Reg: webservice - authority check failed

Similar Messages

• Authority Check Failed

  I have created a Web Service for a Function Module in ECC 5.0. I was able to generate the proxy using SE37--> Web Wizard. I can see the Web Service in WSADMIN, WSCONFIG, SICF. 
  I am using the WSADMIN and Test Tool to generate a request for testing the proxy hosted on my ECC 5.0 system. I am finding this particular error relating Authorization. We have granted most of the Authorzations. Any Clue on how to resolve?
  Request Object
  POST /sap/bc/srt/rfc/sap/ZWS_CONCATENATE_STRING?sap-client=100 HTTP/1.1
  Host: sapdbs.foxboro.com:8000
  Content-Type: text/xml; charset=UTF-8
  Connection: close
  Authorization: <value is hidden>
  Content-Length: 559
  SOAPAction: ""
  <?xml version="1.0" encoding="UTF-8" ?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema"><SOAP-ENV:Header><sapsess:Session xmlns:sapsess="http://www.sap.com/webas/630/soap/features/session/"><enableSession>true</enableSession></sapsess:Session></SOAP-ENV:Header><SOAP-ENV:Body><ns1:Ztest4 xmlns:ns1='urn:sap-com:document:sap:soap:functions:mc-style'><Par1>str1</Par1><Par2>str2</Par2></ns1:Ztest4></SOAP-ENV:Body></SOAP-ENV:Envelope>
  Response Object
  HTTP/1.1 500 Internal Server Error
  Set-Cookie: <value is hidden>
  content-type: text/xml; charset=utf-8
  content-length: 363
  sap-srt_id: 20091117/102452/v1.00_final_6.40/4B02B94392E30041000000000A9BAC6E
  server: SAP Web Application Server (1.0;640)
  <soap-env:Envelope xmlns:soap-env="http://schemas.xmlsoap.org/soap/envelope/"><soap-env:Body><soap-env:Fault><faultcode xmlns:n0="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">n0:FailedAuthentication</faultcode><faultstring xml:lang="e">Authority check failed</faultstring></soap-env:Fault></soap-env:Body></soap-env:Envelope>
  Thanks.

  Hi,
  This means your userid/password don't have sufficient authorization.
  do following:
  - Grant following authorization using SU01 : *WEBSERVICE* (search for all role with webservice)
  - If above doesn't work then check if your user exist in visual admin secure store (java side). Usually visual admin secure store point to ABAP client for user sync but it is possible it is not configured to right client (instead pointing to client 001).
  - check service with third party tool like SOAP UI (provide ur userid/password as well) - if it is working from here then it means you have problem with userid on java side (use visual admin to troubleshoot).
  Regards,
  Gourav

