SLD User gets locked; four unsuccessful logons every 15 minutes

I have a landscape with a PI with the SLD on it. I defined a user with the name SLDUSER and the appropriate authorizations. The PI is a Unicode system, like all systems in the landscape.
There were already some application servers (CRM, Banking Services, Composition Environment) connecting to this SLD and everything went fine.
Now I added another application server, an ERP, for FI-CAx (NW 7.02). As the business partners are distributed via XI through the PI system, the ERP needs to connect to the SLD, too.
I set it up as usual:
- sldapicust: host, port, SLDUSER, password. (What is weird is that there is no test button as in all the other systems ... maybe that depends on the installed EhPs.)
- This generated the destinations (type T = TCP/IP) SLD_UC and SLD_NUC automatically.
- I created destinations SAPSLDAPI and LCRSAPRFC manually in sm59, type T = TCP/IP, set them to Unicode, entered the same (two different) Registered Server Programs that are used in these destinations on all the other servers (CRM, PI, BaS).
- I ran rz70, entered the host and gateway, activated, executed the data collection.
SLDCHECK runs successfully on the ERP system!
The technical system for the BS1 showed up in the SLD as expected.
- I configured the clients / business systems on the SLD.
Now begins the problem. The SLDUSER is now getting locked all the time! It's definitely the ERP system causing it - when I prevent it from accessing the PI (by changing the hosts file on the operating system), the problem stops.
I activated everything critical related to logons and RFCs in sm19 and looked at the logs in sm20. This is what it looks like:
17.08.2011     19:40:04     BNK_RFC     ilbnkpi1          SAPMSSY1     Password check failed for user SLDUSER in client 001
17.08.2011     19:40:04     BNK_RFC     ilbnkpi1          SAPMSSY1     Logon Failed (Reason = 1, Type = U)
17.08.2011     19:40:04     BNK_RFC     ilbnkpi1          SAPMSSY1     Password check failed for user SLDUSER in client 001
17.08.2011     19:40:04     BNK_RFC     ilbnkpi1          SAPMSSY1     Logon Failed (Reason = 1, Type = U)
17.08.2011     19:40:04     BNK_RFC     ilbnkpi1          SAPMSSY1     Password check failed for user SLDUSER in client 001
17.08.2011     19:40:04     BNK_RFC     ilbnkpi1          SAPMSSY1     Logon Failed (Reason = 1, Type = U)
17.08.2011     19:40:04     BNK_RFC     ilbnkpi1          SAPMSSY1     Password check failed for user SLDUSER in client 001
17.08.2011     19:40:04     BNK_RFC     ilbnkpi1          SAPMSSY1     Logon Failed (Reason = 1, Type = U)
17.08.2011     19:55:04     BNK_RFC     ilbnkpi1          SAPMSSY1     Password check failed for user SLDUSER in client 001
17.08.2011     19:55:04     BNK_RFC     ilbnkpi1          SAPMSSY1     User SLDUSER Locked in Client 001 After Erroneous Password Checks
17.08.2011     19:55:04     BNK_RFC     ilbnkpi1          SAPMSSY1     Logon Failed (Reason = 1, Type = U)
17.08.2011     19:55:04     BNK_RFC     ilbnkpi1          SAPMSSY1     Logon Failed (Reason = 53, Type = U)
17.08.2011     19:55:05     BNK_RFC     ilbnkpi1          SAPMSSY1     Logon Failed (Reason = 53, Type = U)
17.08.2011     19:55:05     BNK_RFC     ilbnkpi1          SAPMSSY1     Logon Failed (Reason = 53, Type = U)
And it goes on like this. So what happens is this: Every 15 minutes, at :10, :25, :40, :55, there are four unsuccessful logons with SLDUSER. With the fifth logon it gets locked.
Again:
- This stops when I make the PI inaccessible to the ERP.
- SLDCHECK still works completely fine in ERP - until the SLDUSER is locked, of course; then it stops working in all connected systems. It does not result in unsuccessful logons on the PI.
- When I run rz70 on the ERP and run the data collection this also reports success and does not create unsuccessful logons on the PI.
- I have not used the SLDUSER in any other locations besides sldapicust.
So what the hell is wrong with this system?!

