SAP BW User getting locked by BO RFC calls

Similar Messages

• Impact of J2EE_ADMIN / Administrator user getting locked

  Hi,
  What is the impact of J2EE_ADMIN / Administrator user getting locked in abap / java engines?  Will it effect startup of java server processes or java applications?  What are the other implications?
  Thanks,
  Abdul

  Hi Abdul,
  if the J2EE_ADMIN or Administrator user is locked then
  1. you cannot login to Visual Admin unless you define some other user with same authorization.
  2. any Jco-RFC using this user won't work.
  3. if you don't have any other user, you will have to activate SAP* user to unlock this user.
  Thanks,
  Sandeep

• User gets locked by an external system but which one?

  Hi,
  In an abap system, we have changed the password of our administration user. Afterwards, this user gets locked every 5 minutes, obviously because the user and old password has been used to set up communication from another system to the abap system. An RFC connection for instance or whatever. Sure it is possible to check all the systems you can think of to see if the user has been used for such a purpose. But how can you see in the system itself where the call comes from that locks it? I have tried the gateway tracefile but without success. Any suggestions?
  Regards,
  GK

  Hello,
  I would try transaction STAD.
  There you should find entries of type RFC with your user.
  If you double-click on the line, you get the details. Click on the RFC button.
                                as Client             as Server
  No. of targets                   0                     1
  Click on the highlighted 1 under "as server".
  You should get the needed info : the remote destination
  Target         TEST_DEV
  User ID        TESTOC
  RFC Caller     OCHRETIE
  Local  destin. bt1suk17v1_DEV_02                IP address xx.xx.xx.xx
  Remote destin. bt1suk16v1_DXI_68                IP address yy.yy.yy.yy
  Hope this helps
  Olivier

• User gets locked in lesser attempts than security policy setting

  Hi
  I have written my customized login code to login a user to the
  portal and I user the following code:
  IUser myUser = UMFactory.getUserFactory().getUserByLogonAlias(username, null);
  IUserAccountFactory accountFactory = UMFactory.getUserAccountFactory();
  IUserAccount account = accountFactory.getUserAccountByLogonId(myUser.getUniqueName());
  ILogonAuthentication ILA = UMFactory.getLogonAuthenticator();
  req.setAttribute(JUSER,myUser.getUniqueName());
  req.setAttribute(JPASSWORD,password);
  ILA.logon(req,res,AUTHSCHDEFAULT);     
  I notice that whenever I try to logon using my code with a
  wrong password, the user gets locked in 3 attemps even though the security policy
  (at ABAP and in Portal UME Configuration) setting for number of failed attempts is set to 5.
  (Although, please note that my code works fine logging the
  user into the portal when he enters the correct password)
  I try to check if the same thing happens with the standard logon module - com.sap.portals.runtime.logon,
  and notice that it locks correctly after 5 attempts.
  Would I have to add anything else in my code to make it work
  correctly?
  Thanks
  oj

  Hi All
  I tried to check in the CUA table the incorrect logon attempts value, and noticed that for every time I login (using my above code) with the wrong password, it increments the count by 2!! And that's the reason it gets locked out by the third time.
  What am I doing wrong?
  Thanks
  OJ

• User getting locked while sending message sync via BPM. Please help

  Hi Experts,
     I have a sync - sync scenario where I am sending data synchronously from webservice to a sync RFC FM. I am using BPM and in BPM I have three steps
  1. Receive step - Opens Sync-Async Bridge
  2. Sync Send step
  3. Send step - Closes SYnc-Async bridge.
  This BPM solution is same as that give in the blog https://www.sdn.sap.com/irj/sdn/weblogs?blog=/pub/wlg/1403 [original link is broken] [original link is broken] [original link is broken]
  When I test this scenario I am getting
  <SAP:Error xmlns:SAP="http://sap.com/xi/XI/Message/30" xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/" SOAP:mustUnderstand="1">
  <SAP:Category>XIServer</SAP:Category>
  <SAP:Code area="INTERNAL">PL_TIMEOUT</SAP:Code>
  <SAP:P1 />
  <SAP:P2 />
  <SAP:P3 />
  <SAP:P4 />
  <SAP:AdditionalText />
  <SAP:ApplicationFaultMessage namespace="" />
  <SAP:Stack>Timeout condition of pipeline reached</SAP:Stack>
  <SAP:Retry>N</SAP:Retry>
  </SAP:Error>
  When I check the "Status monitor for Sync/Async communication" via SXMB_MONI, I found that my message is listed there with BPE status = "Wait".
  On double clicking my message I found that there is an error " User is locked. Please notify the person responsible".
  Why is my BPE struck in "Wait" stage and user is locked?
  What am I doing wrong? Am I missing any settings in SOAP sender communication channel?
  Please help me in resolving this problem.
  Regards
  Gopal