• Web Service Homepage: Authority check failed

  Dear Colleagues,
  I have created a Web Service and now I want to test it via its Web Service Homepage (TA WSADMIN). The Homepage is displayed correctly, but testing leads to an error:
  Authority check failed
  Are there any prerequisites I maybe do not accomplish?
  (I tested a very similar web service in another system, and there it works)
  Here are some more information about my service:
  - Service was build with Web Service Wizzard out of a function module
  - Here you can see the conversation resulting of the test:
  POST /sap/bc/srt/rfc/sap/Z_TEST_Q73_CONFIG_WS?sap-client=003 HTTP/1.1
  Host: bsl8011.wdf.sap.corp:50073
  Content-Type: text/xml; charset=UTF-8
  Connection: close
  Cookie: <value is hidden>
  Cookie: <value is hidden>
  Authorization: <value is hidden>
  Content-Length: 381
  SOAPAction: ""
  <?xml version="1.0" encoding="UTF-8" ?>
  <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <SOAP-ENV:Body>
  <ns1:Z_TEST_WS_CONFIG xmlns:ns1='urn:sap-com:document:sap:rfc:functions'>
  <INPUT>TEST</INPUT>
  </ns1:Z_TEST_WS_CONFIG>
  </SOAP-ENV:Body>
  </SOAP-ENV:Envelope>
  HTTP/1.1 500 Internal Server Error
  content-type: text/xml; charset=utf-8
  content-length: 363
  sap-srt_id: 20060404/125124/v1.00_final_6.40/1B0831447838C429E10000000A424016
  server: SAP Web Application Server (1.0;700)
  <soap-env:Envelope xmlns:soap-env="http://schemas.xmlsoap.org/soap/envelope/">
  <soap-env:Body>
  <soap-env:Fault>
  <faultcode xmlns:n0="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">n0:FailedAuthentication</faultcode>
  <faultstring xml:lang="e">Authority check failed</faultstring>
  </soap-env:Fault>
  </soap-env:Body>
  </soap-env:Envelope>
  The WSDL-Document looks as follows:
  <?xml version="1.0" encoding="utf-8"?><wsdl:definitions targetNamespace="urn:sap-com:document:sap:rfc:functions" xmlns:http="http://schemas.xmlsoap.org/wsdl/http/" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tns="urn:sap-com:document:sap:rfc:functions" xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><wsdl:types><xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:tns="urn:sap-com:document:sap:rfc:functions" targetNamespace="urn:sap-com:document:sap:rfc:functions" elementFormDefault="unqualified" attributeFormDefault="qualified"><xsd:simpleType name="char60"><xsd:restriction base="xsd:string"><xsd:maxLength value="60"/></xsd:restriction></xsd:simpleType><xsd:element name="Z_TEST_WS_CONFIG"><xsd:complexType><xsd:sequence><xsd:element name="INPUT" minOccurs="0" type="tns:char60"/></xsd:sequence></xsd:complexType></xsd:element><xsd:element name="Z_TEST_WS_CONFIGResponse"><xsd:complexType><xsd:sequence><xsd:element name="OUTPUT" type="tns:char60"/></xsd:sequence></xsd:complexType></xsd:element></xsd:schema></wsdl:types><wsdl:message name="Z_TEST_WS_CONFIG"><wsdl:part name="parameters" element="tns:Z_TEST_WS_CONFIG"/></wsdl:message><wsdl:message name="Z_TEST_WS_CONFIGResponse"><wsdl:part name="parameters" element="tns:Z_TEST_WS_CONFIGResponse"/></wsdl:message><wsdl:portType name="Z_TEST_Q73_CONFIG_WS"><wsdl:operation name="Z_TEST_WS_CONFIG"><wsdl:input message="tns:Z_TEST_WS_CONFIG"/><wsdl:output message="tns:Z_TEST_WS_CONFIGResponse"/></wsdl:operation></wsdl:portType><wsdl:binding name="Z_TEST_Q73_CONFIG_WSSoapBinding" type="tns:Z_TEST_Q73_CONFIG_WS"><soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/><wsdl:operation name="Z_TEST_WS_CONFIG"><soap:operation soapAction=""/><wsdl:input><soap:body use="literal"/></wsdl:input><wsdl:output><soap:body use="literal"/></wsdl:output></wsdl:operation></wsdl:binding><wsdl:service name="Z_TEST_Q73_CONFIG_WSService"><wsdl:port name="Z_TEST_Q73_CONFIG_WSSoapBinding" binding="tns:Z_TEST_Q73_CONFIG_WSSoapBinding"><soap:address location="http://bsl8011.wdf.sap.corp:50073/sap/bc/srt/rfc/sap/Z_TEST_Q73_CONFIG_WS?sap-client=003"/></wsdl:port></wsdl:service></wsdl:definitions>
  Can anyone help me, I have no Idea
  Message was edited by: Hans-Peter Bauer

  The message server defined in the SAP-Logon is us4278.wdf.sap.corp
  But the url of the web service starts with  http://us4185:58500/wsnavigator/jsps/explorer.jsp?description=WebServiceZ_TEST_Q73_CONFIG_WS
  But I think that's not the problem, is it? As I mentioned above the test page can be shown, but the after filling in the input parameters an pressing send, there appears the authorisation error.
  For better illustration I made some screenshots for you:
  1) http://wipux2.wifo.uni-mannheim.de/~wi01211/sonstiges/WS_HOMEPAGE_OVERVIEW.gif
  2) http://wipux2.wifo.uni-mannheim.de/~wi01211/sonstiges/WS_HOMEPAGE_TEST_INPUT_FORM.gif
  3) http://wipux2.wifo.uni-mannheim.de/~wi01211/sonstiges/WS_HOMEPAGE_TEST_reqest_response.gif
  What can be wrong, if the error "n0:FailedAuthentication" appears?
  Regards,
  Peter
  Message was edited by: Hans-Peter Bauer

• Authority check failed in FT2

  I have tried to implement the PO create example as descriped in the document "Consuming Service Operations using SAP NetWeaver Studio". When I run the example I cannot create an order. I get the error "Authority check failed" when I try to run the example. I have entered the correct password, because, if the password is wrong I get a  (401) Unauthorized from the server.
  I have also tried to make a Webdynpro application which used the same service, with the same result.
  I have also tried with a collages user, which gave the same error.
  In the webgui for the FT2 system, it seems like the user does not have access to the PO create transaction (ME21).

  Hi,
  Which WAS should it be the I configured. The ESA or our own?
  I have configured our own WAS as described in the tutorial. Here I tried to set up the username and password and I was able to send the request.
  But I'm just accessing the test system and it is there I get the error.

