Reg: webservice - authority check failed
Hi friends,
I have created a Webservice for FM BAPI_COMPANYCODE_GETLIST. After creating it I tested it and found this error:
"An error has occurred. Maybe the request is not accepted by the server : Authority check failed "
What are the necessary authority checks that have to be done?
Thanks & Regards
suman
Hi,
Which WAS should it be the I configured. The ESA or our own?
I have configured our own WAS as described in the tutorial. Here I tried to set up the username and password and I was able to send the request.
But I'm just accessing the test system and it is there I get the error.
Similar Messages
-
I have created a Web Service for a Function Module in ECC 5.0. I was able to generate the proxy using SE37--> Web Wizard. I can see the Web Service in WSADMIN, WSCONFIG, SICF.
I am using the WSADMIN and Test Tool to generate a request for testing the proxy hosted on my ECC 5.0 system. I am finding this particular error relating to authorization. We have granted most of the authorizations. Any clue on how to resolve?
Request Object
POST /sap/bc/srt/rfc/sap/ZWS_CONCATENATE_STRING?sap-client=100 HTTP/1.1
Host: sapdbs.foxboro.com:8000
Content-Type: text/xml; charset=UTF-8
Connection: close
Authorization: <value is hidden>
Content-Length: 559
SOAPAction: ""
<?xml version="1.0" encoding="UTF-8" ?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema"><SOAP-ENV:Header><sapsess:Session xmlns:sapsess="http://www.sap.com/webas/630/soap/features/session/"><enableSession>true</enableSession></sapsess:Session></SOAP-ENV:Header><SOAP-ENV:Body><ns1:Ztest4 xmlns:ns1='urn:sap-com:document:sap:soap:functions:mc-style'><Par1>str1</Par1><Par2>str2</Par2></ns1:Ztest4></SOAP-ENV:Body></SOAP-ENV:Envelope>
Response Object
HTTP/1.1 500 Internal Server Error
Set-Cookie: <value is hidden>
content-type: text/xml; charset=utf-8
content-length: 363
sap-srt_id: 20091117/102452/v1.00_final_6.40/4B02B94392E30041000000000A9BAC6E
server: SAP Web Application Server (1.0;640)
<soap-env:Envelope xmlns:soap-env="http://schemas.xmlsoap.org/soap/envelope/"><soap-env:Body><soap-env:Fault><faultcode xmlns:n0="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">n0:FailedAuthentication</faultcode><faultstring xml:lang="e">Authority check failed</faultstring></soap-env:Fault></soap-env:Body></soap-env:Envelope>
Thanks.
Hi,
This means your userid/password don't have sufficient authorization.
Do the following:
- Grant the following authorization using SU01: *WEBSERVICE* (search for all roles with webservice)
- If the above doesn't work then check if your user exists in the Visual Admin secure store (Java side). Usually the Visual Admin secure store points to the ABAP client for user sync, but it is possible it is not configured to the right client (instead pointing to client 001).
- Check the service with a third-party tool like SOAP UI (provide your userid/password as well) - if it is working from here then it means you have a problem with the userid on the Java side (use Visual Admin to troubleshoot).
Regards,
Gourav -
Web Service Homepage: Authority check failed
Dear Colleagues,
I have created a Web Service and now I want to test it via its Web Service Homepage (TA WSADMIN). The Homepage is displayed correctly, but testing leads to an error:
Authority check failed
Are there any prerequisites I maybe do not accomplish?
(I tested a very similar web service in another system, and there it works)
Here are some more information about my service:
- Service was built with the Web Service Wizard out of a function module
- Here you can see the conversation resulting of the test:
POST /sap/bc/srt/rfc/sap/Z_TEST_Q73_CONFIG_WS?sap-client=003 HTTP/1.1
Host: bsl8011.wdf.sap.corp:50073
Content-Type: text/xml; charset=UTF-8
Connection: close
Cookie: <value is hidden>
Cookie: <value is hidden>
Authorization: <value is hidden>
Content-Length: 381
SOAPAction: ""
<?xml version="1.0" encoding="UTF-8" ?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema">
<SOAP-ENV:Body>
<ns1:Z_TEST_WS_CONFIG xmlns:ns1='urn:sap-com:document:sap:rfc:functions'>
<INPUT>TEST</INPUT>
</ns1:Z_TEST_WS_CONFIG>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
HTTP/1.1 500 Internal Server Error
content-type: text/xml; charset=utf-8
content-length: 363
sap-srt_id: 20060404/125124/v1.00_final_6.40/1B0831447838C429E10000000A424016
server: SAP Web Application Server (1.0;700)
<soap-env:Envelope xmlns:soap-env="http://schemas.xmlsoap.org/soap/envelope/">
<soap-env:Body>
<soap-env:Fault>
<faultcode xmlns:n0="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">n0:FailedAuthentication</faultcode>
<faultstring xml:lang="e">Authority check failed</faultstring>
</soap-env:Fault>
</soap-env:Body>
</soap-env:Envelope>
The WSDL-Document looks as follows:
<?xml version="1.0" encoding="utf-8"?><wsdl:definitions targetNamespace="urn:sap-com:document:sap:rfc:functions" xmlns:http="http://schemas.xmlsoap.org/wsdl/http/" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tns="urn:sap-com:document:sap:rfc:functions" xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><wsdl:types><xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:tns="urn:sap-com:document:sap:rfc:functions" targetNamespace="urn:sap-com:document:sap:rfc:functions" elementFormDefault="unqualified" attributeFormDefault="qualified"><xsd:simpleType name="char60"><xsd:restriction base="xsd:string"><xsd:maxLength value="60"/></xsd:restriction></xsd:simpleType><xsd:element name="Z_TEST_WS_CONFIG"><xsd:complexType><xsd:sequence><xsd:element name="INPUT" minOccurs="0" type="tns:char60"/></xsd:sequence></xsd:complexType></xsd:element><xsd:element name="Z_TEST_WS_CONFIGResponse"><xsd:complexType><xsd:sequence><xsd:element name="OUTPUT" type="tns:char60"/></xsd:sequence></xsd:complexType></xsd:element></xsd:schema></wsdl:types><wsdl:message name="Z_TEST_WS_CONFIG"><wsdl:part name="parameters" element="tns:Z_TEST_WS_CONFIG"/></wsdl:message><wsdl:message name="Z_TEST_WS_CONFIGResponse"><wsdl:part name="parameters" element="tns:Z_TEST_WS_CONFIGResponse"/></wsdl:message><wsdl:portType name="Z_TEST_Q73_CONFIG_WS"><wsdl:operation name="Z_TEST_WS_CONFIG"><wsdl:input message="tns:Z_TEST_WS_CONFIG"/><wsdl:output message="tns:Z_TEST_WS_CONFIGResponse"/></wsdl:operation></wsdl:portType><wsdl:binding name="Z_TEST_Q73_CONFIG_WSSoapBinding" type="tns:Z_TEST_Q73_CONFIG_WS"><soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/><wsdl:operation name="Z_TEST_WS_CONFIG"><soap:operation soapAction=""/><wsdl:input><soap:body use="literal"/></wsdl:input><wsdl:output><soap:body use="literal"/></wsdl:output></wsdl:operation></wsdl:binding><wsdl:service name="Z_TEST_Q73_CONFIG_WSService"><wsdl:port 
name="Z_TEST_Q73_CONFIG_WSSoapBinding" binding="tns:Z_TEST_Q73_CONFIG_WSSoapBinding"><soap:address location="http://bsl8011.wdf.sap.corp:50073/sap/bc/srt/rfc/sap/Z_TEST_Q73_CONFIG_WS?sap-client=003"/></wsdl:port></wsdl:service></wsdl:definitions>
Can anyone help me? I have no idea.
Message was edited by: Hans-Peter Bauer
The message server defined in the SAP-Logon is us4278.wdf.sap.corp
But the url of the web service starts with http://us4185:58500/wsnavigator/jsps/explorer.jsp?description=WebServiceZ_TEST_Q73_CONFIG_WS
But I think that's not the problem, is it? As I mentioned above the test page can be shown, but after filling in the input parameters and pressing send, the authorisation error appears.
For better illustration I made some screenshots for you:
1) http://wipux2.wifo.uni-mannheim.de/~wi01211/sonstiges/WS_HOMEPAGE_OVERVIEW.gif
2) http://wipux2.wifo.uni-mannheim.de/~wi01211/sonstiges/WS_HOMEPAGE_TEST_INPUT_FORM.gif
3) http://wipux2.wifo.uni-mannheim.de/~wi01211/sonstiges/WS_HOMEPAGE_TEST_reqest_response.gif
What can be wrong, if the error "n0:FailedAuthentication" appears?
Regards,
Peter
Message was edited by: Hans-Peter Bauer -
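The two traces above return HTTP 500 with a SOAP fault whose faultcode is the WS-Security QName FailedAuthentication and whose faultstring is "Authority check failed"; the reply above reads that as missing authorization, and another post on this page reports that a wrong password gives 401 instead. The following added example (not code from any of the posters or from SAP) parses such a response and separates the two cases; the function names and the category labels are assumptions made for the illustration.

```python
"""Triage of a SOAP runtime response (added illustration, not SAP code)."""
import io
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
FAULT_TAG = "{%s}Fault" % SOAP_ENV

# Response body copied from the second trace on this page.
SAMPLE_FAULT = (
    b'<soap-env:Envelope xmlns:soap-env="http://schemas.xmlsoap.org/soap/envelope/">'
    b'<soap-env:Body><soap-env:Fault>'
    b'<faultcode xmlns:n0="http://docs.oasis-open.org/wss/2004/01/'
    b'oasis-200401-wss-wssecurity-secext-1.0.xsd">n0:FailedAuthentication</faultcode>'
    b'<faultstring xml:lang="e">Authority check failed</faultstring>'
    b'</soap-env:Fault></soap-env:Body></soap-env:Envelope>'
)


def parse_fault(body):
    """Return (faultcode namespace, faultcode local name, faultstring) or None.

    The faultcode is a QName, so its prefix ("n0" here) is resolved against
    the namespace declarations in scope instead of being compared as text.
    """
    if b"<!DOCTYPE" in body.upper():
        raise ValueError("DOCTYPE is not expected in a SOAP message")
    in_scope = []      # (prefix, uri) declarations currently in scope
    in_fault = False
    code = text = None
    events = ("start-ns", "end-ns", "start", "end")
    for event, item in ET.iterparse(io.BytesIO(body), events=events):
        if event == "start-ns":
            in_scope.append(item)
        elif event == "end-ns":
            in_scope.pop()
        elif event == "start" and item.tag == FAULT_TAG:
            in_fault = True
        elif event == "end" and in_fault:
            if item.tag == "faultcode":
                prefix, _, local = (item.text or "").strip().rpartition(":")
                ns = next((u for p, u in reversed(in_scope) if p == prefix), None)
                code = (ns, local)
            elif item.tag == "faultstring":
                text = (item.text or "").strip()
            elif item.tag == FAULT_TAG:
                in_fault = False
    if code is None:
        return None
    return code[0], code[1], text


def classify(status, body):
    """Map an HTTP status and body to a coarse category (labels are assumptions)."""
    if status == 401:
        # Per the report on this page: a wrong password is answered with 401.
        return "authentication"
    try:
        fault = parse_fault(body)
    except (ET.ParseError, ValueError):
        return "unparsed"
    if fault is None:
        return "ok" if 200 <= status < 300 else "other-error"
    ns, local, text = fault
    if (ns, local) == (WSSE, "FailedAuthentication") and text == "Authority check failed":
        # Per the reply above: the logon worked, the user lacks an authorization.
        return "authorization"
    return "other-fault"


if __name__ == "__main__":
    print(parse_fault(SAMPLE_FAULT))
    print(classify(500, SAMPLE_FAULT))
```

A result of "authorization" points at the user's roles and an authorization trace on the ABAP side, not at the password or the client configuration.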
I have tried to implement the PO create example as described in the document "Consuming Service Operations using SAP NetWeaver Studio". When I run the example I cannot create an order. I get the error "Authority check failed" when I try to run the example. I have entered the correct password, because, if the password is wrong I get a (401) Unauthorized from the server.
I have also tried to make a Webdynpro application which used the same service, with the same result.
I have also tried with a colleague's user, which gave the same error.
In the webgui for the FT2 system, it seems like the user does not have access to the PO create transaction (ME21).
Hi,
Which WAS should it be the I configured. The ESA or our own?
I have configured our own WAS as described in the tutorial. Here I tried to set up the username and password and I was able to send the request.
But I'm just accessing the test system and it is there I get the error. -
Protocol of failed authority check - analogue to SU53
Hello
I'm looking for way to retrieve the last failed authority check when a user interacts with a WDA application. Transaction SU53 seems not to protocol such failed authority checks when executed in WDA runtime.
Thanks,
Mathiass
-
Hi all,
can anyone explain what this statement does.
authority-check object 'Z_Abc_def'
id 'ZAbc_defI' field '*'.
Thanks in advance
Check the SAP-provided help:
here is an excerpt:
AUTHORITY-CHECK
Basic form
AUTHORITY-CHECK OBJECT object
    ID name1 FIELD f1
    ID name2 FIELD f2
    ID name10 FIELD f10.
Effect
Explanation of IDs:
object: Field which contains the name of the object for which the authorization is to be checked.
name1 ... name10: Fields which contain the names of the authorization fields defined in the object.
f1 ... f10: Fields which contain the values for which the authorization is to be checked.
AUTHORITY-CHECK checks for one object whether the user has an authorization that contains all values of f (see SAP authorization concept).
You must specify all authorizations for an object and also a value for each ID (or DUMMY).
The system checks the values for the IDs by AND-ing them together, i.e. all values must be part of an authorization assigned to the user.
If a user has several authorizations for an object, the values are OR-ed together. This means that if the CHECK finds all the specified values in one authorization, the user can proceed. Only if none of the authorizations for a user contains all the required values is the user rejected.
If the return code value in SY-SUBRC is 0, the user has the required authorization and may continue.
The return code value changes according to the different error scenarios. The return code values have the following meaning:
4: User has no authorization in the SAP System for such an action. If necessary, change the user master record.
8: Too many parameters (fields, values). Maximum allowed is 10.
12: Specified object not maintained in the user master record.
16: No profile entered in the user master record.
24: The field names of the check call do not match those of an authorization. Either the authorization or the call is incorrect.
28: Incorrect structure for user master record.
32: Incorrect structure for user master record.
36: Incorrect structure for user master record.
If the return code value is 8 or 24, inform the person responsible for the program. If the return code value is 4, 12, 16 or 24, consult your system administrator if you think you should have the relevant authorization. In the case of errors 28 to 36, contact SAP because authorizations have probably been destroyed.
Individual authorizations are assigned to users in their respective user profiles, i.e. they are grouped together in profiles which are stored in the user master record.
Note
Instead of ID name FIELD f, you can also write ID name DUMMY. This means that no check is performed for the field concerned.
The check can only be performed on CHAR fields. All other field types result in 'unauthorized'.
Example
Check whether the user is authorized for a particular plant. In this case, the following authorization object applies:
Table OBJ: Definition of authorization object
M_EINF_WRK
ACTVT
WERKS
Here, M_EINF_WRK is the object name, whilst ACTVT and WERKS are authorization fields. For example, a user with the authorizations
M_EINF_WRK_BERECH1
ACTVT 01-03
WERKS 0001-0003 .
can display and change plants within the Purchasing and Materials Management areas.
Such a user would thus pass the checks
AUTHORITY-CHECK OBJECT 'M_EINF_WRK'
    ID 'WERKS' FIELD '0002'
    ID 'ACTVT' FIELD '02'.
AUTHORITY-CHECK OBJECT 'M_EINF_WRK'
    ID 'WERKS' DUMMY
    ID 'ACTVT' FIELD '01'.
but would fail the check
AUTHORITY-CHECK OBJECT 'M_EINF_WRK'
    ID 'WERKS' FIELD '0005'
    ID 'ACTVT' FIELD '04'.
To suppress unnecessary authorization checks or to carry out checks before the user has entered all the values, use DUMMY - as in this example. You can confirm the authorization later with another AUTHORITY-CHECK.
Regards,
ravi -
Reg:Authority Check object
Dear All,
I am calling two authority check objects, M_MATE_MAR and M_MSEG_BMB, in my report.
Now for a user, if I look at the role, the second object M_MSEG_BMB is maintained and the object M_MATE_MAR is not maintained.
Now in my program for the object M_MATE_MAR (as it is not maintained), my sy-subrc is returning 12, hence the check is failing, and for
M_MSEG_BMB sy-subrc = 4 as the check is failing.
My requirement is that the user should not see some movement types irrespective of the material.
If I pass a material in the selection screen of the report, movement type records are deleted fine, but along with that others are also deleted because of sy-subrc <> 0 (sy-subrc = 12), so I get a blank report as output.
So what should be done in my case?
Regards
Hi Rajendra,
When you hit F1 on the Authority-check,
If Sy-subrc = 4, Authorization check not successful. One or several authorizations were indeed found for the authorization object in the user master record and they include the value sets, but not the values specified, or incorrect or too many authorization fields were specified.
If Sy-subrc = 12, No authorization was found for the authorization object in the user master record.
When Sy-subrc = 24, Incorrect authorization fields or an incorrect number of authorization fields was found. This return value is no longer set since Release 6.20. Up to Release 4.6 it is set only if the profile parameter "auth/new_buffering" has a value less than 3.
When sy-subrc = 40, An invalid user ID has been entered in user.
Hope it helps.
Sujay -
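The help excerpt and the return-code explanation above describe how AUTHORITY-CHECK evaluates a request: field values are AND-ed within one authorization, several authorizations for the same object are OR-ed, DUMMY skips a field, and sy-subrc separates "object present but values missing" (4) from "object not in the user master" (12). The following is an added Python model of those rules, not SAP code and not part of any post; the class and function names are assumptions, ranges are compared character-wise, and only the return codes 0, 4, 8 and 12 are modelled.

```python
"""Simplified model of AUTHORITY-CHECK evaluation (added illustration, not SAP code)."""
from dataclasses import dataclass

DUMMY = object()   # models "ID name DUMMY": the field is not checked
MAX_IDS = 10       # the help text quoted above allows at most 10 IDs


@dataclass
class Authorization:
    """One authorization in the user master: an object plus allowed values per field."""
    name: str
    obj: str
    values: dict   # field -> list of entries: "0002", ("01", "03"), "*" or "AB*"


def _entry_allows(entry, value):
    """True if one maintained entry covers the checked value."""
    if isinstance(entry, tuple):              # range, compared character-wise
        low, high = entry
        return low <= value <= high
    if entry.endswith("*"):                   # "*" or a prefix pattern such as "AB*"
        return value.startswith(entry[:-1])
    return entry == value


def authority_check(user_auths, obj, **ids):
    """Return the modelled sy-subrc for a check of `obj` with the given IDs."""
    if len(ids) > MAX_IDS:
        return 8                              # too many parameters
    for_object = [a for a in user_auths if a.obj == obj]
    if not for_object:
        return 12                             # object not in the user master
    for auth in for_object:                   # OR across authorizations
        if all(                               # AND across the fields of one authorization
            value is DUMMY
            or any(_entry_allows(e, value) for e in auth.values.get(name, ()))
            for name, value in ids.items()
        ):
            return 0
    return 4                                  # object present, values not covered


def visible_values(user_auths, obj, field_name, candidates, **fixed_ids):
    """Split candidate values into (allowed list, {denied value: return code}).

    Keeping the return code per denied value lets a report tell a role that
    lacks the whole object (12) from one that lacks a single value (4).
    """
    allowed, denied = [], {}
    for value in candidates:
        rc = authority_check(user_auths, obj, **{field_name: value, **fixed_ids})
        if rc == 0:
            allowed.append(value)
        else:
            denied[value] = rc
    return allowed, denied


# Constructed user master following the M_EINF_WRK example quoted above.
BERECH1 = Authorization("M_EINF_WRK_BERECH1", "M_EINF_WRK",
                        {"ACTVT": [("01", "03")], "WERKS": [("0001", "0003")]})

# Constructed pair: values held in two different authorizations do not combine.
SPLIT = [
    Authorization("A1", "M_EINF_WRK", {"ACTVT": ["03"], "WERKS": ["0001"]}),
    Authorization("A2", "M_EINF_WRK", {"ACTVT": ["01"], "WERKS": ["0005"]}),
]

if __name__ == "__main__":
    print(authority_check([BERECH1], "M_EINF_WRK", WERKS="0002", ACTVT="02"))
    print(authority_check([BERECH1], "M_EINF_WRK", WERKS=DUMMY, ACTVT="01"))
    print(authority_check([BERECH1], "M_EINF_WRK", WERKS="0005", ACTVT="04"))
    print(authority_check([BERECH1], "M_MATE_MAR", ACTVT="03"))
    print(authority_check(SPLIT, "M_EINF_WRK", WERKS="0005", ACTVT="03"))
    print(visible_values([BERECH1], "M_EINF_WRK", "WERKS",
                         ["0001", "0004"], ACTVT="03"))
```

The SPLIT case is the one most often misread: plant 0005 and activity 03 are each granted somewhere, but no single authorization holds both, so the check fails with 4.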
Hi Everybody ,
Can anyone send me the PPT for authority check .
My mail id is [email protected]
Regards ,
Senthil.
Hi,
You can check in the below SAP link, this is having the Screen shots also ..
http://help.sap.com/saphelp_46c/helpdata/en/5c/deaa74d3d411d3970a0000e82de14a/content.htm
http://www.sapdevelopment.co.uk/security/authority/authhome.htm
Regards
Sudheer -
Java ME 8 Permission check failed when opening a serial port
I have a larger Jave ME8.1 application that was going well until I tried to add one last piece, reading and writing data from a serial port. This was left to last because it is trivial, at least in most programming languages. The is IDE NetBeans 8.0.2 running on a Windows 7 PC. The platform is a Raspberry Pi B or B+ (I have tried both) with the most current Raspbian (12/24/2014 I believe). To simplify the process I created a new app with just the open and close code and this generates the same error I am experiencing in the larger application. The program is as follows:
package javamecomapp;

import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.microedition.io.CommConnection;
import javax.microedition.io.Connector;
import javax.microedition.midlet.MIDlet;

/**
 * @author ****
 */
public class JavaMEcomApp extends MIDlet {

    static int BAUD_RATE = 38400;
    static String SERIAL_DEVICE = "ttyAMA0";
    static CommConnection commConnection = null;
    static OutputStream os = null;
    static InputStream is = null;
    static String connectorString;
    private int rtnValue = -1;

    @Override
    public void startApp() {
        java.lang.System.out.println("Opening comm port.");
        try {
            rtnValue = JavaMEcomApp.openComm();
        } catch (IOException ex) {
            Logger.getLogger(JavaMEcomApp.class.getName()).log(Level.SEVERE, null, ex);
        }
    }

    @Override
    public void destroyApp(boolean unconditional) {
        java.lang.System.out.println("Closing comm port.");
        try {
            rtnValue = JavaMEcomApp.closeComm();
        } catch (IOException ex) {
            Logger.getLogger(JavaMEcomApp.class.getName()).log(Level.SEVERE, null, ex);
        }
    }

    // Opens the serial port through the Generic Connection Framework.
    private static int openComm() throws IOException {
        java.lang.System.out.println("Opening comm port.");
        connectorString = "comm:" + SERIAL_DEVICE + ";baudrate=" + BAUD_RATE;
        commConnection = (CommConnection) Connector.open(connectorString);
        is = commConnection.openInputStream();
        os = commConnection.openOutputStream();
        return 0;
    }

    // Closes the streams and the connection opened by openComm().
    private static int closeComm() throws IOException {
        java.lang.System.out.println("Closing comm port.");
        is.close();
        os.close();
        commConnection.close();
        return 0;
    }
}
If I comment out the JavaMEcomApp.openComm and closeComm lines it runs fine. When they are included, the following error is dumped to the Raspberry Pi terminal:
Opening comm port.
Opening comm port.
[CRITICAL] [SECURITY] iso=2:Permission check failed: javax.microedition.io.CommProtocolPermission "comm:ttyAMA0;baudrate=38400" ""
TRACE: <at java.security.AccessControlException: >, startApp threw an Exception
java.security.AccessControlException:
- com/oracle/meep/security/AccessControllerInternal.checkPermission(), bci=118
- java/security/AccessController.checkPermission(), bci=1
- com/sun/midp/io/j2me/comm/Protocol.checkForPermission(), bci=16
- com/sun/midp/io/j2me/comm/Protocol.openPrim(), bci=31
- javax/microedition/io/Connector.open(), bci=77
- javax/microedition/io/Connector.open(), bci=6
- javax/microedition/io/Connector.open(), bci=3
- javamecomapp/JavaMEcomApp.openComm(), bci=46
- javamecomapp/JavaMEcomApp.startApp(), bci=9
- javax/microedition/midlet/MIDletTunnelImpl.callStartApp(), bci=1
- com/sun/midp/midlet/MIDletPeer.startApp(), bci=5
- com/sun/midp/midlet/MIDletStateHandler.startSuite(), bci=246
- com/sun/midp/main/AbstractMIDletSuiteLoader.startSuite(), bci=38
- com/sun/midp/main/CldcMIDletSuiteLoader.startSuite(), bci=5
- com/sun/midp/main/AbstractMIDletSuiteLoader.runMIDletSuite(), bci=130
- com/sun/midp/main/AppIsolateMIDletSuiteLoader.main(), bci=26
java.security.AccessControlException:
- com/oracle/meep/security/AccessControllerInternal.checkPermission(), bci=118
- java/security/AccessController.checkPermission(), bci=1
- com/sun/midp/io/j2me/comm/Protocol.checkForPermission(), bci=16
- com/sun/midp/io/j2me/comm/Protocol.openPrim(), bci=31
- javax/microedition/io/Connector.open(), bci=77
- javax/microedition/io/Connector.open(), bci=6
- javax/microedition/io/Connector.open(), bci=3
- javamecomapp/JavaMEcomApp.openComm(), bci=46
- javamecomapp/JavaMEcomApp.startApp(), bci=9
- javax/microedition/midlet/MIDletTunnelImpl.callStartApp(), bci=1
- com/sun/midp/midlet/MIDletPeer.startApp(), bci=5
- com/sun/midp/midlet/MIDletStateHandler.startSuite(), bci=246
- com/sun/midp/main/AbstractMIDletSuiteLoader.startSuite(), bci=38
- com/sun/midp/main/CldcMIDletSuiteLoader.startSuite(), bci=5
- com/sun/midp/main/AbstractMIDletSuiteLoader.runMIDletSuite(), bci=130
- com/sun/midp/main/AppIsolateMIDletSuiteLoader.main(), bci=26
Closing comm port.
Closing comm port.
TRACE: <at java.lang.NullPointerException>, destroyApp threw an Exception
java.lang.NullPointerException
- javamecomapp/JavaMEcomApp.closeComm(), bci=11
- javamecomapp/JavaMEcomApp.destroyApp(), bci=9
- javax/microedition/midlet/MIDletTunnelImpl.callDestroyApp(), bci=2
- com/sun/midp/midlet/MIDletPeer.destroyApp(), bci=6
- com/sun/midp/midlet/MIDletStateHandler.startSuite(), bci=376
- com/sun/midp/main/AbstractMIDletSuiteLoader.startSuite(), bci=38
- com/sun/midp/main/CldcMIDletSuiteLoader.startSuite(), bci=5
- com/sun/midp/main/AbstractMIDletSuiteLoader.runMIDletSuite(), bci=130
- com/sun/midp/main/AppIsolateMIDletSuiteLoader.main(), bci=26
java.lang.NullPointerException
- javamecomapp/JavaMEcomApp.closeComm(), bci=11
- javamecomapp/JavaMEcomApp.destroyApp(), bci=9
- javax/microedition/midlet/MIDletTunnelImpl.callDestroyApp(), bci=2
- com/sun/midp/midlet/MIDletPeer.destroyApp(), bci=6
- com/sun/midp/midlet/MIDletStateHandler.startSuite(), bci=376
- com/sun/midp/main/AbstractMIDletSuiteLoader.startSuite(), bci=38
- com/sun/midp/main/CldcMIDletSuiteLoader.startSuite(), bci=5
- com/sun/midp/main/AbstractMIDletSuiteLoader.runMIDletSuite(), bci=130
com/sun/midp/main/AppIsolateMIDletSuiteLoader.main(), bci=26
I have tried this with three different serial ports, /dev/ttyAMA0 (yes I did disable the OS from using it), an arduino board /dev/ttyACM0, and a USB to RS485 adaptor /dev/ttyUSB0. All of these ports could be connected and use normally with both a C program and terminal program in the Pi. The API Permissions were set in the project properties / Application Descriptor / API Permissions to jdk.dio.DeviceMgmtPermission "/dev/ttyAMA0". This of course was changed as I tested different devices.
I found a reference suggesting adding the line "authentication.provider = com.oracle.meep.security.NullAuthenticationProvider" to the end of the jwc_properties.ini file. This had no effect. I found references that during development in eclipse and NetBeans, the app is already elevated to the top level so this should not be an issue until deployment. This does not appear to be the case.
I am out of time and need a solution quickly. Any suggestions are welcome.
Terrence,
Thank you for responding and confirming the issues I'm having with static addressing. As far as the example above, I do have the standard LEDs working correctly, however, the example I'm referring to above is from the JavaME samples using the GPIO Port for the LEDS, according to the Device I/O Preconfigured List you referenced:
GPIO Ports
The following GPIO ports are preconfigured.
Device ID: 8
Device Name: LEDS
Mapped: PTB22, PTE26, PTB21
Configuration:
    direction = 1 (Output only)
    initValue = 0
    GPIOPins:
        controllerNumber = 1, pinNumber = 22, mode = 4 (Push-pull mode)
        controllerNumber = 4, pinNumber = 26, mode = 4 (Push-pull mode)
        controllerNumber = 1, pinNumber = 21, mode = 4 (Push-pull mode)
So is the assumption that using GPIOPort for accessing the GPIO port for Device ID 8 as listed in the Device I/O Preconfigured list not supported? -
EMC - Certificate status could not be determined because revocation check failed.
I've exhausted my resources on this issue and am reaching out for some assistance. I have setup Server 2008 R2 Enterprise SP1, running Exchange 2010 SP1. In EMC I have successfully imported a GoDaddy SSL certificate. Although I am receiving the message -
"The certificate status could not be determined because the revocation check failed."
Here are the steps I've taken to troubleshoot this so far:
[PS] C:\Users\Administrator\Desktop>netsh winhttp show proxy
Current WinHTTP proxy settings:
Direct access (no proxy server).
As you can see, direct access. Which is true, no proxies on this network.
For good measure, I'll dump the urlcache.
certutil -urlcache ocsp delete
certutil -urlcache crl delete
Both return 0, reboot server.
Comes back up, same message in EMC.
From PS, I test exactly what its getting from GoDaddy.
[PS] C:\Users\Administrator\Desktop>certutil -f -urlfetch -verify mail.fluxlabs.net.crt
Issuer:
SERIALNUMBER=07969287
CN=Go Daddy Secure Certification Authority
OU=http://certificates.godaddy.com/repository
O=GoDaddy.com, Inc.
L=Scottsdale
S=Arizona
C=US
Subject:
CN=mail.fluxlabs.net
OU=Domain Control Validated
O=mail.fluxlabs.net
Cert Serial Number: 27b60918638e0d
dwFlags = CA_VERIFY_FLAGS_ALLOW_UNTRUSTED_ROOT (0x1)
dwFlags = CA_VERIFY_FLAGS_IGNORE_OFFLINE (0x2)
dwFlags = CA_VERIFY_FLAGS_FULL_CHAIN_REVOCATION (0x8)
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN (0x20000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000040
Issuer: SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=S
cottsdale, S=Arizona, C=US
NotBefore: 8/20/2011 7:49 PM
NotAfter: 8/20/2012 7:16 PM
Subject: CN=mail.fluxlabs.net, OU=Domain Control Validated, O=mail.fluxlabs.net
Serial: 27b60918638e0d
SubjectAltName: DNS Name=mail.fluxlabs.net, DNS Name=www.mail.fluxlabs.net
33 49 57 5d 6e d8 6b aa b9 61 73 95 44 07 c9 2e 55 6e 47 10
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
---------------- Certificate AIA ----------------
Verified "Certificate (0)" Time: 4
[0.0] http://certificates.godaddy.com/repository/gd_intermediate.crt
---------------- Certificate CDP ----------------
Expired "Base CRL (05)" Time: 4
[0.0] http://crl.godaddy.com/gds1-55.crl
---------------- Base CRL CDP ----------------
No URLs "None" Time: 0
---------------- Certificate OCSP ----------------
Expired "OCSP" Time: 4
[0.0] http://ocsp.godaddy.com/
CRL (null):
Issuer: CN=Go Daddy Validation Authority, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US
e5 53 19 6c 54 87 8c 62 23 1b b9 11 e1 d8 3d 3f b2 04 77 3f
Issuance[0] = 2.16.840.1.114413.1.7.23.1
Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication
Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication
CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0
Issuer: OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US
NotBefore: 11/15/2006 8:54 PM
NotAfter: 11/15/2026 8:54 PM
Subject: SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=
Scottsdale, S=Arizona, C=US
Serial: 0301
7c 46 56 c3 06 1f 7f 4c 0d 67 b3 19 a8 55 f6 0e bc 11 fc 44
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
No URLs "None" Time: 0
---------------- Certificate CDP ----------------
Verified "Base CRL" Time: 4
[0.0] http://certificates.godaddy.com/repository/gdroot.crl
---------------- Base CRL CDP ----------------
No URLs "None" Time: 0
---------------- Certificate OCSP ----------------
Expired "OCSP" Time: 4
[0.0] http://ocsp.godaddy.com
CRL (null):
Issuer: OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US
da 1e d5 63 5c 05 58 50 4e db d2 4e e8 9d 28 9d c4 36 b3 1e
Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication
Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication
Application[2] = 1.3.6.1.5.5.7.3.4 Secure Email
Application[3] = 1.3.6.1.5.5.7.3.3 Code Signing
CertContext[0][2]: dwInfoStatus=109 dwErrorStatus=0
Issuer: OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US
NotBefore: 6/29/2004 12:06 PM
NotAfter: 6/29/2034 12:06 PM
Subject: OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US
Serial: 00
27 96 ba e6 3f 18 01 e2 77 26 1b a0 d7 77 70 02 8f 20 ee e4
Element.dwInfoStatus = CERT_TRUST_HAS_EXACT_MATCH_ISSUER (0x1)
Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
No URLs "None" Time: 0
---------------- Certificate CDP ----------------
No URLs "None" Time: 0
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0
Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication
Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication
Application[2] = 1.3.6.1.5.5.7.3.4 Secure Email
Application[3] = 1.3.6.1.5.5.7.3.3 Code Signing
Exclude leaf cert:
b1 04 4b 90 a1 d3 48 de 46 bd d7 50 20 e3 44 b8 3f 68 39 f7
Full chain:
68 36 4d 37 2e 96 bd d2 aa 77 3f d0 e8 78 a9 e6 68 bd 7d 71
Verified Issuance Policies:
2.16.840.1.114413.1.7.23.1
Verified Application Policies:
1.3.6.1.5.5.7.3.1 Server Authentication
1.3.6.1.5.5.7.3.2 Client Authentication
Cert is an End Entity certificate
ERROR: Verifying leaf certificate revocation status returned The revocation function was unable to check revocation because the revocation server was
offline. 0x80092013 (-2146885613)
CertUtil: The revocation function was unable to check revocation because the revocation server was offline.
CertUtil: -verify command completed successfully.
As you can see, the "revocation server is offline."
So I run the same test from another server on the LAN.
Verified Issuance Policies:
2.16.840.1.114413.1.7.23.1
Verified Application Policies:
1.3.6.1.5.5.7.3.1 Server Authentication
1.3.6.1.5.5.7.3.2 Client Authentication
Cert is an End Entity certificate
Leaf certificate revocation check passed
CertUtil: -verify command completed successfully.
It passes. The server's firewall has been disabled. DNS cache has been cleared. I have verified everything I can, and still failing to verify.
[PS] C:\Users\Administrator\Desktop>Get-ExchangeCertificate |fl
AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.Acces
trol.CryptoKeyAccessRule}
CertificateDomains : {mail.fluxlabs.net, www.mail.fluxlabs.net}
HasPrivateKey : True
IsSelfSigned : False
Issuer : SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy
, Inc.", L=Scottsdale, S=Arizona, C=US
NotAfter : 8/20/2012 7:16:57 PM
NotBefore : 8/20/2011 7:49:30 PM
PublicKeySize : 2048
RootCAType : ThirdParty
SerialNumber : 27B60918638E0D
Services : IMAP, POP, IIS, SMTP
Status : RevocationCheckFailure
Subject : CN=mail.fluxlabs.net, OU=Domain Control Validated, O=mail.fluxlabs.net
Thumbprint : 3349575D6ED86BAAB96173954407C92E556E4710
[PS] C:\Users\Administrator\Desktop>Enable-ExchangeCertificate -Thumbprint 3349575D6ED86BAAB96173954407C92E556E4710 -Services POP,IMAP,SMTP,IIS
The command has already been executed. Yes, I have seen those sites. Neither have worked. Like I said, it is directly connected; and no proxies are set.
-- Jeremy MCSpadden Flux Labs -
AUTHORITY-CHECK & customized program
Hi,
I've applied an authority-check to my customized program. What I did was, I've created an authorization object name 'ZFI_PGRM' in SU21 and tie it with authorization fields BUKRS, ACTVT. This authority-check will validate on the company code (BUKRS) entered from the selection screen. Below are my lines in the customized program :
DATA: text TYPE string,
m_text TYPE string.
text = 'You are not authorised for Company Code'.
DATA: t_t001 LIKE t001 OCCURS 0 WITH HEADER LINE.
SELECT * FROM t001
INTO TABLE t_t001
WHERE bukrs IN s_bukrs.
LOOP AT t_t001.
AUTHORITY-CHECK OBJECT 'ZFI_PGRM'
ID 'BUKRS' FIELD t_t001-bukrs
ID 'ACTVT' FIELD '03'.
IF sy-subrc <> 0.
CONCATENATE text t_t001-bukrs INTO m_text SEPARATED BY space.
ENDIF.
ENDLOOP.
At the same time BASIS tied the authorization object 'ZFI_PGRM' to the user role in order to access the program using PFCG. The problem now is that the result I'm getting is always SY-SUBRC = 12 even though the user is allowed to access the company's report. Please help...
Haryati
Run transaction SU53 after the auth check fails and maybe it will give you a clue as to what is going on.
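An added example, not the poster's code: the same ZFI_PGRM check with each return code handled separately, so the report fails closed and a missing authorization (12) is told apart from a value mismatch (4). The report name and the lt_/ls_/lv_ variables are hypothetical; the return-code meanings are those given in the ABAP keyword documentation for AUTHORITY-CHECK.

```abap
REPORT zfi_authcheck_demo.            " hypothetical report name

TABLES t001.
SELECT-OPTIONS s_bukrs FOR t001-bukrs.

DATA: lt_t001    TYPE STANDARD TABLE OF t001,
      lt_allowed TYPE STANDARD TABLE OF t001,
      ls_t001    TYPE t001,
      lv_denied  TYPE string,
      lv_msg     TYPE string.

START-OF-SELECTION.
  SELECT * FROM t001 INTO TABLE lt_t001 WHERE bukrs IN s_bukrs.

  LOOP AT lt_t001 INTO ls_t001.
    AUTHORITY-CHECK OBJECT 'ZFI_PGRM'
      ID 'BUKRS' FIELD ls_t001-bukrs
      ID 'ACTVT' FIELD '03'.
    CASE sy-subrc.
      WHEN 0.
        " Authorized: only these company codes are processed further.
        APPEND ls_t001 TO lt_allowed.
      WHEN 4.
        " The user holds ZFI_PGRM, but not for this BUKRS / ACTVT 03.
        CONCATENATE lv_denied ls_t001-bukrs INTO lv_denied SEPARATED BY space.
      WHEN 12.
        " No authorization for ZFI_PGRM at all in the user master record.
        " The values being checked are irrelevant here; review the role
        " assignment in PFCG and the failed check in SU53.
        MESSAGE 'No authorization for object ZFI_PGRM' TYPE 'S' DISPLAY LIKE 'E'.
        RETURN.
      WHEN OTHERS.
        " Any other return code is treated as a denial.
        CONCATENATE lv_denied ls_t001-bukrs INTO lv_denied SEPARATED BY space.
    ENDCASE.
  ENDLOOP.

  IF lv_denied IS NOT INITIAL.
    CONCATENATE 'You are not authorised for Company Code' lv_denied
      INTO lv_msg SEPARATED BY space.
    MESSAGE lv_msg TYPE 'S' DISPLAY LIKE 'E'.
  ENDIF.

  " Report only on what passed the check, never on lt_t001 directly.
  LOOP AT lt_allowed INTO ls_t001.
    WRITE: / ls_t001-bukrs, ls_t001-butxt.
  ENDLOOP.
```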
-
User role and Authority-check ?
Hello,
Could you please let me know what the differences are between User role and Authority-check? In a program I do not use Authority-check, and the user is not assigned to a user role which contains this transaction (for this program). Can the user execute this transaction, or must he be assigned to a user role which contains this transaction to execute it? Supposing that we do not use any Authority-check in the program.
Thanks in advance
Hello Martin,
I think this answers the OP's question about the user not being assigned the role which contains the trxn code. As you have explained, in this case the default auth. check for S_TCODE will fail & the user cannot execute the trxn. (If I remember correctly the tables for this are AGR_USERS & AGR_TCODES)
Anyways just to add to the OP's query. Auth. objects are added to profiles which in turn assigned to roles. So if you implement the auth. object in your program the user must also subscribe to the role containing the auth. obj. profile to be able to execute it.
@OP:
The transactions PFCG & SUIM might interest you. Also the tables dealing with this stuff begin with AGR*. You can check the tables for better understanding.
BR,
Suhas -
Analyze authority checks in web dynpro processing
Hi,
I'm facing strange things here.
A user was reported not to be able to successfully use a function provided in our system:
We provide a function for use of our call center agents that will reprocess and output document and send it by mail to the customer. It looks as if it worked but the mail is not sent.
I started SE80 with my own user and put some external breakpoints in the webdynpro code for the agents username. Then I started the webdynpro application by entering the URL into the browser and logging in with the agent's credentials.
On my first try, the debugger started when the external breakpoint was reached. SY-UNAME was the agent's name but everything went fine.
Obviously the authority checks were done for my own user although there was a different sy-uname.
I logged off completely and started a second time. I used my own user to set the external breakpoints because the agent's user has no rights for development, just restricted to a couple of roles.
This time I got a rabax state error - the dump was caused because the agent's user does not have authority for debug. The rabax error showed me the call hierarchy and pointed to the method where I set the external breakpoint.
So, is there any way to come close to the code where the authorization check fails?
Or - which we could try: What are the roles/profiles for use of SAPOFFICE? (in SU53, we can see failed checks, but it looks strange as there are failed authority-checks for ...ADMIN - don't know exactly because now I'm home and don't have remote access).
Good ideas always welcome!
Note: Nobody knows why this function is implemented in Webdynpro but we have to live with it and get it working for this group of agents.
Regards
Clemens
Traditionally I would probably have used ST01 with the "Authorization check" option and general filters to log which authority checks are working / failing.
But now I quite like using ST05 (SQL Trace) instead as drilldown to the code is available ... you can tick the "Buffer Trace" option and "Activate Trace with Filter" to log the other user's calls - this will then display lots of references to tables USOBX_C and USRBF2 - drilling to the code on these usually gives you the "authority-check object 'xyz' .." details.
Jonathan -
ICF Connector Must Understand check failed
We are building an ICF connector, and need to send the user credential and timestamp using WS-Security. We have created a project in JDeveloper. And after deploying it and testing in the OIM EM console, we got the error message: oracle.sysman.emSDK.webservices.wsdlapi.SoapTestException: Client received SOAP Fault from server : Must Understand check failed for headers.
The options we have tried are adding a ws-security policy in composite.xml and adding username and password for binding properties, and the protocol used is SOAP 1.2.
Hi Delhi,
I saw the note 1161907.1, but It applies for Child OU creation.
In our case the pObjDN is incomplete. -
Authority Check on B_USERSTAT not working
Hi Gurus,
I have a simple question on authority check that I can't quite understand.
Basis has created auth key : ZWP_CCS, whereby a user with the auth key can create, change, delete.
So, in my code, I have implemented the following. However, it seems that all users, even though from a different auth key, can still pass thru. Is there something that I missed? Thanks.
AUTHORITY-CHECK OBJECT 'B_USERSTAT'
ID 'ACTVT' FIELD '02'
ID 'BERSL' FIELD 'ZWP_CCS'
ID 'STSMA' FIELD 'ZS_IRC'.
Edited by: Julius Bussche on Jan 1, 2009 1:32 PM
More meaningful subject title added.
Hi
use without quotes if it is a variable.
AUTHORITY-CHECK OBJECT 'B_USERSTAT'
ID 'ACTVT' FIELD '02'
ID 'BERSL' FIELD ZWP_CCS
ID 'STSMA' FIELD ZS_IRC.
and
if sy-subrc <> 0.
  message 'error' type 'E'.
endif.
reg
Ramya
Edited by: Ramya S on Dec 31, 2008 5:43 AM