  Hi,
  Few months ago we had also problems with "locked user" in XI, in our case XIAPPLUSER was sometimes (b)locked.
  Perhaps note:
  721548 Changing the passwords of the XI 3.0 service users
  will help you.
  We removed and entered the service users again, with the password in CAPITALS and language blank.
  After that our problem was solved, I hope yours too.
  Regards
  Jack

• SLD User gets locked; four unsuccessful logons every 15 minutes

  I have a landscape with a PI with the SLD on it. I defined a user with the name SLDUSER and the appropriate authorizations. The PI is a Unicode system, like all systems in the landscape.
  There were already some application servers (CRM, Banking Services, Composition Environment) connecting to this SLD and everything went fine.
  Now I added another application server, an ERP, for FI-CAx (NW 7.02). As the business partners are distributed via XI through the PI system, the ERP needs to connect to the SLD, too.
  I set it up as usual:
  - sldapicust: host, port, SLDUSER, password. (What is weird is that there is no test button as in all the other systems ... maybe that depends on the installed EhPs.)
  - This generated the destinations (type T = TCP/IP) SLD_UC and SLD_NUC automatically.
  - I created destinations SAPSLDAPI and LCRSAPRFC manually in sm59, type T = TCP/IP, set them to Unicode, entered the same (two different) Registered Server Programs that are used in these destinations on all the other servers (CRM, PI, BaS).
  - I ran rz70, entered the host and gateway, activated, executed the data collection.
  SLDCHECK runs successfully on the ERP system!
  The technical system for the BS1 showed up in the SLD as expected.
  - I configured the clients / business systems on the SLD.
  Now begins the problem. The SLDUSER is now getting locked all the time! It's definitely the ERP system causing it - when I prevent it from accessing the PI (by changing the hosts file on the operating system), the problem stops.
  I activated everything critical related to logons and RFCs in sm19 and looked at the logs in sm20. This is what it looks like:
  17.08.2011     19:40:04     BNK_RFC     ilbnkpi1          SAPMSSY1     Password check failed for user SLDUSER in client 001
  17.08.2011     19:40:04     BNK_RFC     ilbnkpi1          SAPMSSY1     Logon Failed (Reason = 1, Type = U)
  17.08.2011     19:40:04     BNK_RFC     ilbnkpi1          SAPMSSY1     Password check failed for user SLDUSER in client 001
  17.08.2011     19:40:04     BNK_RFC     ilbnkpi1          SAPMSSY1     Logon Failed (Reason = 1, Type = U)
  17.08.2011     19:40:04     BNK_RFC     ilbnkpi1          SAPMSSY1     Password check failed for user SLDUSER in client 001
  17.08.2011     19:40:04     BNK_RFC     ilbnkpi1          SAPMSSY1     Logon Failed (Reason = 1, Type = U)
  17.08.2011     19:40:04     BNK_RFC     ilbnkpi1          SAPMSSY1     Password check failed for user SLDUSER in client 001
  17.08.2011     19:40:04     BNK_RFC     ilbnkpi1          SAPMSSY1     Logon Failed (Reason = 1, Type = U)
  17.08.2011     19:55:04     BNK_RFC     ilbnkpi1          SAPMSSY1     Password check failed for user SLDUSER in client 001
  17.08.2011     19:55:04     BNK_RFC     ilbnkpi1          SAPMSSY1     User SLDUSER Locked in Client 001 After Erroneous Password Checks
  17.08.2011     19:55:04     BNK_RFC     ilbnkpi1          SAPMSSY1     Logon Failed (Reason = 1, Type = U)
  17.08.2011     19:55:04     BNK_RFC     ilbnkpi1          SAPMSSY1     Logon Failed (Reason = 53, Type = U)
  17.08.2011     19:55:05     BNK_RFC     ilbnkpi1          SAPMSSY1     Logon Failed (Reason = 53, Type = U)
  17.08.2011     19:55:05     BNK_RFC     ilbnkpi1          SAPMSSY1     Logon Failed (Reason = 53, Type = U)
  And it goes on like this. So what happens is this: Every 15 minutes, at :10, :25, :40, :55, there are four unsuccessful logons with SLDUSER. With the fifth logon it gets locked.
  Again:
  - This stops when I make the PI inaccessible to the ERP.
  - SLDCHECK still works completely fine in ERP - until the SLDUSER is locked, of course; then it stops working in all connected systems. It does not result in unsuccessful logons on the PI.
  - When I run rz70 on the ERP and run the data collection this also reports success and does not create unsuccessful logons on the PI.
  - I have not used the SLDUSER in any other locations besides sldapicust.
  So what the hell is wrong with this system?!