• Protocol of failed authority check - analogue to SU53

  Hello
  I'm looking for way to retrieve the last failed authority check when a user interacts with a WDA application. Transaction SU53 seems not to protocol such failed authority checks when executed in WDA runtime.
  Thanks,
  Mathias

  s

• Help reg  authority-check

  Hi all,
  can anyone explain what this statement does.
  authority-check object 'Z_Abc_def'
    id 'ZAbc_defI' field '*'.
  Thanks in advance

  Check the sap provided help:
  here is an excerpt:
  AUTHORITY-CHECK
  Basic form
  AUTHORITY-CHECK OBJECT object
      ID name1  FIELD f1
      ID name2  FIELD f2
      ID name10 FIELD f10.
  Effect
  Explanation of IDs:
  object
  Field which contains the name of the object for which the authorization is to be checked.
  name1 ...
  Fields which contain the names of the
  name10
  authorization fields defined in the object.
  f1 ...
  Fields which contain the values for which the
  f10
  authorization is to be checked.
  AUTHORITY-CHECK checks for one object whether the user has an authorization that contains all values of f (see SAP authorization concept).
  You must specify all authorizations for an object and a also a value for each ID (or DUMMY).
  The system checks the values for the IDs by AND-ing them together, i.e. all values must be part of an authorization assigned to the user.
  If a user has several authorizations for an object, the values are OR-ed together. This means that if the CHECK finds all the specified values in one authorization, the user can proceed. Only if none of the authorizations for a user contains all the required values is the user rejected.
  If the return code value in SY-SUBRC is 0, the user has the required authorization and may continue.
  The return code value changes according to the different error scenarios. The return code values have the following meaning:
  4
  User has no authorization in the SAP System for such an action. If necessary, change the user master record.
  8
  Too many parameters (fields, values). Maximum allowed is 10.
  12
  Specified object not maintained in the user master record.
  16
  No profile entered in the user master record.
  24
  The field names of the check call do not match those of an authorization. Either the authorization or the call is incorrect.
  28
  Incorrect structure for user master record.
  32
  Incorrect structure for user master record.
  36
  Incorrect structure for user master record.
  If the return code value is 8 or 24, inform the person responsible for the program. If the return code value is 4, 12, 16 or 24, consult your system administrator if you think you should have the relevant authorization. In the case of errors 28 to 36, contact SAP because authorizations have probably been destroyed.
  Individual authorizations are assigned to users in their respective user profiles, i.e. they are grouped together in profiles which are stored in the user master record.
  Note
  Instead of ID name FIELD f, you can also write ID name DUMMY. This means that no check is performed for the field concerned.
  The check can only be performed on CHAR fields. All other field types result in 'unauthorized'.
  Example
  Check whether the user is authorized for a particular plant. In this case, the following authorization object applies:
  Table OBJ: Definition of authorization object
  M_EINF_WRK
     ACTVT
     WERKS
  Here, M_EINF_WRK is the object name, whilst ACTVT and WERKS are authorization fields. For example, a user with the authorizations
  M_EINF_WRK_BERECH1
     ACTVT 01-03
     WERKS 0001-0003 .
  can display and change plants within the Purchasing and Materials Management areas.
  Such a user would thus pass the checks
  AUTHORITY-CHECK OBJECT 'M_EINF_WRK'
      ID 'WERKS' FIELD '0002'
      ID 'ACTVT' FIELD '02'.
  AUTHORITY-CHECK OBJECT 'M_EINF_WRK'
      ID 'WERKS' DUMMY
      ID 'ACTVT' FIELD '01':
  but would fail the check
  AUTHORITY-CHECK OBJECT 'M_EINF_WRK'
      ID 'WERKS' FIELD '0005'
      ID 'ACTVT' FIELD '04'.
  To suppress unnecessary authorization checks or to carry out checks before the user has entered all the values, use DUMMY - as in this example. You can confirm the authorization later with another AUTHORITY-CHECK.
  Regards,
  ravi

• Reg:Authority Check object

  Dear All,
  I am calling two authority check object M_MATE_MAR  and M_MSEG_BMB in my report.
  Now for a user if i see the Role the second object  M_MSEG_BMB is maintained and the object M_MATE_MAR is not maintained.
  Now in my program for the object M_MATE_MAR(as it is not maintained),my sy-subrc is returning 12,hence check faing and for
  M_MSEG_BMB sy-subrc = 4 as check is failng.
  My requirement is the user should not see some movement types irrespective of the material ,
  If i pass a material in the selection screen report , movement type records are deleting fine along with that others are alos deleting becs of sy-subrc <> 0(sy-subrc = 12).so i get a blank report as output.
  so wht should be done in my case.
  Regards

  Hi Rajendra,
  When you hit F1 on the Authority-check,
  If Sy-subrc = 4, Authorization check not successful. One or several authorizations were indeed found for the authorization object in the user master record and they include the value sets, but not the values specified, or incorrect or too many authorization fields were specified.
  If Sy-subrc = 12, No authorization was found for the authorization object in the user master record.
  When Sy-subrc = 24, Incorrect authorization fields or an incorrect number of authorization fields was found. This return value is no longer set since Release 6.20. Up to Release 4.6 it is set only if the profile parameter "auth/new_buffering" has a value less than 3.
  When sy-subrc = 40, An invalid user ID has been entered in user.
  Hope it helps.
  Sujay

• Reg authority check

  Hi Everybody ,
  Can anyone send me the PPT for authority check .
  My mail id is [email protected]
  Regards ,
  Senthil .

