Principal Propagation - User on each system

Hi,
I have a scenario:
WS consumer: JAVA -> PI 7.11 -> provider ERP (ABAP Proxy; ver. 700) where I have to use logon tickets.
If I am to use SOAP adapters do I have to propagate user on SAP PI?
If so, does the user (the same on 3 environments) on SAP PI has to have the same password on SAP PI as on cosumer and provider systems? 
Could you please give me any input/best practice on the scenario?
Thanks!

Hi ,
I don't know much about PP, but was going through the [guide|http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/808d3048-638c-2a10-35a6-faa48e50ad59?quicklink=index&overridelayout=true]
which specifies that this model has weakness with respect to user credentials.(page4).
When application users are propagated to the IS (ABAP proxies only), each application user must be maintained with the corresponding execution
rights in the IS.
I think  you might have  already referred this:)
Regards,
Srinivas

Similar Messages

  • Principal Propagation: User needs to be defined in PI???

    Hi All,
    We have a major SRM implementation using Principal Propagation(PP) for most of the interfaces. We are currently in design state. One of the things that were brought to my attention was that the user to be propagated from Sender needs to be maintained in both PI and Receiver System. As we have about 35000 users(Suppliers/internal Employees) that will be using the SRM funtionality. Does that mean i have to maintain all 35,000 users in PI also???
    Is there any other way that we can implement PP without creating these users in PI??? but create these in Receiver and Sender system only.
    Regards,
    XIer

    Hi ,
    I don't know much about PP, but was going through the [guide|http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/808d3048-638c-2a10-35a6-faa48e50ad59?quicklink=index&overridelayout=true]
    which specifies that this model has weakness with respect to user credentials.(page4).
    When application users are propagated to the IS (ABAP proxies only), each application user must be maintained with the corresponding execution
    rights in the IS.
    I think  you might have  already referred this:)
    Regards,
    Srinivas

  • SSO and Principal Propagation in SUP

    Hi all,
    I am wondering how SSO and Principal Propagation work in SUP.
    Ideally, users should be able to logon on their device application and the same user/pwd should be used to perform backend SAP invocations.
    I have seen that personalization keys exists which can store users/passwords to use later in backend invocations.
    However:
    how can I perform login if my device is offline?
    is the password used for login from device the same as the SAP system's?
    do SUP and SAP have to share the same user engine (i.e. LDAP)?
    Any help or pointers to best practices/manuals are really appreciated
    Thanks, regards
    Vincenzo

    Hi
    how can I perform login if my device is offline?
    Once the device logs into the SUP once every-time thereafter the client app doesn't perform an online authentication.
    The credentials are stored on the device securely and authenticated with the user supplied credentials. When the device is online it will perform the online authentication.
    is the password used for login from device the same as the SAP system's?
    You can have the same credentials on both the systems. The SAP connectivity credentials are however stored in SUP.
    do SUP and SAP have to share the same user engine (i.e. LDAP)?
    Yes currently SUP for development purposes has the openDS ldap service. but in  production we can use the LDAP provider of your company.
    Thanks

  • Avoid principal propagation in RFC_to_File scenario?

    Hi!
    I am facing with the following error in sxmb_moni by retrieving the message from business system A.
    Errror in part Call adapter
    System_Error: Error exception retnr from pipeline processing
    name = "CL_XMS_MAIN_WRITE_MESSAGE_TO_PERSIST"
    I also detected the following additional error text:
    <SAP:AdditionalText>com.sap.aii.af.ra.ms.api.ConfigException: Unauthorized: J2EE AE rejected user. Reason: Principal propagation is not active, but technical IS service user was not used (J2EE_ADMIN).</SAP:AdditionalText>
    <SAP:ApplicationFaultMessage namespace="" /
    The error tell me that the principal propagation is missing.
    Unfortunately I cannot activate principal propagation on Sender system due to ABAP dump error.
    Question:
    Are there some alternative solutions without activating principal propagation?
    If yes hwo can these be realize?
    For example: is it possible to send messages as technical IS server user such as j2ee_admin from sender system without activating principal propagation?
    Any helpful information will be very appreciated.
    Thank you!
    Holger

    HI Holger
    Looking at the error we can see its authorization issue. You can try using user like PISUPER to create and use principal propagation
    Moreover other than this you have to go through normal RFC -> XI -> File procedure where you have different user involved at different services. No other choice
    Thanks
    Gaurav