I have created a separate user SLDUSER_ER1 just for use in the sldapicust in the new ERP system that causes the problem. Still SLDUSER is getting locked (not SLDUSER_ER1)!
I powered down this ERP system ER1, just to make absolutely sure it is causing the problem - indeed the unsuccessful logon attempts every 15 minutes stopped right away.
As a workaround and for narrowing down the problem I have created separate users SLDUSER_CR1 etc. for each of the other systems in the landscape (CRM and so on) - indeed those do not get any unsuccessful logon attempts.
I have deleted all four SLD-related destinations in ER1 and recreated them from scratch (SLD_NUC and SLD_UC being generated when running rz70). I also used the "delete all batch jobs" button in rz70.
Still, SLDUSER is getting locked.
I checked on the PI system in C:\usr\sap\PI1\DVEBMGS00\j2ee\cluster\server0\log\system\httpaccess\responses_00.0.trc and see it is indeed the IP of the ERP system that gets the error 401 exactly at the times when the unsuccessful logon attempts occur:
[Oct 2, 2011 2:46:06 PM   ] - 10.26.83.234 : POST /sld/cimom HTTP/1.1 401 1499 [140]
[Oct 2, 2011 2:46:06 PM   ] - 10.26.83.234 : POST /sld/cimom HTTP/1.1 401 1499 [79]
[Oct 2, 2011 2:46:06 PM   ] - 10.26.83.234 : POST /sld/cimom HTTP/1.1 401 1499 [62]
[Oct 2, 2011 2:46:06 PM   ] - 10.26.83.234 : POST /sld/cimom HTTP/1.1 401 1499 [47]
As the ERP has no Java instance and the sldapicust does not contain the SLDUSER (but the new SLDUSER_ER1) it is a mystery to me what it is that is still running every 15 minutes in the ERP and tries to use SLDUSER.
I went through the entries in SECSTORE and could not find any use of SLDUSER (only of SLDUSER_ER1, as it should be).
Edited by: Monika Eggers on Oct 2, 2011 3:08 PM

Similar Messages

  • User gets locked in lesser attempts than security policy setting

    Hi
    I have written my customized login code to login a user to the
    portal and I user the following code:
    IUser myUser = UMFactory.getUserFactory().getUserByLogonAlias(username, null);
    IUserAccountFactory accountFactory = UMFactory.getUserAccountFactory();
    IUserAccount account = accountFactory.getUserAccountByLogonId(myUser.getUniqueName());
    ILogonAuthentication ILA = UMFactory.getLogonAuthenticator();
    req.setAttribute(JUSER,myUser.getUniqueName());
    req.setAttribute(JPASSWORD,password);
    ILA.logon(req,res,AUTHSCHDEFAULT);     
    I notice that whenever I try to logon using my code with a
    wrong password, the user gets locked in 3 attemps even though the security policy
    (at ABAP and in Portal UME Configuration) setting for number of failed attempts is set to 5.
    (Although, please note that my code works fine logging the
    user into the portal when he enters the correct password)
    I try to check if the same thing happens with the standard logon module - com.sap.portals.runtime.logon,
    and notice that it locks correctly after 5 attempts.
    Would I have to add anything else in my code to make it work
    correctly?
    Thanks
    oj

    Hi All
    I tried to check in the CUA table the incorrect logon attempts value, and noticed that for every time I login (using my above code) with the wrong password, it increments the count by 2!! And that's the reason it gets locked out by the third time.
    What am I doing wrong?
    Thanks
    OJ

  • User gets locked by an external system but which one?

    Hi,
    In an abap system, we have changed the password of our administration user. Afterwards, this user gets locked every 5 minutes, obviously because the user and old password has been used to set up communication from another system to the abap system. An RFC connection for instance or whatever. Sure it is possible to check all the systems you can think of to see if the user has been used for such a purpose. But how can you see in the system itself where the call comes from that locks it? I have tried the gateway tracefile but without success. Any suggestions?
    Regards,
    GK