  I have created a separate user SLDUSER_ER1 just for use in the sldapicust in the new ERP system that causes the problem. Still SLDUSER is getting locked (not SLDUSER_ER1)!
  I powered down this ERP system ER1, just to make absolutely sure it is causing the problem - indeed the unsuccessful logon attempts every 15 minutes stopped right away.
  As a workaround and for narrowing down the problem I have created separate users SLDUSER_CR1 etc. for each of the other systems in the landscape (CRM and so on) - indeed those do not get any unsuccessful logon attempts.
  I have deleted all four SLD-related destinations in ER1 and recreated them from scratch (SLD_NUC and SLD_UC being generated when running rz70). I also used the "delete all batch jobs" button in rz70.
  Still, SLDUSER is getting locked.
  I checked on the PI system in C:\usr\sap\PI1\DVEBMGS00\j2ee\cluster\server0\log\system\httpaccess\responses_00.0.trc and see it is indeed the IP of the ERP system that gets the error 401 exactly at the times when the unsuccessful logon attempts occur:
  [Oct 2, 2011 2:46:06 PM   ] - 10.26.83.234 : POST /sld/cimom HTTP/1.1 401 1499 [140]
  [Oct 2, 2011 2:46:06 PM   ] - 10.26.83.234 : POST /sld/cimom HTTP/1.1 401 1499 [79]
  [Oct 2, 2011 2:46:06 PM   ] - 10.26.83.234 : POST /sld/cimom HTTP/1.1 401 1499 [62]
  [Oct 2, 2011 2:46:06 PM   ] - 10.26.83.234 : POST /sld/cimom HTTP/1.1 401 1499 [47]
  As the ERP has no Java instance and the sldapicust does not contain the SLDUSER (but the new SLDUSER_ER1) it is a mystery to me what it is that is still running every 15 minutes in the ERP and tries to use SLDUSER.
  I went through the entries in SECSTORE and could not find any use of SLDUSER (only of SLDUSER_ER1, as it should be).
  Edited by: Monika Eggers on Oct 2, 2011 3:08 PM

• CUA SU10 issue with users getting locked

  I did some role change using SU10 on CUA central system for 200 users. 45 of the users got locked with global admin lock in the child system for which I made the role changes.  These user locks are shown in the child system change documents log as changes by the CUA RFC user. I have this problem everytime I use su10. Why does this happen?  What can I do about it? Thanks, KT

  Hi Todd,
  propably you have some inconsistencies in your landscape....
  the cause of such 'unwanted' effects is the fact that if you change a user in your CUA central system, the whole user information is picked, then edited with you changes and afterwards distributed to all child systems.
  So what I could imagine in your example is as follows:
  User has a global lock in central system already, the particular child system did not have that information (user is still unlocked there). Several causes are possible, for instance the lock idoc did not get processed, Child system was not available/connected to CUA when the lock had been set,......).
  At the next update of that user (assign a role), the lock information from the central system is pushed to that child.
  Why?
  Because the design is to assure data consistency between central and child system. Therefore all the user information from central system is pushed to child at any user change. (that is also why you will see in SCUL 3 idocs for each user change (also user and profile idocs are pushed, even if you have changed the role assignement only).
  So what you could check is, if that users got the lock flag (128) already in the past somewhen.
  b.rgds, Bernhard

• J2EE_ADMIN user getting locked frequently

  Hi SAP Guru's,
  The user J2EE_ADMIN in our nw2004s system is getting locked frequently. We have changed the password of this user in ABAP via SU01 & in JAVA in the secure store via configtool. The server was re-booted after doing these changes. Still the user J2EE_ADMIN is getting locked frequently. Also in SM21, we have a log <b>"J2EE_ADMIN locked due to incorrect logon"</b> for this locking which mentions the user as SAPJSF (Communication user between ABAP & JAVA).
  Is there a possibility that SAPJSF is locking the user J2EE_ADMIN ?? how & why ??
  Any help on this will be highly appreciated.
  Thanks,
  Sanjeev.