  • SOAP to SOAP principal propagation with logon tickets

    I have configured a scenario using soap sender to soap receiver with an integrated configuration on PI 7.1. It is synchronous CE 7.11<->PI 7.10<->ECC 6.0. The scenario works with basic authentication. If I enable principal propagation on the sender side it still works fine. Now I have activated principal propagation on the receiver side and I get the following error in the message audit log:
    <p/>
    <pre>
    2010-05-07 09:01:50 Information MP: entering1
    2010-05-07 09:01:50 Information MP: processing local module localejbs/sap.com/com.sap.aii.af.soapadapter/XISOAPAdapterBean
    2010-05-07 09:01:50 <b>Information SOAP: request message entering the adapter with user DAMZOG.JOCHE </b>
    2010-05-07 09:01:50 Information SOAP: request message leaving the adapter (call)
    2010-05-07 09:01:50 Information The application tries to send an XI message synchronously using connection SOAP_http://sap.com/xi/XI/System.
    2010-05-07 09:01:50 Information Trying to put the message into the call queue.
    2010-05-07 09:01:50 Information Message successfully put into the queue.
    2010-05-07 09:01:50 Information The message was successfully retrieved from the call queue.
    2010-05-07 09:01:50 Information The message status was set to DLNG.
    2010-05-07 09:01:50 Information Delivering to channel: SOAP_MRByID_In5_R
    2010-05-07 09:01:50 <b>Information SOAP: request message entering the adapter with user J2EE_GUEST</b>
    2010-05-07 09:01:50 Fehler SOAP: call failed: java.io.IOException: unable to get URLConnection: com.sap.security.core.server.destinations.api.ConfigurationException: [destination_0004] Unable to create URLConnection:No logged in user found.
    2010-05-07 09:01:50 Fehler SOAP: error occured: com.sap.engine.interfaces.messaging.api.exception.MessagingException: java.io.IOException: unable to get URLConnection: com.sap.security.core.server.destinations.api.ConfigurationException: [destination_0004] Unable to create URLConnection:No logged in user found.
    2010-05-07 09:01:50 Fehler Adapter Framework caught exception: java.io.IOException: unable to get URLConnection: com.sap.security.core.server.destinations.api.ConfigurationException: [destination_0004] Unable to create URLConnection:No logged in user found.
    2010-05-07 09:01:50 Fehler The message was successfully transmitted to endpoint com.sap.engine.interfaces.messaging.api.exception.MessagingException: java.io.IOException: unable to get URLConnection: com.sap.security.core.server.destinations.api.ConfigurationException: [destination_0004] Unable to create URLConnection:No logged in user found. using connection SOAP_http://sap.com/xi/XI/System.
    2010-05-07 09:01:50 Fehler The message status was set to FAIL.
    </pre>
    <p/>
    Any ideas what could be wrong?
    Edited by: Jochen Damzog on May 7, 2010 9:02 AM
    Edited by: Jochen Damzog on May 7, 2010 9:06 AM
    Edited by: Jochen Damzog on May 7, 2010 9:22 AM

    The problem was due to the channels being not in the most recent state. A simple restart of the soap sender channel did the job.

  • RFC Adapter Receiver - change SAP User for each call

    Hi guys,
    I need to create one connection between PI and SAP, all right, i can use RFC Adapter Receiver, no problem.
    But, for each call i need to use User and Password different, then, I would pass SAP User and Password in my XML Payload.
    Can anybody help me, please?

    hi,
    >>But, for each call i need to use User and Password different, then, I would pass SAP User and Password in my XML Payload.
    sure we can help you but no in this way:)
    it is possible to change the user for RFC adapter but using
    principal propagation:
    /people/alexander.bundschuh/blog/2007/01/16/principal-propagation-in-sap-xi
    this is the way you need to go and not send password in XML payload
    (this is certainly not the way and no client will approve it)
    why use a password is anyone can see it ?
    Regards,
    Michal Krawczyk

