SSO and Principal Propagation in SUP

Hi all,
I am wondering how SSO and Principal Propagation work in SUP.
Ideally, users should be able to log on in their device application and the same user/password should be used to perform backend SAP invocations.
I have seen that personalization keys exist which can store users/passwords to use later in backend invocations.
However:
how can I perform login if my device is offline?
is the password used for login from the device the same as the SAP system's?
do SUP and SAP have to share the same user engine (i.e. LDAP)?
Any help or pointers to best practices/manuals is really appreciated.
Thanks, regards
Vincenzo

Hi
how can I perform login if my device is offline?
Once the device has logged into SUP once, every time thereafter the client app doesn't perform an online authentication.
The credentials are stored securely on the device and the user-supplied credentials are authenticated against them. When the device is online it will perform the online authentication.
is the password used for login from device the same as the SAP system's?
You can have the same credentials on both systems. The SAP connectivity credentials are, however, stored in SUP.
do SUP and SAP have to share the same user engine (i.e. LDAP)?
Yes. Currently SUP, for development purposes, has the OpenDS LDAP service, but in production we can use the LDAP provider of your company.
Thanks

Similar Messages

  • Hard to understand 'header mapping' and 'principal propagation'  in soap

    When I use the SOAP adapter I meet two interesting fields, 'header mapping' and 'principal propagation',
    so could any one of you tell me
    what does header mapping in the receiver agreement mean?
    what do the principal propagation properties in the sender agreement mean?
    Thanks a lot!!!
    Jeff

    Hi,
    Please familiarize yourself with this doc: [How To … Use the J2EE SOAP Adapter|https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/40611dd6-e66e-2910-f383-e80fb44f9cd4], especially chapter 4.4.
    Regards,
    Jakub

  • Error while configuring Principal Propagation

    Hi,
    I am trying to configure Principal Propagation for a Proxy -> PI -> RFC sync scenario. I am working on PI 7.1 SP6 and when I try to configure the "Configuration Adapter" in the Java stack I am not able to find the following config properties:
    1.) login.ticket_keyalias = SAPLogonTicketKeypair.
    2.) login.ticket_keystore = TicketKeystore.
    I have checked in the NWA of PI 7.1, and the Basis guys have checked the config tool of the local server.
    All the rest of the configuration has been done, but I am getting the following error in the response message of the moni:
    "com.sap.engine.interfaces.messaging.api.exception.MessagingException: com.sap.aii.adapter.rfc.afcommunication.RfcAFWException: error while processing message to remote system:com.sap.aii.adapter.rfc.core.client.RfcClientException: could not get a client from JCO.Pool: com.sap.mw.jco.JCO$Exception: (103) RFC_ERROR_LOGON_FAILURE: Issuer of SSO ticket is not authorized"
    Please help.
    Thanks!!!

    Hi,
    Please check the parameters below on the R/3 side and set the values as mentioned.
    login/accept_sso2_ticket=1
    login/create_sso2_ticket=2
    Then test the JCOs.

  • Principal Propagation Issue

    Hi,
    We are using PI 7.1 and have a SOAP - XI - ECC (RFC) scenario where we need to use Principal Propagation in order to send the parameters of the user who has invoked the webservice (using the SOAP Adapter) on XI, and the same user needs to be propagated to the ECC system via RFC call.
    We did all the settings as per the guidelines in the P.P. guide. The issue is that once we enable Single Sign-On (P.P.) on our XI server, the local service user created in XI, which is given to the source system for invoking the WS on XI, stops working.
    In other words, we have some other systems which are sending webservice requests to XI with the local service userid/pwd we provided to them, as they do not support Single Sign-On. This stops working once we enable Single Sign-On in XI. Does it mean that at one time only one thing will work, either service user/pwd or Single Sign-On user?
    Is there any alternate way of achieving the same? Has anyone used the P.P. feature? It does not seem to be working at adapter level.
    Thanks
    amit

    Dear Amit,
    Either one will work, either the SSO user or the service user. You can't have both working simultaneously, because your SSO user is nothing but one system logging on to another system using the user & pwd maintained on the host system.
    The way out is to separate the SSO user and the service users.
    Also refer to https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/bc72b890-0201-0010-3a8d-e31e3e266893
    Rgds
    joel
    Edited by: joel trinidade on Mar 4, 2009 10:30 AM

  • Principal Propagation SOAP-PI-RFC not working

    Hi experts,
    I have designed on PI 7.0 SP16 a SOAP->PI->RFC scenario enabling the call of RFC_READ_TABLE (from ECC) through a webservice. For test purposes, I have deployed the WSDL file on an IIS server and I call it from the SAP Web Services Navigator. Tests are OK if we do not activate principal propagation on the sender and receiver agreements.
    But we need to activate it in order to manage authorizations for people calling the webservice.
    So, I have followed all the required steps described in OSS note 974873.
    In addition, on the PI Java Visual Administrator, I added CreateAssertionTicketLoginModule to com.sap.aii.af.soapadapter*XISOAPAdapter (Service 'Security Provider' -> runtime -> policy configurations) in order to create an assertion ticket when the SOAP adapter is called.
    When calling the webservice, the response contains: "Received HTTP response code 401 : Unauthorized". In RWB I can see that the communication channel is in error, not even displaying the content of the message.
    The security.log file contains: "Attempting to create outgoing ssl connection without trusted certificates"
    My test user (and PIAFUSER) has the SAP_XI_APPL_SERV_USER role, they are not locked, and the PI caches have been cleared.
    In addition, I have not set SSO in PI, thinking it is not a prerequisite to principal propagation.
    Could anyone help me?
    Thanks for your help,
    Philippe
    Edited by: IBM France CONSEIL on Feb 19, 2010 9:48 AM

    Stefan,
    What I understand from the comments is that I have to use SAML, but this is coming with PI 7.1 and I am working on PI 7.0.
    However, when I read the beginning of this thread [Principal Propagation - PIAFUSER in Assertion Ticket] it proves it can work without SAML, doesn't it?

  • ADFS SSO and SharePoint 2013 on-premise Hybrid outbound search results from SharePoint Online - does it work?

    Hi, 
    I want to set up an outbound hybrid search from SharePoint 2013 on-premise to SharePoint Online.
    But I'm not sure if this works with ADFS SSO.
    Has somebody experience with this setup?
    Here's my guide which I'm going to use for this installation:
    Introduction
    In this post I'll show you how to get search results from your SharePoint Online in your SharePoint 2013 on-premise search center.
    Requirements
    User synchronisation from Active Directory to Office 365 with DirSync
    DirSync password sync or ADFS SSO
    SharePoint Online
    SharePoint 2013 on-premise
    Enterprise Search service
    SharePoint Online Management Shell
    Instructions
    All configuration will be done either in the Search Administration of the Central Administration or in the PowerShell console of your on-premise SharePoint 2013 server.
    Set up Server to Server Trust
    Export certificates
    To create a server to server trust we need two certificates.
    [certificate name].pfx: In order to replace the STS certificate, the certificate is needed in Personal Information Exchange (PFX) format including the private key.
    [certificate name].cer: In order to set up a trust with Office 365 and Windows Azure ACS, the certificate is needed in CER Base64 format.
    First launch the Internet Information Services (IIS) Manager
    Select your SharePoint web server and double-click Server Certificates
    In the Actions pane, click Create Self-Signed Certificate
    Enter a name for the certificate and save it with OK
    To export the new certificate in the Pfx format select it and click Export in the Actions pane
    Fill the fields and click OK. Export to: C:\[certificate name].pfx, Password: [password]
    We also need to export the certificate in the CER Base64 format. For that purpose, right-click the certificate and click on View...
    Click the Details tab and then click Copy to File
    On the Welcome to the Certificate Export Wizard page, click Next
    On the Export Private Key page, click Next
    On the Export File Format page, click Base-64 encoded X.509 (.CER), and then click Next.
    As file name enter C:\[certificate name].cer and then click Next
    Finish the export
    Import the new STS (SharePoint Token Service) certificate
    Let's update the certificate on the STS. Configure and run the PowerShell script below on your SharePoint server.
    if(-not (Get-PSSnapin "Microsoft.SharePoint.PowerShell" -ErrorAction SilentlyContinue)){Add-PSSnapin "Microsoft.SharePoint.PowerShell"}
    # set the certificate paths and password
    $PfxCertPath = "c:\[certificate name].pfx"
    $PfxCertPassword = "[password]"
    $X64CertPath = "c:\[certificate name].cer"
    # get the encrypted pfx certificate object (20 = X509KeyStorageFlags Exportable (4) + PersistKeySet (16))
    $PfxCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $PfxCertPath, $PfxCertPassword, 20
    # import it
    Set-SPSecurityTokenServiceConfig -ImportSigningCertificate $PfxCert
    Type Yes when prompted with the following message.
    You are about to change the signing certificate for the Security Token Service. Changing the certificate to an invalid, inaccessible or non-existent certificate will cause your SharePoint installation to stop functioning. Refer to the following article for instructions on how to change this certificate: http://go.microsoft.com/fwlink/?LinkID=178475. Are you sure, you want to continue?
    Restart IIS so STS picks up the new certificate.
    & iisreset
    & net stop SPTimerV4
    & net start SPTimerV4
    Now validate the certificate replacement by running several PowerShell commands and compare their outputs.
    # set the certificate paths and password
    $PfxCertPath = "c:\[certificate name].pfx"
    $PfxCertPassword = "[password]"
    # get the encrypted pfx certificate object
    New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $PfxCertPath, $PfxCertPassword, 20
    # compare the output above with this output
    (Get-SPSecurityTokenServiceConfig).LocalLoginProvider.SigningCertificate
    Establish the server to server trust
    if(-not (Get-PSSnapin "Microsoft.SharePoint.PowerShell" -ErrorAction SilentlyContinue)){Add-PSSnapin "Microsoft.SharePoint.PowerShell"}
    Import-Module MSOnline
    Import-Module MSOnlineExtended
    # set the certificate paths and password
    $PfxCertPath = "c:\[certificate name].pfx"
    $PfxCertPassword = "[password]"
    $X64CertPath = "c:\[certificate name].cer"
    # set the onpremise domain that you added to Office 365
    $SPCN = "sharepoint.domain.com"
    # your onpremise SharePoint site url
    $SPSite="http://sharepoint"
    # don't change this value
    $SPOAppID="00000003-0000-0ff1-ce00-000000000000"
    # get the encrypted pfx certificate object
    $PfxCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $PfxCertPath, $PfxCertPassword, 20
    # get the raw data
    $PfxCertBin = $PfxCert.GetRawCertData()
    # create a new certificate object
    $X64Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
    # import the base 64 encoded certificate
    $X64Cert.Import($X64CertPath)
    # get the raw data
    $X64CertBin = $X64Cert.GetRawCertData()
    # save base 64 string in variable
    $CredValue = [System.Convert]::ToBase64String($X64CertBin)
    # connect to Office 365
    Connect-MsolService
    # register the on-premise STS as service principal in Office 365
    # add a new service principal
    New-MsolServicePrincipalCredential -AppPrincipalId $SPOAppID -Type asymmetric -Usage Verify -Value $CredValue
    $MsolServicePrincipal = Get-MsolServicePrincipal -AppPrincipalId $SPOAppID
    $SPServicePrincipalNames = $MsolServicePrincipal.ServicePrincipalNames
    $SPServicePrincipalNames.Add("$SPOAppID/$SPCN")
    Set-MsolServicePrincipal -AppPrincipalId $SPOAppID -ServicePrincipalNames $SPServicePrincipalNames
    # get the online name identifier
    $MsolCompanyInformationID = (Get-MsolCompanyInformation).ObjectID
    $MsolServicePrincipalID = (Get-MsolServicePrincipal -ServicePrincipalName $SPOAppID).ObjectID
    $MsolNameIdentifier = "$MsolServicePrincipalID@$MsolCompanyInformationID"
    # establish the trust from on-premise with ACS (Azure Access Control Service)
    # add a new authentication realm
    $SPSite = Get-SPSite $SPSite
    $SPAppPrincipal = Register-SPAppPrincipal -site $SPSite.rootweb -nameIdentifier $MsolNameIdentifier -displayName "SharePoint Online"
    Set-SPAuthenticationRealm -realm $MsolServicePrincipalID
    # register the ACS application proxy and token issuer
    New-SPAzureAccessControlServiceApplicationProxy -Name "ACS" -MetadataServiceEndpointUri "https://accounts.accesscontrol.windows.net/metadata/json/1/" -DefaultProxyGroup
    New-SPTrustedSecurityTokenIssuer -MetadataEndpoint "https://accounts.accesscontrol.windows.net/metadata/json/1/" -IsTrustBroker -Name "ACS"
    Add a new result source
    To get search results from SharePoint Online we have to add a new result source. Run the following script in a PowerShell ISE session on your SharePoint 2013 on-premise server. Don't forget to update the settings region.
    if(-not (Get-PSSnapin "Microsoft.SharePoint.PowerShell" -ErrorAction SilentlyContinue)){Add-PSSnapin "Microsoft.SharePoint.PowerShell"}
    # region settings
    $RemoteSharePointUrl = "http://[example].sharepoint.com"
    $ResultSourceName = "SharePoint Online"
    $QueryTransform = "{searchTerms}"
    # display name of the Remote SharePoint provider as shown on this (German) farm; use the name your farm shows, e.g. "Remote SharePoint Provider" on an English one
    $Provider = "SharePoint-Remoteanbieter"
    # region settings end
    $SPEnterpriseSearchServiceApplication = Get-SPEnterpriseSearchServiceApplication
    $FederationManager = New-Object Microsoft.Office.Server.Search.Administration.Query.FederationManager($SPEnterpriseSearchServiceApplication)
    $SPEnterpriseSearchOwner = Get-SPEnterpriseSearchOwner -Level Ssa
    $ResultSource = $FederationManager.GetSourceByName($ResultSourceName, $SPEnterpriseSearchOwner)
    if(!$ResultSource){
        Write-Host "Result source does not exist. Creating..."
        $ResultSource = $FederationManager.CreateSource($SPEnterpriseSearchOwner)
        $ResultSource.Name = $ResultSourceName
        # look the provider up by its display name
        $ResultSource.ProviderId = $FederationManager.ListProviders()[$Provider].Id
        $ResultSource.ConnectionUrlTemplate = $RemoteSharePointUrl
        $ResultSource.CreateQueryTransform($QueryTransform)
        $ResultSource.Commit()
    }
    Add a new query rule
    In the Search Administration click on Query Rules
    Select Local SharePoint as Result Source
    Click New Query Rule
    Enter a rule name, e.g. Search results from SharePoint Online
    Expand the Context section
    Under Query is performed on these sources click on Add Source
    Select your SharePoint Online result source
    In the Query Conditions section click on Remove Condition
    In the Actions section click on Add Result Block
    As title enter Results for "{subjectTerms}" from SharePoint Online
    In the Search this Source dropdown select your SharePoint Online result source
    Select 3 in the Items dropdown
    Expand the Settings section and select "More" link goes to the following URL
    In the box below enter this Url https://[example].sharepoint.com/search/pages/results.aspx?k={subjectTerms}
    Select This block is always shown above core results and click the OK button
    Save the new query rule
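    A verification script I would run after the two trust scripts in the guide above (this is example code added here; it is not part of Janik's post or of the guide he quotes). It assumes the same placeholder PFX path and password as the guide, the issuer name "ACS" given to New-SPTrustedSecurityTokenIssuer, and the $MsolServicePrincipalID value that the guide passes to Set-SPAuthenticationRealm; the function names Test-SPStsSigningCertificate and Test-SPAcsTrust are my own. It turns the guide's "compare their outputs" step into a thumbprint comparison and adds the checks a defender wants before going live: that the STS signing certificate carries its private key and is not about to expire, and that the ACS issuer is registered as a trust broker against the expected realm.

```powershell
# Added example, not from the original post or guide: post-configuration checks for the
# STS certificate swap and the ACS trust. Placeholder values follow the guide above.
if(-not (Get-PSSnapin "Microsoft.SharePoint.PowerShell" -ErrorAction SilentlyContinue)){Add-PSSnapin "Microsoft.SharePoint.PowerShell"}

function Test-SPStsSigningCertificate {
    param(
        [Parameter(Mandatory = $true)] [string] $PfxCertPath,
        [Parameter(Mandatory = $true)] [string] $PfxCertPassword
    )
    # 20 = X509KeyStorageFlags Exportable (4) + PersistKeySet (16), the same flags the guide uses
    $pfx = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $PfxCertPath, $PfxCertPassword, 20
    $sts = (Get-SPSecurityTokenServiceConfig).LocalLoginProvider.SigningCertificate
    [pscustomobject]@{
        # replaces the guide's manual "compare the output above" step
        ThumbprintMatches = ($pfx.Thumbprint -eq $sts.Thumbprint)
        # without the private key the STS cannot sign tokens and authenticated requests fail
        HasPrivateKey     = $sts.HasPrivateKey
        # the guide's self-signed certificate from IIS Manager is short-lived; an expired
        # signing certificate breaks the server-to-server trust with no obvious error
        DaysUntilExpiry   = [int](($sts.NotAfter - (Get-Date)).TotalDays)
        Subject           = $sts.Subject
    }
}

function Test-SPAcsTrust {
    param(
        [string] $IssuerName = "ACS",
        # ObjectID of the SharePoint Online service principal, i.e. $MsolServicePrincipalID in the guide
        [Parameter(Mandatory = $true)] [string] $ExpectedRealm
    )
    $issuer = Get-SPTrustedSecurityTokenIssuer | Where-Object { $_.Name -eq $IssuerName }
    [pscustomobject]@{
        IssuerRegistered = [bool]$issuer
        # the guide registers ACS with -IsTrustBroker; $false here means it was registered differently
        IsTrustBroker    = $(if ($issuer) { [bool]$issuer.IsTrustBroker } else { $false })
        # Set-SPAuthenticationRealm must have been given the service principal's ObjectID
        RealmMatches     = ((Get-SPAuthenticationRealm) -eq $ExpectedRealm)
    }
}

# usage, with the same placeholders as the guide
Test-SPStsSigningCertificate -PfxCertPath "c:\[certificate name].pfx" -PfxCertPassword "[password]"
Test-SPAcsTrust -ExpectedRealm "[MsolServicePrincipalID from the trust script]"
```

    Every property of both result objects should come back $true (and DaysUntilExpiry comfortably positive) before the query rule is created; a ThumbprintMatches of $false usually means IIS was not restarted after Set-SPSecurityTokenServiceConfig, and a RealmMatches of $false means the realm was set to something other than the service principal ObjectID that was also used to build $MsolNameIdentifier.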

    Hi  Janik,
    According to your description, my understanding is that you want to display hybrid search results in SharePoint Server 2013.
    To achieve this, please have a look at the article:
    http://technet.microsoft.com/en-us/library/dn197173(v=office.15).aspx
    If you are using single sign-on (SSO) authentication, it is important to test hybrid Search functionality by using federated user accounts. Native Office 365 user accounts and Active Directory Domain Services (AD DS) accounts that are not federated are not recognized by both directory services. Therefore, they cannot authenticate using SSO, and cannot be granted permissions to resources in both deployments. For more information, see Accounts needed for hybrid configuration and testing.
    Best Regards,
    Eric
    Eric Tao
    TechNet Community Support

  • SSO and SOA

    Can someone please provide me with a walk through using SSO and SOA? Basically in a SOA environment; from Application to Service to maybe another Service to Database how is SSO done?

    I'm assuming that when you say SSO you mean identity propagation, which is usually the case with SOA. SSO to me is the act of moving between HTTP servers without having to provide credentials everywhere you go. With SOA, you may want your identity propagated from portal->service bus->business services across different domains, all within a single HTTP request.
    Oracle has a number of strategies with regards to this. What I've been working with recently is using SAML token profile in WebLogic. Essentially the Web service stack in WebLogic knows how to generate a SAML assertion from the SAML Credential Mapper if required by the WS-policy. The SAML Identity Asserter consumes the assertion on the receiving end. You manage the partner relations, confirmation method, signing info, etc. through the WebLogic console.
    You can manage which WS-security policies are applied for services deployed on WebLogic through the console, or you can do it from central gateway using Oracle Service Bus.
    http://edocs.bea.com/wls/docs103/webserv_sec/message.html
    http://download.oracle.com/docs/cd/E13159_01/osb/docs10gr3/security/ws_policy.html
    Ciao
    Matt

  • Avoid principal propagation in RFC_to_File scenario?

    Hi!
    I am facing the following error in sxmb_moni when retrieving the message from business system A.
    Error in part Call adapter
    System_Error: Error exception retnr from pipeline processing
    name = "CL_XMS_MAIN_WRITE_MESSAGE_TO_PERSIST"
    I also detected the following additional error text:
    <SAP:AdditionalText>com.sap.aii.af.ra.ms.api.ConfigException: Unauthorized: J2EE AE rejected user. Reason: Principal propagation is not active, but technical IS service user was not used (J2EE_ADMIN).</SAP:AdditionalText>
    <SAP:ApplicationFaultMessage namespace="" /
    The error tells me that principal propagation is missing.
    Unfortunately I cannot activate principal propagation on Sender system due to ABAP dump error.
    Question:
    Are there some alternative solutions without activating principal propagation?
    If yes, how can these be realized?
    For example: is it possible to send messages as the technical IS service user, such as j2ee_admin, from the sender system without activating principal propagation?
    Any helpful information will be very appreciated.
    Thank you!
    Holger

    HI Holger
    Looking at the error we can see it's an authorization issue. You can try using a user like PISUPER to create and use principal propagation.
    Moreover, other than this you have to go through the normal RFC -> XI -> File procedure, where you have different users involved at different services. No other choice.
    Thanks
    Gaurav

  • SOAP to SOAP principal propagation with logon tickets

    I have configured a scenario using soap sender to soap receiver with an integrated configuration on PI 7.1. It is synchronous CE 7.11<->PI 7.10<->ECC 6.0. The scenario works with basic authentication. If I enable principal propagation on the sender side it still works fine. Now I have activated principal propagation on the receiver side and I get the following error in the message audit log:
    2010-05-07 09:01:50 Information MP: entering1
    2010-05-07 09:01:50 Information MP: processing local module localejbs/sap.com/com.sap.aii.af.soapadapter/XISOAPAdapterBean
    2010-05-07 09:01:50 Information SOAP: request message entering the adapter with user DAMZOG.JOCHE
    2010-05-07 09:01:50 Information SOAP: request message leaving the adapter (call)
    2010-05-07 09:01:50 Information The application tries to send an XI message synchronously using connection SOAP_http://sap.com/xi/XI/System.
    2010-05-07 09:01:50 Information Trying to put the message into the call queue.
    2010-05-07 09:01:50 Information Message successfully put into the queue.
    2010-05-07 09:01:50 Information The message was successfully retrieved from the call queue.
    2010-05-07 09:01:50 Information The message status was set to DLNG.
    2010-05-07 09:01:50 Information Delivering to channel: SOAP_MRByID_In5_R
    2010-05-07 09:01:50 Information SOAP: request message entering the adapter with user J2EE_GUEST
    2010-05-07 09:01:50 Fehler SOAP: call failed: java.io.IOException: unable to get URLConnection: com.sap.security.core.server.destinations.api.ConfigurationException: [destination_0004] Unable to create URLConnection:No logged in user found.
    2010-05-07 09:01:50 Fehler SOAP: error occured: com.sap.engine.interfaces.messaging.api.exception.MessagingException: java.io.IOException: unable to get URLConnection: com.sap.security.core.server.destinations.api.ConfigurationException: [destination_0004] Unable to create URLConnection:No logged in user found.
    2010-05-07 09:01:50 Fehler Adapter Framework caught exception: java.io.IOException: unable to get URLConnection: com.sap.security.core.server.destinations.api.ConfigurationException: [destination_0004] Unable to create URLConnection:No logged in user found.
    2010-05-07 09:01:50 Fehler The message was successfully transmitted to endpoint com.sap.engine.interfaces.messaging.api.exception.MessagingException: java.io.IOException: unable to get URLConnection: com.sap.security.core.server.destinations.api.ConfigurationException: [destination_0004] Unable to create URLConnection:No logged in user found. using connection SOAP_http://sap.com/xi/XI/System.
    2010-05-07 09:01:50 Fehler The message status was set to FAIL.
    Any ideas what could be wrong?
    Edited by: Jochen Damzog on May 7, 2010 9:02 AM
    Edited by: Jochen Damzog on May 7, 2010 9:06 AM
    Edited by: Jochen Damzog on May 7, 2010 9:22 AM

    The problem was due to the channels being not in the most recent state. A simple restart of the soap sender channel did the job.

  • Principal Propagation SOAP - XI - RFC Scenario

    Hi,
    I am developing a synchronous scenario whereby a SOAP request posted by a non-SAP system should be forwarded to an ECC system using RFC. The challenge I am facing is that I want to use the user which was used for basic authentication to post to XI dynamically in the RFC call. I have been reading about Principal Propagation using assertion tickets; however, only the SOAP receiver adapter is spoken about. I am trying to configure this using the SOAP Sender adapter.
    As far as my understanding goes, the sending system should be able to create these assertion tickets?
    Has anyone developed a similar interface ?
    Scenario is: Non SAP SOAP Sending system = Client, Adapter engine = Server & Client, Integration Server = Server & client and Receiving ABAP system (ECC6.0) is Server.
    Any help would be appreciated and awarded if helpful.
    Kind Regards, Jelmer Keuken
    PS. XI is version 7.0 SP18; I have already read the blogs of Alexander Bundschuh.
    Edited by: J. Keuken on Sep 9, 2009 4:04 PM

    Hi,
    This scenario is definitely possible to implement with principal propagation.
    1. Enable PP on the Integration Server.
    2. Here you do not have to do anything on the SOAP sender side to create the assertion ticket.
    The assertion ticket is required on the SAP side, which will act as the Web AS ABAP Server.
    Refer to the settings: http://help.sap.com/saphelp_nw04/helpdata/en/61/42897de269cf44b35f9395978cc9cb/frameset.htm
    3. And then follow the further steps as mentioned in the blogs...
    Thanks
    Swarup

  • Principal Propagation Using Sender SOAP adapter in PI7.1

    Hi,
    I am trying to configure principal propagation using the SOAP sender adapter. In that, I am trying to generate the assertion ticket in SAP only, but it is using PIAFUSER as the user that is being passed and not the user which we are using to log on.
    Please tell me how an assertion ticket can be generated in this case so that the user that is being used for logging on is propagated. Is there any other way in which the SOAP adapter can be used to propagate the principal?

    Hi,
    Have you come across this link?
    http://help.sap.com/saphelp_nwpi711/helpdata/en/48/ce95b718d3424be10000000a421937/content.htm
    Regards,
    Ravi

  • Principal Propagation in sap pi

    Hello Friends,
    We need some PI expertise and hope you can help us. We are seeing some errors in production and are trying to figure out the cause. These errors are triggered when we are running a mass job.
    We are trying to understand what this error means so we can start investigating in the right direction.
    Please see the error below; if you can think of any possible reason, please do share your inputs. Thank you!
    Error : Requested parameter PRINCIPAL_PROP_ACTIVE does not exist.
    Thank you!
    Shammi

    Hi Shammi
    Check the Principal Propagation,
    Principal Propagation in SAP NetWeaver Process Integration 7.1
    Hope it helps
    Regards
    Javi

  • Principal propagation

    Hi all.
    I have a scenario:
    HTTP <-> XI <-> SAP.
    Between HTTP and XI I use the HTTP adapter. Between XI and SAP I use a proxy. I have to propagate users from the HTTP system to the SAP system.
    Can I create all needed users in XI and connect from HTTP to XI using any of these users, but for connecting from XI to SAP use principal propagation?

    Hi Mikhail
    Refer to these blogs to get details about principal propagation:
    Principal Propagation with SAP NetWeaver Process Integration 7.1
    /people/alexander.bundschuh/blog/2007/08/06/principal-propagation-with-sap-netweaver-process-integration-71
    Principal Propagation in SAP XI
    /people/alexander.bundschuh/blog/2007/01/16/principal-propagation-in-sap-xi
    Thanks!!
    Regards
    Abhishek Agrahari

  • Principal Propagation - Define interfaces button missing?

    Hi,
    I'm trying to configure PP in my PI 7.0 SP15 system with kernel version 146.
    I have completed all of the steps in the relevant guide but when I go to t.c. SXMB_ADM -> Configure Principal Propagation, there's no button/option for configuring interfaces for principal propagation as stated in the guide. Have I missed something?
    Regards,
    Gökhan

    Sorry, false alarm.
    This button is only valid in sender business systems, not the PI system and only needs to be configured for sender systems.

  • Principal Propagation Issue - J2EE_GUEST being used in some messages

    Hi guys !
    I have the following situation: my customer has a SAP PI 7.1 EhP 1 and some interfaces are configured to run under Principal Propagation.
    What is occurring is, for an interface that uses principal propagation and works correctly, the message enters PI using a user authenticated for principal propagation (for example, USER0001) and this authentication is propagated up to the receiver system (e.g. SAP ECC), but in some cases this same interface shows the following behavior: the authenticated user USER0001 sends a message, the message starts to be processed in the PI pipeline propagating this user but, when the message is to be delivered to the RFC Adapter, we receive the following error:
    Adapter Framework caught exception: failed to generate ClientPoolcom.sap.aii.adapter.rfc.RfcAdapterException: error initializing RfcClientPool:com.sap.aii.adapter.rfc.afcommunication.RfcAFWException: could not create JCO Pool com.sap.aii.adapter.rfc.afcommunication.RfcAFWException: could not get JCOProperties com.sap.security.core.server.destinations.api.DestinationException: [_DestinationServiceAuthorization1004] User-based destination service access denied to principal J2EE_GUEST. Assign the UME action Destination_Service_Write_Permission if the user should have the permission to save, update or remove destinations. The action is available already to the Administrator role.
    And after one message stops with the error above, any message of any interface using principal propagation starts to show the following error, which is only solved by running a full cache refresh:
    Delivering the message to the application using connection RFC_http://sap.com/xi/XI/System failed, due to: com.sap.engine.interfaces.messaging.api.exception.MessagingException: com.sap.aii.adapter.rfc.afcommunication.RfcAFWException: error while processing message to remote system:com.sap.aii.adapter.rfc.core.client.RfcClientException: could not get functiontemplate from repository: com.sap.mw.jco.JCO$Exception: (106) JCO_ERROR_RESOURCE: Repository pool 'RfcRepository[RfcClient[RFCReceiverAutoCommit_ECC]]f0264787314535c0a27cf29d108f5860' does not exist or was removed..
    The question is, why is the PI pipeline trying to use J2EE_GUEST in some task for an interface configured to use Principal Propagation? Why does this occur in some cases and not in others (for the same interface)? Why is the cache being lost? And of course, how can I solve this annoying situation?
    All configurations needed to run Principal Propagation were done according to the help.sap.com documentation (http://help.sap.com/saphelp_nwpi711/helpdata/en/48/a9bbb97e28674be10000000a421937/content.htm) and, as I said, it works in most cases. All messages are sent using the SOAP Adapter for the sender system and the RFC Adapter for the receiver, and there are synchronous and asynchronous interfaces. Basically the interfaces that only read data from SAP do not use principal propagation, and the ones that create/update/delete data in SAP use principal propagation.
    Has somebody already seen something like this?
    Thank you in advance, and best regards,
    Wilson

    Hi guys !
    I have continued with some tests in the environment trying to understand what is happening. As the first error mentioned is "User-based destination service access denied to principal J2EE_GUEST. Assign the UME action Destination_Service_Write_Permission if the user should have the permission to save, update or remove destinations", I entered UME Admin, created a new role named J2EE_GUEST_ROLE, assigned the UME action Destination_Service_Write_Permission to it, assigned this new role to the user J2EE_GUEST, and ran new tests.
    After some executions, one message stopped with this error:
    Adapter Framework caught exception: error while processing message to remote system:com.sap.aii.adapter.rfc.core.client.RfcClientException: could not get a client from JCO.Pool: com.sap.mw.jco.JCO$Exception: (101) RFC_ERROR_PROGRAM: 'user' missing
    I have observed that, in all messages that stop in error, we have the following line in the Audit Log:
    Processing child message of multi-message with message Id 000c2936-6a89-1ed0-aebe-c262ae7d412e.
    And this interface doesn't have a multi-message to be processed; it is a single message only.
    I checked the configuration and see that the interface determinations for all interfaces have the flag "Maintain order at runtime", which is useful basically when an Interface Determination has more than one interface, which is not my case, so I will unmark this flag in all interfaces and run new tests trying to identify if this solves the problem.
    Any idea for this annoying issue?
    Thank you and regards!