  Hi,
  You can check in the below SAP link, this is having the Screen shots also ..
  http://help.sap.com/saphelp_46c/helpdata/en/5c/deaa74d3d411d3970a0000e82de14a/content.htm
  http://www.sapdevelopment.co.uk/security/authority/authhome.htm
  Regards
  Sudheer

• Java ME 8 Permission check failed when opening a serial port

  I have a larger Jave ME8.1 application that was going well until I tried to add one last piece, reading and writing data from a serial port. This was left to last because it is trivial, at least in most programming languages. The is IDE NetBeans 8.0.2 running on a Windows 7 PC. The platform is a Raspberry Pi B or B+ (I have tried both) with the most current Raspbian (12/24/2014 I believe). To simplify the process I created a new app with just the open and close code and this generates the same error I am experiencing in the larger application. The program is as follows:
  package javamecomapp;
  import java.io.IOException;
  import java.io.InputStream;
  import java.io.OutputStream;
  import java.util.logging.Level;
  import java.util.logging.Logger;
  import javax.microedition.io.CommConnection;
  import javax.microedition.io.Connector;
  import javax.microedition.midlet.MIDlet;
  * @author ****
  public class JavaMEcomApp extends MIDlet {
      static int BAUD_RATE = 38400;
      static String SERIAL_DEVICE = "ttyAMA0";
      static CommConnection commConnection = null;
      static OutputStream os = null;
      static InputStream is = null;
      static String connectorString;
      private int rtnValue = -1;
      @Override
      public void startApp() {
          java.lang.System.out.println("Opening comm port.");
          try {
              rtnValue = JavaMEcomApp.openComm();
          } catch (IOException ex) {
              Logger.getLogger(JavaMEcomApp.class.getName()).log(Level.SEVERE, null, ex);
      @Override
      public void destroyApp(boolean unconditional) {
          java.lang.System.out.println("Closing comm port.");
          try {
              rtnValue = JavaMEcomApp.closeComm();
          } catch (IOException ex) {
              Logger.getLogger(JavaMEcomApp.class.getName()).log(Level.SEVERE, null, ex);
          private static int openComm()throws IOException {
              java.lang.System.out.println("Opening comm port.");
              connectorString = "comm:" + SERIAL_DEVICE + ";baudrate=" + BAUD_RATE;
              commConnection = (CommConnection)Connector.open(connectorString);
              is  = commConnection.openInputStream();
              os = commConnection.openOutputStream();
          return 0;
      private static int closeComm()throws IOException {
          java.lang.System.out.println("Closing comm port.");
              is.close();
              os.close();
              commConnection.close();
          return 0;
  If I comment out the JavaMEcomApp.openComm and closeComm lines it runs fine. When they are included, the following error is dumped to the Raspberry Pi terminal:
  Opening comm port.
  Opening comm port.
  [CRITICAL] [SECURITY] iso=2:Permission check failed: javax.microedition.io.CommProtocolPermission "comm:ttyAMA0;baudrate=38400" ""
  TRACE: <at java.security.AccessControlException: >, startApp threw an Exception
  java.security.AccessControlException:
  - com/oracle/meep/security/AccessControllerInternal.checkPermission(), bci=118
  - java/security/AccessController.checkPermission(), bci=1
  - com/sun/midp/io/j2me/comm/Protocol.checkForPermission(), bci=16
  - com/sun/midp/io/j2me/comm/Protocol.openPrim(), bci=31
  - javax/microedition/io/Connector.open(), bci=77
  - javax/microedition/io/Connector.open(), bci=6
  - javax/microedition/io/Connector.open(), bci=3
  - javamecomapp/JavaMEcomApp.openComm(), bci=46