  • Principal Propagation SOAP - XI - RFC Scenario

    Hi,
    I am developing a synchronous scenario whereby a SOAP request posted by a non SAP system should be forwarded to an ECC system using RFC. Challenge I am facing is that I want to use the user, which was used for basic user authentification to post to XI, dynamically in the RFC call. I have been reading about Principal Propagation using assertion tickets, however only SOAP receiver adapter is spoken about. I am trying to configure this using SOAP Sender adapter.
    As far as my understanding goes the sending system should be able to create these assertion tickets ?
    Has anyone developed a similar interface ?
    Scenario is: Non SAP SOAP Sending system = Client, Adapter engine = Server & Client, Integration Server = Server & client and Receiving ABAP system (ECC6.0) is Server.
    Any help would be appreciated and awarded if helpfull.
    Kind Regards, Jelmer Keuken
    Ps. XI is version 7.0 SP18, Alreay read the Blogs of Alexander Bundschuh
    Edited by: J. Keuken on Sep 9, 2009 4:04 PM

    Hi,
    This scenario is definately possible to implement with principal propagation.
    1. Enable the PP on Integration server
    2. Here you need not have to do anything on SOAP sender side to create the assertion ticket..
    The assertion ticket is required on SAP side which will act as Web AS ABAP Server.
    refer the settings --http://help.sap.com/saphelp_nw04/helpdata/en/61/42897de269cf44b35f9395978cc9cb/frameset.htm
    3. And then follow further steps as it mentioned the blogs...
    Thanks
    Swarup

  • Principal propagation

    hi, all.
    i have scenario:
    HTTP <-> XI <-> SAP.
    between HTTP and XI i use http adapter. between XI and SAP i use proxy. i have to propagate useres from HTTP system to SAP system.
    Can I create all needed users in XI, and connect from HTTP to XI using any of this user, but for connecting from XI to SAP can I use principal propagation?

    Hi Mikhail
    <b>refre this Blog for to get details about principal propagation</b>
    <b>Principal Propagation with SAP NetWeaver Process Integration 7.1</b>
    /people/alexander.bundschuh/blog/2007/08/06/principal-propagation-with-sap-netweaver-process-integration-71
    <b>Principal Propagation in SAP XI</b>
    /people/alexander.bundschuh/blog/2007/01/16/principal-propagation-in-sap-xi
    Thanks!!
    Regards
    Abhishek Agrahari

  • Principal Propagation Issue

    Hi,
    We are using PI 7.1 and have a SOAP - XI - ECC(RFC) scenario where we need to use Principal Propagation in order to send the user parameters who has invoked the webservice (using SOAP Adapter) on XI and the same user needs to be propagated to ECC system via RFC call.
    We did all the settings as per the guidelines setup in P.P guide. The issue here is once we enable Single Signon (P.P) on our XI server the local service user created in XI, which is given to Source system for invoking WS on XI stops working.
    In other words we have some other systems also which are sending webservice request to XI but with local service userid/pwd we have provided to them as they do not support Single Sign On. This stops working once we enable Single Sign On in XI. Does it mean at one time only one thing will work, either Service user/pwd or Single sign on user?
    Is there any alternate way of achieving the same? Has anyone used P.P feature? It does not seem to be working at Adapter Level.
    Thanks
    amit

    Dear Amit,
    Either of the one will work either SSO user or Service user . You cant have both working simultaneously. Because your SSO user is nothing but where one system logs on to another system using the user & pwd maintained on host system.
    The way out is to separate SSO user and Service users.
    Also refer https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/bc72b890-0201-0010-3a8d-e31e3e266893
    Rgds
    joel
    Edited by: joel trinidade on Mar 4, 2009 10:30 AM