    Hello,
    I would try transaction STAD.
    There you should find entries of type RFC with your user.
    If you double-click on the line, you get the details. Click on the RFC button.
                                  as Client             as Server
    No. of targets                   0                     1
    Click on the highlighted 1 under "as server".
    You should get the needed info : the remote destination
    Target         TEST_DEV
    User ID        TESTOC
    RFC Caller     OCHRETIE
    Local  destin. bt1suk17v1_DEV_02                IP address xx.xx.xx.xx
    Remote destin. bt1suk16v1_DXI_68                IP address yy.yy.yy.yy
    Hope this helps
    Olivier

  • SAP BW User getting locked by BO RFC calls

    Hi,
    we are encountering a problem with BO RFC calls locking SAP BW users that recently changed their password in BW.
    Description of the problem in the ticket we raised at the SAP support:
    SAP BO 4.1 SP2 Patch 4, linux installation
    Backend: SAP BW 7.01 EHP8
    BICS interface with SAP authentication
    One of our users gets locked again and again in SAP BW (P19). The cause is a RFC connection that the BusinessObjects server (P59) tries to establish. The user used SAP BO last Friday for the last time and had to change his password in P19 this Tuesday. We think that there is some
    process within SAP BO still trying to connect to SAP BW from time to time, using the old password. There is no open session visible for that user in the CMC. User is even getting locked when not in the office and during night time. RFC calls are established almost regualary every hour.
    We already had this behaviour in our test-system. Restarting the BO-Server solved it. However, this is not the solution we want to use
    in the productive environment. There has to be some way to kill the process that uses the old password on the BO server without restarting
    the whole server. We do not understand why BO would still try to connect to BW with the old password - this has to be some kind of a bug.
    Meanwhile the error disappeared for the first user (some days after it started, maybe the BO process ran into a timeout). However, other users started having the same behaviour after changing their password.
    Our basis team tried to check the log files for advanced information on the conversations between BO and BW, but did not find any hints on which BO process might try to establish the connections.
    The SAP support seems to be a little helpless at the moment...
    Has anyone had similar problems?
    Regards,
    Robert

    Hi again,
    additional information: after approximately one week after the error appeared for the first time BO stops trying to establish the rfc connection for this specific user. Almost as if the "old-password-BO-process" ran into a 1 week timeout or something like that.
    The problem is really strange. The SAP support is still not able to tell us how the gather the information they require.
    Regards,
    Robert

  • Impact of J2EE_ADMIN / Administrator user getting locked

    Hi,
    What is the impact of J2EE_ADMIN / Administrator user getting locked in abap / java engines?  Will it effect startup of java server processes or java applications?  What are the other implications?
    Thanks,
    Abdul

    Hi Abdul,
    if the J2EE_ADMIN or Administrator user is locked then
    1. you cannot login to Visual Admin unless you define some other user with same authorization.
    2. any Jco-RFC using this user won't work.
    3. if you don't have any other user, you will have to activate SAP* user to unlock this user.
    Thanks,
    Sandeep

  • Are you coming out with a fix to the constant hang problem with version 6? I get a 20 second hang every 15 minutes.

    Ever since version 6 was released I have been getting a very bad hang every 15 minutes or so regardless of what I am doing, so I cannot pinpoint the issue. I hope that your new update strategy doesn't create more issues like this that werent an issue with previous versions. I am a web designer and love how I have everything organized in Firefox, which I have favored for years but am getting frustrated and am starting to look at alternative browsers.

    Firefox may be doing some maintenance to some files.<br />
    Make sure that other cleanup or security software isn't preventing access to files in the Firefox Profile Folder
    *http://kb.mozillazine.org/Profile_folder_-_Firefox
    A possible cause is a problem with the file places.sqlite that stores the bookmarks and the history.
    *http://kb.mozillazine.org/Bookmarks_history_and_toolbar_buttons_not_working_-_Firefox
    Start Firefox in <u>[[Safe Mode]]</u> to check if one of the extensions is causing the problem (switch to the DEFAULT theme: Firefox (Tools) > Add-ons > Appearance/Themes).
    *Don't make any changes on the Safe mode start window.
    *https://support.mozilla.com/kb/Safe+Mode