  - javamecomapp/JavaMEcomApp.startApp(), bci=9
  - javax/microedition/midlet/MIDletTunnelImpl.callStartApp(), bci=1
  - com/sun/midp/midlet/MIDletPeer.startApp(), bci=5
  - com/sun/midp/midlet/MIDletStateHandler.startSuite(), bci=246
  - com/sun/midp/main/AbstractMIDletSuiteLoader.startSuite(), bci=38
  - com/sun/midp/main/CldcMIDletSuiteLoader.startSuite(), bci=5
  - com/sun/midp/main/AbstractMIDletSuiteLoader.runMIDletSuite(), bci=130
  - com/sun/midp/main/AppIsolateMIDletSuiteLoader.main(), bci=26
  java.security.AccessControlException:
  - com/oracle/meep/security/AccessControllerInternal.checkPermission(), bci=118
  - java/security/AccessController.checkPermission(), bci=1
  - com/sun/midp/io/j2me/comm/Protocol.checkForPermission(), bci=16
  - com/sun/midp/io/j2me/comm/Protocol.openPrim(), bci=31
  - javax/microedition/io/Connector.open(), bci=77
  - javax/microedition/io/Connector.open(), bci=6
  - javax/microedition/io/Connector.open(), bci=3
  - javamecomapp/JavaMEcomApp.openComm(), bci=46
  - javamecomapp/JavaMEcomApp.startApp(), bci=9
  - javax/microedition/midlet/MIDletTunnelImpl.callStartApp(), bci=1
  - com/sun/midp/midlet/MIDletPeer.startApp(), bci=5
  - com/sun/midp/midlet/MIDletStateHandler.startSuite(), bci=246
  - com/sun/midp/main/AbstractMIDletSuiteLoader.startSuite(), bci=38
  - com/sun/midp/main/CldcMIDletSuiteLoader.startSuite(), bci=5
  - com/sun/midp/main/AbstractMIDletSuiteLoader.runMIDletSuite(), bci=130
  - com/sun/midp/main/AppIsolateMIDletSuiteLoader.main(), bci=26
  Closing comm port.
  Closing comm port.
  TRACE: <at java.lang.NullPointerException>, destroyApp threw an Exception
  java.lang.NullPointerException
  - javamecomapp/JavaMEcomApp.closeComm(), bci=11
  - javamecomapp/JavaMEcomApp.destroyApp(), bci=9
  - javax/microedition/midlet/MIDletTunnelImpl.callDestroyApp(), bci=2
  - com/sun/midp/midlet/MIDletPeer.destroyApp(), bci=6
  - com/sun/midp/midlet/MIDletStateHandler.startSuite(), bci=376
  - com/sun/midp/main/AbstractMIDletSuiteLoader.startSuite(), bci=38
  - com/sun/midp/main/CldcMIDletSuiteLoader.startSuite(), bci=5
  - com/sun/midp/main/AbstractMIDletSuiteLoader.runMIDletSuite(), bci=130
  - com/sun/midp/main/AppIsolateMIDletSuiteLoader.main(), bci=26
  java.lang.NullPointerException
  - javamecomapp/JavaMEcomApp.closeComm(), bci=11
  - javamecomapp/JavaMEcomApp.destroyApp(), bci=9
  - javax/microedition/midlet/MIDletTunnelImpl.callDestroyApp(), bci=2
  - com/sun/midp/midlet/MIDletPeer.destroyApp(), bci=6
  - com/sun/midp/midlet/MIDletStateHandler.startSuite(), bci=376
  - com/sun/midp/main/AbstractMIDletSuiteLoader.startSuite(), bci=38
  - com/sun/midp/main/CldcMIDletSuiteLoader.startSuite(), bci=5
  - com/sun/midp/main/AbstractMIDletSuiteLoader.runMIDletSuite(), bci=130
  com/sun/midp/main/AppIsolateMIDletSuiteLoader.main(), bci=26
  I have tried this with three different serial ports, /dev/ttyAMA0 (yes I did disable the OS from using it), an arduino board /dev/ttyACM0, and a USB to RS485 adaptor /dev/ttyUSB0. All of these ports could be connected and use normally with both a C program and terminal program in the Pi. The API Permissions were set in the project properties / Application Descriptor / API Permissions to jdk.dio.DeviceMgmtPermission "/dev/ttyAMA0". This of course was changed as I tested different devices.
  I found a reference suggesting adding the line "authentication.provider = com.oracle.meep.security.NullAuthenticationProvider" to the end of the jwc_properties.ini file. This had no effect. I found references that during development in eclipse and NetBeans, the app is already elevated to the top level so this should not be an issue until deployment. This does not appear to be the case.
  I am out of time and need a solution quickly. Any suggestions are welcome.