  • Principal Propagation Issue - J2EE_GUEST being used in some messages

    Hi guys !
            I have the following situation, my customer have a SAP PI 7.1 Ehp 1 and, some interfaces are configured to run under Principal Propagation.
            What is occurring is, for an interface that uses principal propagation and works correctly, the message enters in PI using an authenticated user for principal propagation(for example, USER0001) and this authentication is propagated until the receiver system(eg, SAP ECC), but in some cases, this same interface shows the following behavior: the authenticated user USER0001 send a message, the message starts to be processed in the PI pipeline propagating this user but, when the message will be delivered to RFC Adapter, we receive the following error:
    Adapter Framework caught exception: failed to generate ClientPoolcom.sap.aii.adapter.rfc.RfcAdapterException: error initializing RfcClientPool:com.sap.aii.adapter.rfc.afcommunication.RfcAFWException: could not create JCO Pool com.sap.aii.adapter.rfc.afcommunication.RfcAFWException: could not get JCOProperties com.sap.security.core.server.destinations.api.DestinationException: [_DestinationServiceAuthorization1004] User-based destination service access denied to principal J2EE_GUEST. Assign the UME action Destination_Service_Write_Permission if the user should have the permission to save, update or remove destinations. The action is available already to the Administrator role.
          And after one message stop with the error above, any message of any interface using principal propagation starts to show the following error, that is only solved running a full cache refresh:
    Delivering the message to the application using connection RFC_http://sap.com/xi/XI/System failed, due to: com.sap.engine.interfaces.messaging.api.exception.MessagingException: com.sap.aii.adapter.rfc.afcommunication.RfcAFWException: error while processing message to remote system:com.sap.aii.adapter.rfc.core.client.RfcClientException: could not get functiontemplate from repository: com.sap.mw.jco.JCO$Exception: (106) JCO_ERROR_RESOURCE: Repository pool 'RfcRepository[RfcClient[RFCReceiverAutoCommit_ECC]]f0264787314535c0a27cf29d108f5860' does not exist or was removed..
          The question is, why do PI pipeline is trying to use J2EE_GUEST in some task for an interface configured to use Principal Propagation ? Why this occurs in some cases and not in anothers(for the same interface) ? Why the cache is being lost ?? And of course, how can I solve this annoyng situation ?
          All configurations needed to run Principal Propagation was done according the help.sap.com documentation(http://help.sap.com/saphelp_nwpi711/helpdata/en/48/a9bbb97e28674be10000000a421937/content.htm), and as I said, it works in most cases. All messages are sent using SOAP Adapter for the Sender System, and RFC Adapter for the receiver, and there are synchronous and asynchronous interfaces. Basically the interfaces that only read data from SAP, does not use principal propagation and, the ones that create/update/delete data in SAP, uses principal propagation.
          Somebody already saw something like this ?
          Thank you in advance, and best regards,
          Wilson

    Hi guys !
    I have continued with some tests in environment trying to understand what
    is happening and, I did the following, as the first error mentioned is
    "User-based destination service
    access denied to principal J2EE_GUEST. Assign the UME action
    Destination_Service_Write_Permission if the user should have the
    permission to save, update or remove destinations", I entered on UME Admin,
    created a new Role named J2EE_GUEST_ROLE, assigned the UME Action
    Destination_Service_Write_Permission to it, and assigned this new role to
    the user J2EE_GUEST, and ran new tests.
    After some executions, one message stopped with this error:
    Adapter Framework caught exception: error while processing message to
    remote system:com.sap.aii.adapter.rfc.core.client.RfcClientException:
    could not get a client from JCO.Pool: com.sap.mw.jco.JCO$Exception: (101)
    RFC_ERROR_PROGRAM: 'user' missing
    I have observed that, in all messages that stops in error, we have the
    following line in Audit Log:
    Processing child message of multi-message with message Id
    000c2936-6a89-1ed0-aebe-c262ae7d412e.
    And this interface doesn´t have multi-message to be processed, is a
    single message only.
    I checked on configuration and see that the interface determinations for all interfaces has the flag "Maintain order at runtime", what is usefull basically when a Interface Determination has more than one interface,
    what is not my case, so I will unmark this flag in all interfaces and run
    new tests trying to identify if this solves the problem.
    Any idea for this annoyng issue ?
    Thank you and regards !

  • Principal propagation question

    Hi All,
    We currently have a synchronous scenario:  SOAP -> PI 7.0 -> ABAP Proxy
    We now have a requirement that for the above scenario, the sender system (which does not
    know the password of its logged in user, only the userid), does its SOAP call to PI and PI
    invokes the ABAP Proxy system with the credentials of the user in the sender system.
    Can we use principal propagation for this?  Please correct me if I'm wrong but I see an issue
    with the sender system not knowing the password of its logged in user and therefore issuing
    a SOAP call to PI for that user.  Wouldn't authentication to PI fail without a userid/password
    via SOAP?
    Also, we are moving to PI 7.1.  If I am correct with the above statement, is there a way to
    achieve this requirement perhaps with the WS/SAML new feature?  Aologies but I have read
    countless documents on sdn on principal propagation and the new WS/SAML feature and I'm
    still not sure if it will do what I require.
    Any suggestions as to how I could achieve the scenario would be greatly appreciated.
    Regards,
    JM

    I see an issue with the sender system not knowing the password of its logged in user
    For using Principal Propagation, the user must be created at sender as well as receiver system.
    Does enabling principal propagation mean no passwords are needed to issue a SOAP call to PI and onward to the ABAP proxy?
    Incorrect. It just means that same user would be propagated to all the communicating systems using something called as Assertion Ticket.
    While using Assertion tickets to communicate, a trust relationship is established between various systems. For this an SAP client is associated and in the keystore the certificate should be imported for digital signature. So the authentication is certificate based.
    Regards,
    Prateek

