops when I make the PI inaccessible to the ERP.
  - SLDCHECK still works completely fine in ERP - until the SLDUSER is locked, of course; then it stops working in all connected systems. It does not result in unsuccessful logons on the PI.
  - When I run rz70 on the ERP and run the data collection this also reports success and does not create unsuccessful logons on the PI.
  - I have not used the SLDUSER in any other locations besides sldapicust.
  So what the hell is wrong with this system?!

  I have created a separate user SLDUSER_ER1 just for use in the sldapicust in the new ERP system that causes the problem. Still SLDUSER is getting locked (not SLDUSER_ER1)!
  I powered down this ERP system ER1, just to make absolutely sure it is causing the problem - indeed the unsuccessful logon attempts every 15 minutes stopped right away.
  As a workaround and for narrowing down the problem I have created separate users SLDUSER_CR1 etc. for each of the other systems in the landscape (CRM and so on) - indeed those do not get any unsuccessful logon attempts.
  I have deleted all four SLD-related destinations in ER1 and recreated them from scratch (SLD_NUC and SLD_UC being generated when running rz70). I also used the "delete all batch jobs" button in rz70.
  Still, SLDUSER is getting locked.
  I checked on the PI system in C:\usr\sap\PI1\DVEBMGS00\j2ee\cluster\server0\log\system\httpaccess\responses_00.0.trc and see it is indeed the IP of the ERP system that gets the error 401 exactly at the times when the unsuccessful logon attempts occur:
  [Oct 2, 2011 2:46:06 PM   ] - 10.26.83.234 : POST /sld/cimom HTTP/1.1 401 1499 [140]
  [Oct 2, 2011 2:46:06 PM   ] - 10.26.83.234 : POST /sld/cimom HTTP/1.1 401 1499 [79]
  [Oct 2, 2011 2:46:06 PM   ] - 10.26.83.234 : POST /sld/cimom HTTP/1.1 401 1499 [62]
  [Oct 2, 2011 2:46:06 PM   ] - 10.26.83.234 : POST /sld/cimom HTTP/1.1 401 1499 [47]
  As the ERP has no Java instance and the sldapicust does not contain the SLDUSER (but the new SLDUSER_ER1) it is a mystery to me what it is that is still running every 15 minutes in the ERP and tries to use SLDUSER.
  I went through the entries in SECSTORE and could not find any use of SLDUSER (only of SLDUSER_ER1, as it should be).
  Edited by: Monika Eggers on Oct 2, 2011 3:08 PM