  Terrence,
     Thank you for responding and confirming the issues I'm having with static addressing.  As far as the example above, I do have the standard LEDs working correctly, however, the example I'm referring to above is from the JavaME samples using the GPIO Port for the LEDS, according to the Device I/O Preconfigured List you referenced:
  GPIO Ports
  The following GPIO ports are preconfigured.
  Devicel ID
  Device Name
  Mapped
  Configuration
  8
  LEDS
  PTB22
  PTE26
  PTB21
  direction = 1 (Output only)
  initValue = 0
  GPIOPins:
  controllerNumber = 1
  pinNumber = 22
  mode = 4 (Push-pull mode)
  controllerNumber = 4
  pinNumber = 26
  mode = 4 (Push-pull mode)
  controllerNumber = 1
  pinNumber = 21
  mode = 4 (Push-pull mode)
  So is the assumption that using GPIOPort for accessing the GPIO port for Device ID 8 as listed in the Device I/O Preconfigured list not supported?

• EMC - Certificate status could not be determined because revocation check failed.

  I've exhausted my resources on this issue and am reaching out for some assistance. I have setup Server 2008 R2 Enterprise SP1, running Exchange 2010 SP1. In EMC I have successfully imported a GoDaddy SSL certificate. Although I am receiving the message -
  "The certificate status could not be determined because the revocation check failed."
  Here are the steps I've taken to troubleshoot this so far:
  [PS] C:\Users\Administrator\Desktop>netsh winhttp show proxy
  Current WinHTTP proxy settings:
  Direct access (no proxy server).
  As you can see, direct access. Which is true, no proxy's on this network.
  For good measure, I'll dump the urlcache.
  certutil -urlcache ocsp delete
  certutil -urlcache crl delete
  Both return 0, reboot server.
  Comes back up, same message in EMC.
  From PS, I test exactly what its getting from GoDaddy.
  [PS] C:\Users\Administrator\Desktop>certutil -f -urlfetch -verify mail.fluxlabs.net.crt
  Issuer:
  SERIALNUMBER=07969287
  CN=Go Daddy Secure Certification Authority
  OU=http://certificates.godaddy.com/repository
  O=GoDaddy.com, Inc.
  L=Scottsdale
  S=Arizona
  C=US
  Subject:
  CN=mail.fluxlabs.net
  OU=Domain Control Validated
  O=mail.fluxlabs.net
  Cert Serial Number: 27b60918638e0d
  dwFlags = CA_VERIFY_FLAGS_ALLOW_UNTRUSTED_ROOT (0x1)
  dwFlags = CA_VERIFY_FLAGS_IGNORE_OFFLINE (0x2)
  dwFlags = CA_VERIFY_FLAGS_FULL_CHAIN_REVOCATION (0x8)
  dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
  dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
  ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN (0x20000000)
  HCCE_LOCAL_MACHINE
  CERT_CHAIN_POLICY_BASE
  -------- CERT_CHAIN_CONTEXT --------
  ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
  ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
  SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
  SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
  CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000040
  Issuer: SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=S
  cottsdale, S=Arizona, C=US
  NotBefore: 8/20/2011 7:49 PM
  NotAfter: 8/20/2012 7:16 PM
  Subject: CN=mail.fluxlabs.net, OU=Domain Control Validated, O=mail.fluxlabs.net
  Serial: 27b60918638e0d
  SubjectAltName: DNS Name=mail.fluxlabs.net, DNS Name=www.mail.fluxlabs.net
  33 49 57 5d 6e d8 6b aa b9 61 73 95 44 07 c9 2e 55 6e 47 10
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
  Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
  ---------------- Certificate AIA ----------------
  Verified "Certificate (0)" Time: 4
  [0.0] http://certificates.godaddy.com/repository/gd_intermediate.crt
  ---------------- Certificate CDP ----------------
  Expired "Base CRL (05)" Time: 4
  [0.0] http://crl.godaddy.com/gds1-55.crl
  ---------------- Base CRL CDP ----------------
  No URLs "None" Time: 0
  ---------------- Certificate OCSP ----------------
  Expired "OCSP" Time: 4
  [0.0] http://ocsp.godaddy.com/
  CRL (null):
  Issuer: CN=Go Daddy Validation Authority, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US
  e5 53 19 6c 54 87 8c 62 23 1b b9 11 e1 d8 3d 3f b2 04 77 3f
  Issuance[0] = 2.16.840.1.114413.1.7.23.1
  Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication
  Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication
  CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0
  Issuer: OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US
  NotBefore: 11/15/2006 8:54 PM
  NotAfter: 11/15/2026 8:54 PM
  Subject: SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=
  Scottsdale, S=Arizona, C=US
  Serial: 0301
  7c 46 56 c3 06 1f 7f 4c 0d 67 b3 19 a8 55 f6 0e bc 11 fc 44
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ---------------- Certificate AIA ----------------
  No URLs "None" Time: 0
  ---------------- Certificate CDP ----------------
  Verified "Base CRL" Time: 4
  [0.0] http://certificates.godaddy.com/repository/gdroot.crl
  ---------------- Base CRL CDP ----------------
  No URLs "None" Time: 0
  ---------------- Certificate OCSP ----------------
  Expired "OCSP" Time: 4
  [0.0] http://ocsp.godaddy.com
  CRL (null):
  Issuer: OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US
  da 1e d5 63 5c 05 58 50 4e db d2 4e e8 9d 28 9d c4 36 b3 1e
  Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication
  Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication
  Application[2] = 1.3.6.1.5.5.7.3.4 Secure Email
  Application[3] = 1.3.6.1.5.5.7.3.3 Code Signing
  CertContext[0][2]: dwInfoStatus=109 dwErrorStatus=0
  Issuer: OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US
  NotBefore: 6/29/2004 12:06 PM
  NotAfter: 6/29/2034 12:06 PM
  Subject: OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US
  Serial: 00
  27 96 ba e6 3f 18 01 e2 77 26 1b a0 d7 77 70 02 8f 20 ee e4
  Element.dwInfoStatus = CERT_TRUST_HAS_EXACT_MATCH_ISSUER (0x1)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ---------------- Certificate AIA ----------------
  No URLs "None" Time: 0
  ---------------- Certificate CDP ----------------
  No URLs "None" Time: 0
  ---------------- Certificate OCSP ----------------
  No URLs "None" Time: 0
  Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication
  Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication
  Application[2] = 1.3.6.1.5.5.7.3.4 Secure Email
  Application[3] = 1.3.6.1.5.5.7.3.3 Code Signing
  Exclude leaf cert:
  b1 04 4b 90 a1 d3 48 de 46 bd d7 50 20 e3 44 b8 3f 68 39 f7
  Full chain:
  68 36 4d 37 2e 96 bd d2 aa 77 3f d0 e8 78 a9 e6 68 bd 7d 71
  Verified Issuance Policies:
  2.16.840.1.114413.1.7.23.1
  Verified Application Policies:
  1.3.6.1.5.5.7.3.1 Server Authentication
  1.3.6.1.5.5.7.3.2 Client Authentication
  Cert is an End Entity certificate
  ERROR: Verifying leaf certificate revocation status returned The revocation function was unable to check revocation because the revocation server was
  offline. 0x80092013 (-2146885613)
  CertUtil: The revocation function was unable to check revocation because the revocation server was offline.
  CertUtil: -verify command completed successfully.
  As you can see, the "revocation server is offline."
  So I run the same test from another server on the LAN.
  Verified Issuance Policies:
  2.16.840.1.114413.1.7.23.1
  Verified Application Policies:
  1.3.6.1.5.5.7.3.1 Server Authentication
  1.3.6.1.5.5.7.3.2 Client Authentication
  Cert is an End Entity certificate
  Leaf certificate revocation check passed
  CertUtil: -verify command completed successfully.
  It passes. The server's firewall has been disabled. DNS cache has been cleared. I have verified everything I can, and still failing to verify.