  • Propagating user credentials to Web Services in WebLogic 6.1

    Hi All,
    Does anybody provide me some information about propagating client
    credentials to the Web Service. Agree with documentation I have tried as in
    code below, but it doesn't work. On a server i still have a guest user.
    Thanks in advance for any help.
    Properties h = new Properties();
    h.put(Context.INITIAL_CONTEXT_FACTORY,
    "weblogic.soap.http.SoapInitialContextFactory");
    h.put("weblogic.soap.wsdl.interface",
    RaServices.class.getName() );
    h.put(Context.SECURITY_AUTHENTICATION,"simple");
    h.put(Context.SECURITY_PRINCIPAL,"user");
    h.put(Context.SECURITY_CREDENTIALS,"password");
    Context context = new InitialContext(h);

    Hi Jerzy,
    Were you actually able to achieve what you wanted? I'm not exactly sure, because
    you said "it began to work", but you also said I "wasted much of your time". If
    you still are not satisfied, I'm sure the folks in our tech support area can help
    you.
    Regards,
    Mike Wooten
    "Jerzy Nawrot" <[email protected]> wrote:
    Hi Mike,
    Thank you for comprehensive explanation how to resolve my problem. I
    have
    done all work exactly
    as you wrote and then it began to work, both for static and dynamic
    client.
    As is written in WebLogic documentation
    I only restricted access to the stateless session bean that implements
    my
    Web Service, not the SOAP servlet.
    It seams that in this case user credentials are not propagated from servlet
    to ejb.
    Thanks once again you wasted much time for me.
    Regards ,
    Jerzy Nawrot
    "Michael Wooten" <[email protected]> wrote in message
    news:[email protected]...
    Hi Jerzy,
    This does indeed work, because I just verified it. Let's go througheverything
    to make sure you have all the pieces.
    1. You need client code that looks something like
    proxy.setUserName(userName);
    proxy.setPassword(password);
    where "userName" has been assigned the value of the user and "password"is
    a clear-text
    representation of their password.
    2. You need to use the Admin console to add the user to the system.I add
    mlwooten
    as a user, and employees as a group. Then I put mlwooten in the employeesgroup.
    3. The web.xml file for your web service should contain lines similarto
    this:
    <security-constraint>
    <web-resource-collection>
    <web-resource-name>PhoneBookService</web-resource-name>
    <url-pattern>/examples/webservices/security/PhoneBookService</url-pattern>
    </web-resource-collection>
    <auth-constraint>
    <role-name>AuthorizedUsers</role-name>
    </auth-constraint>
    <user-data-constraint>
    <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
    </security-constraint>
    <login-config>
    <auth-method>BASIC</auth-method>
    </login-config>
    <security-role>
    <role-name>AuthorizedUsers</role-name>
    </security-role>
    4. The weblogic.xml for your web service should look something like:
    <weblogic-web-app>
    <security-role-assignment>
    <role-name>AuthorizedUsers</role-name>
    <principal-name>employees</principal-name>
    </security-role-assignment>
    <reference-descriptor>
    <ejb-reference-description>
    <ejb-ref-name>examples.webservices.security.PhoneBookService</ejb-ref-name>
    <jndi-name>examples.webservices.security.PhoneBookService</jndi-name>
    </ejb-reference-description>
    </reference-descriptor>
    </weblogic-web-app>
    6. That's all I did to get it to work.
    NOTE: wsgen does not add the stuff in 4 and 5, above. You must addit
    manually.
    Regards,
    Mike Wooten
    "Jerzy Nawrot" <[email protected]> wrote:
    Hi Michael,
    Thanks for your advice.
    The way you have proposed I've tested earlier and unfortunately this
    method
    does'nt work properly too.
    It seams that session bean used as a Web Service knows nothing about
    user
    credentials passed from a client aplication.
    Maybe, there is a bug in servlet
    weblogic.soap.server.servlet.StatelessBeanAdapter wchich does'nt
    propagate
    credentials to a session bean implementing a Web Service, or some
    configuration tasks are required on the WebLogic Web Server Components
    Jerzy Nawrot
    "Michael Wooten" <[email protected]> wrote in message
    news:[email protected]...
    Hi Jerzy,
    You must do this through the WebServiceProxy object. The methods
    you
    want
    are:
    setUserName(String userName);
    setPassword(String password);
    The internals of WebServiceProxy will Base64 encode the password
    before
    it
    invokes
    the target web service.
    Regards,
    Mike Wooten
    "Jerzy Nawrot" <[email protected]> wrote:
    Hi All,
    Does anybody provide me some information about propagating client
    credentials to the Web Service. Agree with documentation I have
    tried
    as in
    code below, but it doesn't work. On a server i still have a guestuser.
    Thanks in advance for any help.
    Properties h = new Properties();
    h.put(Context.INITIAL_CONTEXT_FACTORY,
    "weblogic.soap.http.SoapInitialContextFactory");
    h.put("weblogic.soap.wsdl.interface",
    RaServices.class.getName() );
    h.put(Context.SECURITY_AUTHENTICATION,"simple");
    h.put(Context.SECURITY_PRINCIPAL,"user");
    h.put(Context.SECURITY_CREDENTIALS,"password");
    Context context = new InitialContext(h);