  • J2EE_ADMIN user getting locked frequently

    Hi SAP Guru's,
    The user J2EE_ADMIN in our nw2004s system is getting locked frequently. We have changed the password of this user in ABAP via SU01 & in JAVA in the secure store via configtool. The server was re-booted after doing these changes. Still the user J2EE_ADMIN is getting locked frequently. Also in SM21, we have a log <b>"J2EE_ADMIN locked due to incorrect logon"</b> for this locking which mentions the user as SAPJSF (Communication user between ABAP & JAVA).
    Is there a possibility that SAPJSF is locking the user J2EE_ADMIN ?? how & why ??
    Any help on this will be highly appreciated.
    Thanks,
    Sanjeev.

    have you solve this issue? we have the same!
    every half hour (xx:51:00 and xx:29:00), the J2EE_ADMIN user is locked by user SAPJSF transaction KRNL from the local host (terminal).
    We have changed the pass in secure store in configtool to the pass we used in abap.
    In "Visual Administrator" "Cluster>Server>Services-->Security Provider" the user have a checked box at "No password change required"
    We searched for other places with a wrong pass (Jco Connections = no J2EE_ADMIN used, SLD = no J2EE_ADMIN used), but found nothing.
    need help pls.
    regards
    chris

  • APPS USER GETTING LOCK

    After changing password of APPS user, while accessing application, 'APPS' user is getting lock. Checked that 'password' of 'APPS_TO_APPS' and 'EDW_APPS_TO_WH' did not changed.
    Ran Autoconfig -still account is getting lock.

    Pl see if that APPS database account has a profile set. I believe ATG RUP4 add a profile to the APPS database account and after x number of unsuccessful logins, it locks the account, making the instance unusable. See ML Note 556761.1 that describes a related issue. If a profile is indeed set for the APPS account, pl remove it.
    HTH
    Srini

  • User getting Locked after 1 day

    Hi All,
    I am facing an issue...a particular user in our SAP ECC 5.0 system is getting locked after every one day, I checked the configuration in SU01 but everything seems to be fine there.
    Please help regarding this issue.
    Thanks in Advance
    Regards,
    Prashant.

    Dear Prashant,
    Have you activated user trace.If yes then monitor that user ID.It wont be possible that only 1 particular user is getting locked (correct me if I am wrong).There can be a possibility that somebody is deliberately entering wrong password for his ID any other terminal.
    If you have activated user trace then you can easily monitor that user ID and even the terminals from where his ID has been accessed.
    PS: I might be wrong,so please update me with the latest.
    Regards,
    Ashutosh

  • User getting locked while sending message sync via BPM. Please help

    Hi Experts,
       I have a sync - sync scenario where I am sending data synchronously from webservice to a sync RFC FM. I am using BPM and in BPM I have three steps
    1. Receive step - Opens Sync-Async Bridge
    2. Sync Send step
    3. Send step - Closes SYnc-Async bridge.
    This BPM solution is same as that give in the blog https://www.sdn.sap.com/irj/sdn/weblogs?blog=/pub/wlg/1403 [original link is broken] [original link is broken] [original link is broken]
    When I test this scenario I am getting
    <SAP:Error xmlns:SAP="http://sap.com/xi/XI/Message/30" xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/" SOAP:mustUnderstand="1">
    <SAP:Category>XIServer</SAP:Category>
    <SAP:Code area="INTERNAL">PL_TIMEOUT</SAP:Code>
    <SAP:P1 />
    <SAP:P2 />
    <SAP:P3 />
    <SAP:P4 />
    <SAP:AdditionalText />
    <SAP:ApplicationFaultMessage namespace="" />
    <SAP:Stack>Timeout condition of pipeline reached</SAP:Stack>
    <SAP:Retry>N</SAP:Retry>
    </SAP:Error>
    When I check the "Status monitor for Sync/Async communication" via SXMB_MONI, I found that my message is listed there with BPE status = "Wait".
    On double clicking my message I found that there is an error " User is locked. Please notify the person responsible".
    Why is my BPE struck in "Wait" stage and user is locked?
    What am I doing wrong? Am I missing any settings in SOAP sender communication channel?
    Please help me in resolving this problem.
    Regards
    Gopal

    Hi,
    Few months ago we had also problems with "locked user" in XI, in our case XIAPPLUSER was sometimes (b)locked.
    Perhaps note:
    721548 Changing the passwords of the XI 3.0 service users
    will help you.
    We removed and entered the service users again, with the password in CAPITALS and language blank.
    After that our problem was solved, I hope yours too.
    Regards
    Jack