  [PS] C:\Users\Administrator\Desktop>Get-ExchangeCertificate |fl
  AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.Acces
  trol.CryptoKeyAccessRule}
  CertificateDomains : {mail.fluxlabs.net, www.mail.fluxlabs.net}
  HasPrivateKey : True
  IsSelfSigned : False
  Issuer : SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy
  , Inc.", L=Scottsdale, S=Arizona, C=US
  NotAfter : 8/20/2012 7:16:57 PM
  NotBefore : 8/20/2011 7:49:30 PM
  PublicKeySize : 2048
  RootCAType : ThirdParty
  SerialNumber : 27B60918638E0D
  Services : IMAP, POP, IIS, SMTP
  Status : RevocationCheckFailure
  Subject : CN=mail.fluxlabs.net, OU=Domain Control Validated, O=mail.fluxlabs.net
  Thumbprint : 3349575D6ED86BAAB96173954407C92E556E4710
  [PS] C:\Users\Administrator\Desktop>Enable-ExchangeCertificate -Thumbprint 3349575D6ED86BAAB96173954407C92E556E4710 -Services POP,IMAP,SMTP,IIS
  The command has already been executed. Yes, I have seen those sites. Neither have worked. Like I said, it is directly connected; and no proxies are set.
  -- Jeremy MCSpadden Flux Labs

• AUTHORITY-CHECK & customized program

  Hi,
  I've applied an authority-check to my customized program. What I did was, I've created an authorization object name 'ZFI_PGRM' in SU21 and tie it with authorization fields BUKRS, ACTVT. This authority-check will validate on the company code (BUKRS) entered from the selection screen. Below are my lines in the customized program :
  DATA: text      TYPE string,
            m_text  TYPE string.
  text = 'You are not authorised for Company Code'.
  DATA: t_t001 LIKE t001 OCCURS 0 WITH HEADER LINE..
  SELECT * FROM t001
         INTO TABLE t_t001
               WHERE bukrs IN s_bukrs.
  LOOP AT t_t001.
    AUTHORITY-CHECK OBJECT 'ZFI_PGRM'
        ID 'BUKRS' FIELD t_t001-bukrs
        ID 'ACTVT' FIELD '03'.
    IF sy-subrc <> 0.
      CONCATENATE text t_t001-bukrs INTO m_text SEPARATED BY space.
    ENDIF.
  ENDLOOP.
  At the same time BASIS tie the autorization object 'ZFI_PGRM' to the user role in order to access the program using PFCG. The problem now is the result that I'm getting always SY-SUBRC = 12 eventhough the user is allowed to access the company's report. Please help...
  Haryati

  Run transaction SU53 after the auth check fails and maybe it will give you a clue as to what is going on.