  • "Ticket authentication failed" error in Principal Propagation scenario

    Hi All,
    I am working on Principal Propagation, where the scenario is sync RFC-PI-RFC. I have followed all steps mentioned in the below blog. When I execute the scenario (with Principal propagation box checked in the sender agreement) I get dump while executing the RFC from sender system. The dump is:
    "Ticket authentication failed"
    Scenario works fine if I don't check Principal propagation check box in the sender agreement.
    Principal Propagation blog: /people/alexander.bundschuh/blog/2007/01/16/principal-propagation-in-sap-xi
    Can anyone suggest what can be the reason for this dump?
    Thanks,
    Shweta.

    Hi All,
    Any inputs on this?
    Thanks,
    Shweta.

  • Error while configuring Principal Propagation

    Hi,
    I am trying to configure Principal Propagation for a Proxy -> PI -> RFC, sync scenario. I am working on PI 7.1 SP6 and when i am trying to configure the "Configuration Adapter" in JAVA stack i am not able to find the following config. properties:
    1.) login.ticket_keyalias = SAPLogonTicketKeypair.
    2.) login.ticket_keystore = TicketKeystore.
    I have checked in both NWA of PI 7.1 as well as the basis guys have checked the config. tool of the local server.
    Rest all the configuration have been done but i am getting the following error in the response message of the moni -
    "  com.sap.engine.interfaces.messaging.api.exception.MessagingException: com.sap.aii.adapter.rfc.afcommunication.RfcAFWException: error while processing message to remote system:com.sap.aii.adapter.rfc.core.client.RfcClientException: could not get a client from JCO.Pool: com.sap.mw.jco.JCO$Exception: (103) RFC_ERROR_LOGON_FAILURE: Issuer of SSO ticket is not authorized "
    Please help.
    Thanks!!!

    Hi,
    Plz check below parameters at R/3 side and set value as mentioned below.
    login/accept_sso2_ticket=1
    login/create_sso2_ticket=2
    then test Jco's.

  • Sql Server 2012 Login Failed for user "NT Authority\System"

    I have installed SQL Server on a new server. I have been getting the following error on each of the database in it.
    Login failed for user 'NT AUTHORITY\SYSTEM'. Reason: Failed to open the explicitly specified database 'ABC'. [CLIENT: xxx.xxx.xxx.xxx]
    Here is some information on the instance:
    1) Default instance
    2) SQL Server, Sql Server Agent, Sql Server Reporting services are running / log on using a domain service account.
    3) Sql Server Browser is disabled.
    4) SQL Server VSS Writer is running / log on as Local Service.
    5) NT AUTHORITY\SYSTEM does exists in Login with just public server roles.
    I ran a trace on login failed and I get:
    ApplicationName: Microsoft Windows Script Host
    and it runs every 15 minutes.
    Help please?

    Hi,
    The error was thrown when the SCOM components connected to the backend SCOM databases.
     You can specify a domain account, grant it the sysadmin role and the error should be gone.
    Also, see the replies in your previous thread:
    http://social.technet.microsoft.com/Forums/en-US/23f6b6cb-ec41-4117-8613-26d24c948827/login-failed-for-user-username-reason-failed-to-open-the-explicitly-specified-database
    Thanks.
    Tracy Cai
    TechNet Community Support

Maybe you are looking for