  have you solve this issue? we have the same!
  every half hour (xx:51:00 and xx:29:00), the J2EE_ADMIN user is locked by user SAPJSF transaction KRNL from the local host (terminal).
  We have changed the pass in secure store in configtool to the pass we used in abap.
  In "Visual Administrator" "Cluster>Server>Services-->Security Provider" the user have a checked box at "No password change required"
  We searched for other places with a wrong pass (Jco Connections = no J2EE_ADMIN used, SLD = no J2EE_ADMIN used), but found nothing.
  need help pls.
  regards
  chris

• User getting Locked after 1 day

  Hi All,
  I am facing an issue...a particular user in our SAP ECC 5.0 system is getting locked after every one day, I checked the configuration in SU01 but everything seems to be fine there.
  Please help regarding this issue.
  Thanks in Advance
  Regards,
  Prashant.

  Dear Prashant,
  Have you activated user trace.If yes then monitor that user ID.It wont be possible that only 1 particular user is getting locked (correct me if I am wrong).There can be a possibility that somebody is deliberately entering wrong password for his ID any other terminal.
  If you have activated user trace then you can easily monitor that user ID and even the terminals from where his ID has been accessed.
  PS: I might be wrong,so please update me with the latest.
  Regards,
  Ashutosh

• APPS USER GETTING LOCK

  After changing password of APPS user, while accessing application, 'APPS' user is getting lock. Checked that 'password' of 'APPS_TO_APPS' and 'EDW_APPS_TO_WH' did not changed.
  Ran Autoconfig -still account is getting lock.

  Pl see if that APPS database account has a profile set. I believe ATG RUP4 add a profile to the APPS database account and after x number of unsuccessful logins, it locks the account, making the instance unusable. See ML Note 556761.1 that describes a related issue. If a profile is indeed set for the APPS account, pl remove it.
  HTH
  Srini

• Error in starting SAP GUI as part of an Java RFC call from a PC

  Hi,
  We are on the 4.6C version of SAP and have the latest basis kernel patches that allow an RFC connection to start the SAP GUI. The program that I am running externally is java using the 3.0.1 JCo. The OS of the PC I am using is Windows XP. The SAPGUI version is 7.10 patch level 11.
  The program seems to be working properly as the command prompt window goes grey as if there is another window being opened but then I get back this error message and I do not see the GUI.
  The message I am getting back is:
  Exception in thread "main" com.sap.conn.jco.JCoException:(136) JCO_ERROR_ILLEGAL_STATE:Launching SAP GUI failed, though it was requested(error message:Communication with SAPGUI timed out)
  at com.sap.conn.jco.rt.MiddlewareJavaRfc$JavaRfcClient.startSAPGui(MiddlewareJavaRfc.java:1853)
  at com.sap.conn.jco.rt.MiddlewareJavaRfc$JavaRfcClient.connect(MiddlewareJavaRfc.java:1285)
  at com.sap.conn.jco.rt.ClientConnection.connect(ClientConnection.java:661)
  at com.sap.conn.jco.rt.PoolingFactory.init(PoolingFactory.java:103)
  at com.sap.conn.jco.rt.ConnectionManager.createFactory(ConnectionManager.java:171)
  at com.sap.conn.jco.rt.DefaultConnectionManager.createFactory(DefaultConnectionManager.java:44)
  at com.sap.conn.jco.rt.ConnectionManager.getFactory(ConnectionManager.java:160)
  at com.sap.conn.jco.rt.RfcDestination.initializ(RfcDestination.java:766)
  at com.sap.conn.jco.rt.RfcDestination.getSystemID(RfcDestination.java:794)
  at com.sap.conn.jco.rt.RepositoryManager.getRepository(RepositoryManager.java:32)
  at com.sap.conn.jco.rt.RfcDestination.getRepository(RfcDestination.java:865)
  at GISToSAPWO_Test.get_wo_call(GISToSAPWo.java:91)
  at GISToSAPWO_Test.main(GISToSAPWO_Test.java:206)
  I have been all over trying to find the solution to this and have come up empty. Any help will be greatly appreciated. If this is the wrong forum for this please let me know and I will re-post.
  Thank you in advance for any information you can pass on about the issue,
  Mark