• User role and Authority-check ?

  Hello,
  Could you please let me know how are the differences between User role and Authority-check. In a program I do not use Authority-check , And The user is not assigned to user role which contain this transaction ( for this program), Can the user execute this transaction OR he must be assigned to user role which contain this transaction to execute it . Supposing that we do not use any Authority-check in then program.
  Thanks in advance

  Hello Martin,
  I think this answers the OP's question about user not being assigned the role which contains the trxn code. As you have explained in this case the default auth. check for S_TCODE will fail & user cannot execute the trxv. (If i remember correctly the tables for this are AGR_USERS & AGR_TCODES)
  Anyways just to add to the OP's query. Auth. objects are added to profiles which in turn assigned to roles. So if you implement the auth. object in your program the user must also subscribe to the role containing the auth. obj. profile to be able to execute it.
  @OP:
  The transactions PFCG & SUIM might interest you. Also the tables dealing with these stuffs begin with AGR*. You can check the tables for better understanding.
  BR,
  Suhas

• Analize authority checks in web dynpro processing

  Hi,
  I'm facing strange things here.
  A user was reported not to be able to successfully use a function provided in our system:
  We provide a function for use of our call center agents that will reprocess and output document and send it by mail to the customer. It looks as if it worked but the mail is not sent.
  I started SE80 with my own user and put some external breakpoints in the webdynpro code for the agents username. Then I started the webdynpro application by entering the URL into the browser and logging in with the agent's credentials.
  On my first try, the debugger started ehen the external breakpoint was reached. SY-UNAME was the agent's name but everything went fine.
  Obviously the authority checks where done for my own user although there was a different sy-uname.
  I logged off completely and started a second time. I used my owner user to set the external breakpoints because the agent's user has no rights for development, just restricted to a couple of roles.
  This time I got a rabax state error - the dump was caused because the agent's user does not have authority for debug. The rabax error shoed me the call hierarchy and pointed to the method where I set the external breakpoint.
  So, is the any way to come close to the code where authorization check fails?
  Or - which we could try: What are the roles/profiles for use of SAPOFFICE? (in SU53, we can see failed checks, but it looks strange as there are failed authority-checks for ...ADMIN - dont know exactly because now I', home and don't have remote access).
  Good ideas always welcome!
  Note: Nobody knows why this function is implemented in Webdynpro but we have to live with it and get it working for this group of agents.
  Regards
  Clemens

  Traditionally I would probably have used ST01 with the "Authorization check" option and general filters to log which authority checks are working / failing.
  But now I quite like using ST05 (SQL Trace) instead as drilldown to the code is available ... you can tick the "Buffer Trace" option and "Activate Trace with Filter" to log the other user's calls - this will then display lots of references to tables USOBX_C and USRBF2 - drilling to the code on these usually gives you the "authority-check object 'xyz' .." details.
  Jonathan

• ICF Connector Must Understand check failed

  We are building an ICF connetor, and need to send the user credential and timestamp using WS-Security. We have created a project in JDeveloper. And after deployed it and tested in OIM EM console, we got the error message: oracle.sysman.emSDK.webservices.wsdlapi.SoapTestException: Client received SOAP Fault from server : Must Understand check failed for headers.
  The options we have tried is adding a ws-security policy in composite.xml and adding username and password for binding properties and the protocol used is SOAP 1.2.

  Hi Delhi,
  I saw the note 1161907.1, but It applies for Child OU creation.
  In our case the pObjDN is incomplete.

• Authority Check on B_USERSTAT not working

  Hi Gurus,
  I have a simple question on authority check that I cant quite understand.
  Basis has created auth key : ZWP_CCS, where by user with the auth key can create,change, delete.
  so, in my code, I have implemented the following. However, it seems that all user, even though from different auth key can still pass thru. Is there something that I miss? Thanks.
      AUTHORITY-CHECK OBJECT 'B_USERSTAT'
               ID 'ACTVT' FIELD '02'
               ID 'BERSL' FIELD 'ZWP_CCS'
               ID 'STSMA' FIELD 'ZS_IRC'.
  Edited by: Julius Bussche on Jan 1, 2009 1:32 PM
  More meaningfull subject title added.

  Hi
  use without qoutes if it is a variable .
  AUTHORITY-CHECK OBJECT 'B_USERSTAT'
  ID 'ACTVT' FIELD '02'
  ID 'BERSL' FIELD ZWP_CCS
  ID 'STSMA' FIELD ZS_IRC.
  and
  if sy-subrc <> 0.
  message " error ".
  endif.
  reg
  Ramya
  Edited by: Ramya S on Dec 31, 2008 5:43 AM