  • CUA SU10 issue with users getting locked

    I did some role change using SU10 on CUA central system for 200 users. 45 of the users got locked with global admin lock in the child system for which I made the role changes.  These user locks are shown in the child system change documents log as changes by the CUA RFC user. I have this problem everytime I use su10. Why does this happen?  What can I do about it? Thanks, KT

    Hi Todd,
    propably you have some inconsistencies in your landscape....
    the cause of such 'unwanted' effects is the fact that if you change a user in your CUA central system, the whole user information is picked, then edited with you changes and afterwards distributed to all child systems.
    So what I could imagine in your example is as follows:
    User has a global lock in central system already, the particular child system did not have that information (user is still unlocked there). Several causes are possible, for instance the lock idoc did not get processed, Child system was not available/connected to CUA when the lock had been set,......).
    At the next update of that user (assign a role), the lock information from the central system is pushed to that child.
    Why?
    Because the design is to assure data consistency between central and child system. Therefore all the user information from central system is pushed to child at any user change. (that is also why you will see in SCUL 3 idocs for each user change (also user and profile idocs are pushed, even if you have changed the role assignement only).
    So what you could check is, if that users got the lock flag (128) already in the past somewhen.
    b.rgds, Bernhard

  • How do I get itunes to stop loading every few minutes on my computer? I X out of it and it comes r ight back.

    How do I get itunes to stop loading every time I turn on my computer? I X out  of it and it comes right back. I have tried everything, even had a computer expert try, no luck. I tried uninstalling itunes and tried a new download, it came right back. Very annoying. Help!

    Hello all,
    I am not in front of my computer but I will try to be clearer::
    plug your iphone or iPad with the USB cable in the computer
    it launches iTunes or  you launch iTunes directly.
    in the left colum , in the middle your equipemnt appears
    click on it
    the middle space will change and you will see horizontal tabs named home, ??, app, music, and so on
    click on the first tab and check all the space:: at the end, if I remeber well there is a check mark for manual sync
    or it is on the secon tab where you choose to sync mail accounts, notes etc... at the end the checkmark "manual sync" should be checked hence itunes will not sync by itself but only if you ask for it
    Henri

  • "lock your computer" sound every few minutes

    My MacBook Air keeps playing the sound "Lock your computer" every few minutes. How do I disable this?

    solved

  • User get caught during Workspace logon

    Hi all!
    Even tough this issue is related to the Workspace topic I decided to place this request in the Workbench topic. Accurate topic would be: LCES Process Management.
    Has anyone experienced the following strange problem?
    Always when a user task has been escalated (e.g. re-assigning to a group) the according user will be "locked". Locked means: The user can't access the task queue anymore. He is getting caugth after logon (forever; only way out is to close the browser). The log file doesn't say anything.
    All other users can normally logon and access their queues.
    Stopping the escalated task (using LCES AdminUI) releases "the lock" on the user queue.
    Anyone any idea?
    Thanks,
    Nico

    Hi,
    Please check if you set domain name is different with the domain name that host offering the server. For example: There is a DNS SRV record _sipinternaltls._tcp.fabrikam.com with target server.contoso.com on port 5061.
    If this case, you can change the SRV record like this:
    _sipinternaltls._tcp.fabrikam.com with target sip.fabrikam.com on port 5061
    Then add a DNS A record for sip.fabrikam.com to IP of front end pool.
    For details, you can refer to this link:
    http://blogs.technet.com/b/jenstr/archive/2011/02/10/lync-cannot-verify-that-the-server-is-trusted-for-your-sign-in-address.aspx
    Kent Huang
    TechNet Community Support

  • How to make one user get locked to edit when another user is editing??

    Dear friends,
    In the webdynpro application option is given to controll the editability of the UI elements using edit button.When the same application is logged in by another user for ex: B , he should get a prompt saying user A is editing the page.
    How to implement this ??and what is the best approach for this please advice.
    Thanks in advance.

    The best way I could think of and what we implemented is:
    Creatin a DB Lock Object around data which you want to work upon.
    Requesting a lock when some one opens up a session for editing, if granted then go in edit mode else go in display\ read only mode with a message.
    Release lock after save.
    Regards
    Manas Dua

Maybe you are looking for