SSO is not working - User is missing credentials for connecting to alias
Dear Experts,
I am facing a strange problem in SSO with reference system user mapping. I have configured reference system user mapping for accessing R/3 for ESS/MSS and transactional iviews along with UWL. The SSO was configured 2 months ago and was working fine till yesterday.
Since this Monday, (2 days), the system connection tests are failing on connector. But, ESS/MSS & Transaction iviews with SAP Logon tickets are working fine. But, while trying to access UWL tasks, SSO is failing. Following is the error message -
"Exception occured Exception type:com.sap.netweaver.bc.uwl.connect.ConnectorException Message:Tue Aug 11 09:46:58 CEST 2009
(Connector) :com.sap.portal.connectivity.destinations.PortalDestinationsServiceException:User is missing credentials for connecting to alias <Aliassystem>. Contact your system administrator. "
I have created a destination for the respective backend in Visual Admin > node > services > Destinations, as some tasks are not visible in UWL as per Note 1133821, 2 weeks ago. It was working fine till yesterday. While testing from destinations, for Connected User (SAP Logon ticket / Assertion ticket), getting the error message -
Error During ping operation:Ticket contain no/an emplty ABAP user id(refer note 1159962). The destination is successfully connected with configured user.
But from the Tracecollector logs, I can see that the mapped user is set in the SAP Logon ticket and the User <ABCD> is existing in the target ECC system. Moreover, the SSO with reference system user mapping is working fine for ESS/MSS and Transaction based iviews. It is failing only for UWL tasks and also in system connection tests for connector. ITS was failing since the beginning. WAS is successful even now.
Trace file info -
Mapped user [ABCD] set in SAP Logon Ticket. The authenticated user is [<portaluserid>]. Authentication stack: [ticket]..
The created ticket is:
[Ticket [initialized]
Ticket Version = 0
Ticket Codepage = (Encoding=1100)
User = <ABCD>
Issuing System ID = EPD
Issuing System Client = 000
Creation Time = 200908110746
Valid Time = 8 h 0 min
Signature (length=261 bytes)
I checked tcode SSO2 in ECC system and it is ready for accepting the logon tickets. The strange thing is single sign on is working for ESS/Transactional iviews and not for UWL. Second thing is UWL was working fine till yesterday morning and stopped working now with SSO problems.
Can you pls advise where to look for fixing the SSO - missing user details for UWL destination?
regards,
Isvarya
Similar Messages
-
Could not setup user ABC's credentials for this AE program
Hi Guys,
I was trying to run AE SCRTY_OPRCLS and got the below error.
"Could not setup user ABC's credentials for this AE program. Perhaps
this AE request is running outside the user's allowed signon times"
I run the AE again without any error so I think it should be allowed signon times issue. That is set up for Permission list, I think, which is from 0:00 to 23:59. Does anyone know if there is a configuration step about this?
Thanks in advance,
Bob
Hi all,
I ran into the same problem today and came across this on the support site: disabling the PSAESERV: E-AE: How to Disable PSAESRV in a Process Scheduler Domain [ID 659343.1]. This helps and does not seem to hinder running any application engine processes. Good luck. -
Hi...
I'm trying to use SSO between portal (jCo, webdynpro...) and ABAP System...
I follow "Single Sign-On in a Complex System Landscape" tutorial, but when I try to test any jCo connection, this error appears to me:
com.sap.tc.webdynpro.services.exceptions.WDRuntimeException: Failed to enrich connection properties
And following logs, I can see this error:
Cannot provide X.509 certificate of user "Silva, Jose" (unique ID: "USER.PRIVATE_DATASOURCE.un:123456") because of an unexpected UME internal problem. (Backend system: "UMESystemLandscapeDummy")
[EXCEPTION]
com.sap.security.api.umap.NoLogonDataAvailableException: This user does not have a certificate.
at com.sap.security.core.umap.imp.UserMappingDataImp.enrich(UserMappingDataImp.java:412)
at com.sap.tc.webdynpro.serverimpl.core.sl.AbstractJCOClientConnection.createPool(AbstractJCOClientConnection.java:346)
at com.sap.tc.webdynpro.serverimpl.core.sl.AbstractJCOClientConnection.checkPoolEntry(AbstractJCOClientConnection.java:296)
at com.sap.tc.webdynpro.serverimpl.core.sl.AbstractJCOClientConnection.getClient(AbstractJCOClientConnection.java:396)
at com.sap.tc.webdynpro.tools.explorer.JCOConnectionsDetails.onActionTestConnection(JCOConnectionsDetails.java:229)
at com.sap.tc.webdynpro.tools.explorer.wdp.InternalJCOConnectionsDetails.wdInvokeEventHandler(InternalJCOConnectionsDetails.java:303)
at com.sap.tc.webdynpro.progmodel.generation.DelegatingView.invokeEventHandler(DelegatingView.java:87)
at com.sap.tc.webdynpro.progmodel.controller.Action.fire(Action.java:67)
at com.sap.tc.webdynpro.clientserver.window.WindowPhaseModel.doHandleActionEvent(WindowPhaseModel.java:420)
at com.sap.tc.webdynpro.clientserver.window.WindowPhaseModel.processRequest(WindowPhaseModel.java:132)
at com.sap.tc.webdynpro.clientserver.window.WebDynproWindow.processRequest(WebDynproWindow.java:335)
at com.sap.tc.webdynpro.clientserver.cal.AbstractClient.executeTasks(AbstractClient.java:143)
at com.sap.tc.webdynpro.clientserver.session.ApplicationSession.doProcessing(ApplicationSession.java:313)
at com.sap.tc.webdynpro.clientserver.session.ClientSession.doApplicationProcessingStandalone(ClientSession.java:713)
at com.sap.tc.webdynpro.clientserver.session.ClientSession.doApplicationProcessing(ClientSession.java:666)
at com.sap.tc.webdynpro.clientserver.session.ClientSession.doProcessing(ClientSession.java:250)
at com.sap.tc.webdynpro.clientserver.session.RequestManager.doProcessing(RequestManager.java:149)
at com.sap.tc.webdynpro.serverimpl.defaultimpl.DispatcherServlet.doContent(DispatcherServlet.java:62)
at com.sap.tc.webdynpro.serverimpl.defaultimpl.DispatcherServlet.doPost(DispatcherServlet.java:53)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:760)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:387)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:365)
at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:944)
at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:266)
at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
at java.security.AccessController.doPrivileged(Native Method)
at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:100)
at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:170)
I don't know what to do...
My portal certificate has a problem, or is my abap certificate?
Thanx...
(sorry for my poor english)
Hi,
If you are working with JCO's please make sure that SSO will not work for metadata jco creation.
use the UID PWD method as part of metadata jco creation.
it will work fine
this message as per my knowledge, may be helpful for you -
NTLM SSO is not working using IIS
Hi,
We are unable to login to the infoview using SSO, getting "page can't found" error.
1. We can login to the infoview using AD authentication when tomcat as the application server but we are unable to login to the infoview using SSO when IIS as the application server.
2. If we select the option called "integrated windows Authentication" under internet options then the SSO is not working and if we uncheck the "integrated windows Authentication" in the internet options then we are able to login to the infoview using SSO. We are able to login to the infoview using SSO on another environments and the working and problematic environments we Configured IIS6, XI2 SP4.
4. We tried to login to the infoview using http://servername instead of entire URL however we are getting error.
5. We restarted IIS but no use.
6. Our admin follow the below options-
Open a registry editor, such as Regedit.exe or Regedt32.exe.
Navigate to:
HKLM\System\CurrentControlSet\Services\HTTP\Parameters
Right-click Parameters, select New | DWORD value, and then name the value MaxFieldLength.
Right-click Parameters, select New | DWORD value, and then name the value MaxRequestBytes.
In the right pane, double-click MaxFieldLength, and then set its value to 32768 (decimal).
In the right pane, double-click MaxRequestBytes, and then set its value to 32768 (decimal).
Close the registry editor and restart the IIS Admin service for the change to take effect.
But we are getting same problem.
7. We tried to login to the infoview using http://localhost but issue still persists.
8. We installed jakarta redirector. Is this root cause of this issue?
9. We selected integrated windows authentication under default websites and I am sure I gave all the options under internet information manager.
Any one please help on this.
My environment is-
BOXIR2 SP4,
NTLM SSO,
Windows 2003,
IIS6.
"We tried to login to the infoview using http://servername instead of entire URL however we are getting error"
What's the error using the hostname for SSO with integrated windows authentication enabled on only the infoview virtual directory?
Regards,
Tim -
SSO is not working for an Alias URL but is working for original portal URL
Hello,
We have a BSP running inside the portal and expects authentication.
When I run this BSP using the portal regular address everything is working OK and SSO is working after logging into the portal.
At next step, we have configured an alias for the portal URL at the DNS Server.
When activating the BSP from the alias URL it asks for 2nd authentication. Meaning, SSO is not working after logging into the portal.
I have activated an HTTP trace in order to see why and it seems like when running it from the alias name it recognizes it as a different domain and I assume this is why the authentication is coming up.
I would like to suppress this for the alias URL but don't know how.
I found this UME property on the server: ume.logon.security.relax_domain.level
This UME property controls the amount of sub domains to remove from the server name to obtain the domain for which the logon ticket is valid.
I have changed this property from its default value 1 to 3 (and restarted the server of course) which, in our case, leaves only ourCompany.com for the ticket in the original server URL. Yet, the authentication pop up is still not suppressed when browsing through the alias URL.
Any idea what can I do next?
Thanks,
Roy
Hi Dezso,
I found the 401 let me know if I look on it right:
I have an entry node with two subnodes: request and response.
The response has:
<responseStatus>HTTP/1.1 401 Unauthorized</responseStatus>
And the request before that doesn't have any MYSAPSSO2 in it, all it has which is related to cookies is this:
<header name="Cookie">UserUniqueIdentifier=1174345919524; alreadyLogged=1179560552416</header>
<cookies>
<cookie name="alreadyLogged">1179560552416</cookie>
<cookie name="UserUniqueIdentifier">1174345919524</cookie>
</cookies>
Can you advise what to do next? -
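An added example, not part of the original posts and not SAP code: a small model of the rule quoted in the thread (remove N leading labels from the server name to get the ticket's cookie domain) combined with standard browser cookie domain matching, to show when an alias URL does or does not receive MYSAPSSO2. The hostnames are constructed, and the level-0 and two-label handling are assumptions of this model.

```python
from typing import Optional

# Constructed hostnames (not from the thread). The portal host has three labels
# in front of ourcompany.com, matching the poster's remark that level 3 leaves
# only the company domain.
PORTAL = "portal.ep.emea.ourcompany.com"
ALIAS_SAME_PARENT = "ess.ourcompany.com"
ALIAS_OTHER_DOMAIN = "ess.ourcompany-services.net"


def ticket_domain(server_name: str, relax_level: int) -> Optional[str]:
    """Cookie domain for the logon ticket under the rule quoted in the thread:
    remove `relax_level` leading labels from the server name.

    Assumptions of this model: level 0 yields a host-only cookie (None), and at
    least two labels are always kept, since browsers refuse cookies scoped to a
    bare top-level label.
    """
    labels = server_name.lower().rstrip(".").split(".")
    if relax_level <= 0:
        return None
    keep = max(len(labels) - relax_level, 2)
    return ".".join(labels[-keep:])


def browser_sends_cookie(cookie_domain: Optional[str], origin_host: str,
                         request_host: str) -> bool:
    """RFC 6265 domain matching: exact host, or a subdomain of cookie_domain."""
    request_host = request_host.lower().rstrip(".")
    if cookie_domain is None:  # host-only cookie
        return request_host == origin_host.lower().rstrip(".")
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


def has_logon_ticket(cookie_header: str) -> bool:
    """True if a Cookie request header from an HTTP trace carries MYSAPSSO2."""
    names = {part.split("=", 1)[0].strip() for part in cookie_header.split(";")}
    return "MYSAPSSO2" in names


def diagnose(portal_host: str, alias_host: str, relax_level: int) -> dict:
    """Where the browser would send the ticket issued by portal_host."""
    domain = ticket_domain(portal_host, relax_level)
    return {
        "ticket_domain": domain,
        "sent_to_portal": browser_sends_cookie(domain, portal_host, portal_host),
        "sent_to_alias": browser_sends_cookie(domain, portal_host, alias_host),
    }


if __name__ == "__main__":
    for level in (1, 3):
        for alias in (ALIAS_SAME_PARENT, ALIAS_OTHER_DOMAIN):
            print(level, alias, diagnose(PORTAL, alias, level))
    # Cookie header copied from the trace in the thread: no MYSAPSSO2 present.
    traced = "UserUniqueIdentifier=1174345919524; alreadyLogged=1179560552416"
    print("ticket in traced request:", has_logon_ticket(traced))
```

In this model, raising the level only helps an alias that shares a parent domain with the portal host; an alias in a different domain never receives the cookie, which matches a traced request that carries no MYSAPSSO2 and is answered with 401.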
Hi I was just wondering, if my iPod nano's serial number says that it is eligible, but its screen is not working, am I still eligibile for the iPod nano 1st gen replacement?
Yes. They'll still replace your iPod. Several users have indicated that they have returned damaged iPods and were still given a replacement iPod.
B-rock -
Site list update not working with TED and Zenworks for Servers
Product: Zenworks for Desktops 7Sp1 and Zenworks For Server/TED 7Sp1HP5
Subject: Site list update not working with TED and Zenworks for Servers ,
all on Linux
Description: We have an exiting environment with 6 ZfS Servers and now we
brought up a new Server for another location. I configured all same as on
the other Server and the new one created all NAL-Apps at the new location.
But in the Application Site list on the golden App is this Application
missing. So I clicked on the Link up site list on the Distribution Screen
in C1. On ApplicationSite list the App from the new location is missing.
So I removed all and added the new from the new location and now i see all
in the application site list.When I install an app on the client on the
new location NAL is connecting alway th the same (wrong location-server
and i get an msi error 1612 or id=53272 with path=\Wrong serverpath to
file.
I looked on the other tab on C1 at the golden app an I see the backlinks
are going to all other servers without the new one. Software installation
on other locations are ok
Regards
Andreas,
I forgot to mention that you can also set the logging level on the Distributor and the Subscriber to 6. To do this, at the Zenworks Server Management prompt type "setconsolelevel 6"; if you want to capture this to the log file ted.log then use "setfilelevel 6"
Next delete the Distribution from the Subscriber and then re-push the channel.
What we are looking for here in the log is the creation of the object and the linking information about the gold object. it should look like this (not the failure part ;-))) )
In this excerpt you will see the entry
Golden App =
This should be where the link is to
You can check this both ways in the Golden App and in the Distributed Application.
Here is a log from me that shows this info as an example of what you should be looking for.
2008.05.29 03:35:41 [TED:Work Order In(yourserver.yes.com)] Receiving distribution: Creating new application failed,
Subscriber Tree Name= YOUR-TREE,
Subscriber DN = SUBSCRIBER_YOURSERVER.BRN.FL.SUBS.SUBSCRIBERS.ZSM. GRS.CBH,
Golden App = SCRIPT-MS-HOTFIX.APP.BRN.ZENGOLD.GRS.CBH,
Attempted AppName = SCRIPT-MS-HOTFIX.APP.BRN.HAVERHI.PALM.FL.CBH,
error message: Failed creating SCRIPT-MS-HOTFIX.APP.BRN.HAVERHI.PALM.FL.CBH. With error message: Setting the trustee for BRN.HAVERHI.PALM.FL.CBH on the file "VOL1:\ZEN\UTILS" failed. Look in subscriber log file for more details..
2008.05.29 03:35:41 [TED:Event Processing] Handle Event: Work order IN completed... Creating new application failed,
Subscriber Tree Name= YOUR-TREE,
Subscriber DN = SUBSCRIBER_HAVERHI-FLBRN1.BRN.FL.SUBS.SUBSCRIBERS.ZSM.GRS.CBH,
Golden App = SCRIPT-MS-HOTFIX.APP.BRN.ZENGOLD.GRS.CBH,
Attempted AppName = SCRIPT-MS-HOTFIX.APP.BRN.HAVERHI.PALM.FL.CBH,
error message: Failed creating SCRIPT-MS-HOTFIX.APP.BRN.HAVERHI.PALM.FL.CBH. With error message: Setting the trustee for BRN.HAVERHI.PALM.FL.CBH on the file "VOL1:\ZEN\UTILS" failed. Look in subscriber log file for more details..
2008.05.29 03:35:41 [TED:Event Processing] Received (from haverhi-flbrn1.yesbank.com) Creating new application failed,
Subscriber Tree Name= YOUR-TREE,
Subscriber DN = SUBSCRIBER_HAVERHI-FLBRN1.BRN.FL.SUBS.SUBSCRIBERS.ZSM.GRS.CBH,
Golden App = SCRIPT-MS-HOTFIX.APP.BRN.ZENGOLD.GRS.CBH,
Attempted AppName = SCRIPT-MS-HOTFIX.APP.BRN.HAVERHI.PALM.FL.CBH,
error message: Failed creating SCRIPT-MS-HOTFIX.APP.BRN.HAVERHI.PALM.FL.CBH. With error message: Setting the trustee for BRN.HAVERHI.PALM.FL.CBH on the file "VOL1:\ZEN\UTILS" failed. Look in subscriber log file for more details.. -
Hello, my iPod touch is not working right. It says its connected but if I select App Store, safari and other apps that require wifi pops out a note saying either"error loading" or "cannot connect to iTunes Store" and would exit the app automatically. Please help.
Thank You.
See:
Can't connect to the iTunes Store -
My Time Capsule expired and no longer works. My printer (a HP) will now not work as it still wishes to connect through the Time Capsule. It will not allow itself be recognised through a USB connection to my Mac. Anyone got any ideas?
You will need to install the printer on your Mac
Open System Preferences (gear icon) on the dock
Open Print & Fax
Click the + (plus) button at the bottom of the printer list
Wait for your printer to appear in the next box, then click it to highlight it
Click Add at the lower right
Be sure to select the correct printer when you try to print as you will see your printer listed twice. Good idea to make the printer now installed on your Mac the default printer so you do not have to choose which printer to use each time you want to print.
You can also go into Print & Fax, select the printer associated with the Time Capsule and click the - (minus) button if you want to delete that location. -
My iPhone's screen is black, it does not work and I tried to hold press power and home press but it did not work? By the way for seconds I saw iTunes cable symbol, but unfortunately, I do not have backup for my iPhone in my mac, so how can I restore my iphone without loss of my data?
Thanks
lbryan1987 wrote:
I dont want the button problem solved i need to know how to restore the phone without using that button or going into settings
You don't in the condition it's in. You will either have to get the phone replaced by Apple or pay a 3rd party to repair it.
there seriously should be more than two ways to solve this other wise apple is useless and we will never buy another apple product.
Seriously? It's physically broken! -
I upgraded to Mountain Lion yesterday, but since doing so I find that my 1Password app will not work. I have checked for 1Password updates but there are none. Is there a compatibility issue
Hmmm...I'm using 1Password Version 3.8.20 (build 31499) with a fresh install (scrape and pave) of Mt. Lion on my iMac and it's working fine.
I use Dropbox to sync 1Password so for my fresh install I simply downloaded 1Password from Agilbits website and installed it.
Have you tried reinstalling 1Password? Depending on how you purchased it, download it from their website or from the Mac App store to reinstall/replace it. (IIRC v3.8.x comes directly from Agilbits and v3.9 from the Mac App store.) You shouldn't have to uninstall it, the new download should overwrite the existing copy.
As with anything else, be sure to run a backup first!
More here:
http://support.agilebits.com/discussions/1password-38-for-mac-from-agilebits-website/17861-finding-existing-data-file-when-reinstalling-1password
http://support.agilebits.com/discussions/1password-in-mac-app-store/3377-how-to-reinstall
http://support.agilebits.com/discussions/1password-38-for-mac-from-agilebits-website/13769-reinstall
http://support.agilebits.com/discussions/1password-in-mac-app-store/2394-reinstalling-1-password
Hope that helps.
D'oh! Mende1 beat me to it! -
I accidentally downloaded the search engine called Genieo and I am trying to remove it but it just wont go away! I followed the step to remove it but its not working. I am begging for someone's help!!
See if these instructions work:
http://www.thesafemac.com/arg-genieo/
Ciao. -
Wi-Fi does not work after 7 ISO download for iPhone 4s What is the solution
Wi-Fi does not work after 7 ISO download for iPhone 4s
What is the solution
For clarification, 7 ISO is not an Apple software product
iOS 7 is...
What is your issue with the wifi?
Have you reset network settings?
Can you include screenshots of the issue? -
I just got a 27" iMac (refurb, June 2011) and it's not working as an external display for my MacBook Pro (not Thunderbolt). Any idea why? Command+F2 does nothing. I am connecting via Belkin Minidisplay Port-to-Minidisplay Port adapter.
Any help is appreciated...thanks!
Currently the ThunderBolt iMacs can only be used as an external display by other ThunderBolt Macs.
http://docs.info.apple.com/article.html?path=Thunderbolt/10.6/en/30822.html
Apple is very clear about that.
2009 and 2010 27" iMac with a Mini DisplayPort can be used by other Macs with a MDP-to-MDP cable.
Stefan -
Help, do not work all the push notifications for iphone 4 (A1332) after the ios 7
Help, do not work all the push notifications for iphone 4 (A1332) after the ios 7
I have the exact same problem you have? I can occasionally get push notification, but only once a day for facebook. For twitter, I get nothing and never got. Other programs never got any notification at all. Push notification is on both under notification center and the respective programs. I have iOS 5.0.1 on iPhone 4S.