  Hi Greetson,
  Thank you in advance for your response. It is greatly appreciated.
  1) In a way yes. I am using the connection setting USE_SAPGUI = 1. This is suppose to start the GUI prior to starting the RFC's program run. If this is not correct please let me know.
  2) The code is part of the JCo and the RFC library from what I have read. If this is not correct please let me know.
  3) I am only testing from my PC at this moment. I have re-installed my SAP GUI and am now at patch level 13 on 7.10.
  4) The application passes in the connection information which includes username and password along with the parameters for the RFC call. I would like the SAP GUI to open without the user having to re-enter his/her username and password. I thought that once the RFC is called using the dialog users credentials that the GUI would then open using the connection. I have used the java pooled connection method and it still does not open the GUI.
  5) The purpose is to pass Equipment objects, Functional Location objects and Leak Id objects to an RFC to open a list screen from IW39, List Maintenance Order transaction, for display of each at one pass, as well as open Excel with data from classification for the Leak Id's.
  Hope this sheds some light on the problem I am having. Please let me know if more information is needed.
  Best regards,
  Mark

• Locking objects across RFC calls

  Hi All,
  I am developing a business application using SAP UI5 and the NetWeaver Service Gateway in an embedded scenario. I have RFCs build for the backend interaction. As per my knowledge, each RFC is considered as a separate transaction and the user is logged on and off as the RFC is processed. This removes the lock on the object that I need to be sustained till the next RFC call. Unlocking the object exposes it to possible editing by other users which is not desirable.
  From what I have studied from this community, there are, by and large, two solutions
  1. Custom Lock Table
  2. Checking if the status of the object  is the same during the second RFC call, and going ahead only if it was unchanged.
  However, I am looking for more credible solution to this problem and would like to know how someone who experienced this issue have handled it.
  Thanks in advance,
  Neelesh

  Hi Jacob
  S_RFC and S_SERVICE This two authorization is nedded while calling RFC module from R3.
  first of all test the module in R3. create a role using PFCG assign the tcode. su53 (authorization check) and also assign the S_RFC and S_SERVICE to role.
  now test the RFC function module with this role in R3.
  if u give any warning/error due to authorization. imediate run tcode su53 in same session or new session
  i.e /nsu53 or /osu53.
  look which authorization is missing for a object.
  assign the relevant object and authorization to role.
  any query revert back.
  regards,
  kaushal

• Get SSO Ticket from RFC call

  Hi,
  i want to connect  to a SAP Portal Webservice with a widget, after i used the SAP Widget Foundation to execute some RFC calls.
  I wonder if there is a possiblitity to get the mysapsoo2 ticket from the SAP RFC response, which i can use than for connecting to the portal.
  Thank you very much for your help!
  Best regards
  Jochen

  Hi Jochen,
  Are you wanting to make the service call directly from the Widget? Can you use the foundation for the service call and reuse the credentials from there?
  Regards
  John

• How to make one user get locked to edit when another user is editing??

  Dear friends,
  In the webdynpro application option is given to controll the editability of the UI elements using edit button.When the same application is logged in by another user for ex: B , he should get a prompt saying user A is editing the page.
  How to implement this ??and what is the best approach for this please advice.
  Thanks in advance.

  The best way I could think of and what we implemented is:
  Creatin a DB Lock Object around data which you want to work upon.
  Requesting a lock when some one opens up a session for editing, if granted then go in edit mode else go in display\ read only mode with a message.
  Release lock after save.
  Regards
  Manas Dua

• Storage Unit number in SAP is showing on SAP but user getting invalid trans

  Regarding the Storage unit TS0C230037 issue.
  Checked storage unit TS0C230037 in the transaction LS33 & Table LEIN. This storage unit doesn't exists in Transaction data as well as table entry level 
  Currently I couldn't even see the storage unit in system.
  Note: I could see this Storage unit TS0C230037 in LX03 Transaction code. But when I double click on the storage unit it says Storage unit TS0C230037 cannot be displayed.
  Customer want move the available 4 Qty stock from that storage unit to other storage unit.
  Kindly advise.

  Awesome, gr8.
  Thank you Kiran.
  But, not sure ,
  1)  How did you figure it out that this (just 4 fields) is bcz of UI Guideline app param?
  2) If so, how do you know GL11 will fix it?
  3) how do you know we are having GL20 in place, bcz in the below sap help link sap said GL11 is the default?
  4) In which component SAP hard coded as 4?
  5) Pls. let us know what are other params we need to check/test for our custom app?
  Application Parameters and URL Parameters -  Web Dynpro ABAP - SAP Library
  Thank you