WAS Portal User locked - Due to bad logon

Hi,
Is it possible to adjust user's bad logon attemp in WAS portal 6.4?
If a user enter wrong password more than three time, the system locked that user. It happened three times to admin user. We activated SAP* and unlocked the user.
If any one knows like how to increase the number of wrong password attempt...it would be great.
Thanks,

Hi,
For increasing the logon attempts, you have to follow below steps:
Step 1: Go to <Driver>:\usr\sap\<System ID>\JCxx\j2ee\configtool --> Configtool.bat
ex: C:\usr\sap\Y76\JC03\j2ee\configtool --> Configtool.bat
Step 2: cluster-data --> Global server configuration --> services --> com.sap.security.core.ume.service
select property : "ume.logon.security_policy.lock_after_invalid_attempts = < Enter Number>"
ex: ume.logon.security_policy.lock_after_invalid_attempts = 6
Step 3: save
Step 4: Restart the Engine.

Similar Messages

User XISUPER locked due to incorrect logon

Hi all,
We are facing one major problem as
Time Ty. Nr Cl. User Tcod MNo Text
00:17:56 DIA 002 700 SAPJSF US1 User XISUPER locked due to incorrect logon
in system log.
We checked all the RFC connections all are fine.
What would be the issue?
Regards,
Shivraj C.
Edited by: Shiv Chalke on Jul 27, 2009 8:24 AM

Hi,
>>>We checked all the RFC connections all are fine.
in most cases such issues are very easy to track
just check out documentation on where the XISUPER is used
for example for SLD access from PI - SLDAPICUST, etc.
so just check it out and you will know in a flash
Regards,
Michal Krawczyk

PIRWBUSR - Locked due to incorrect logons

Hello,
after installation of XI 7.0 the user PIRWBUSR is locked due to incorrect logons. After unlock the user an set the password new in the XI (su01), SLD and in the Exchange Profile (com.sap.aii.rwb.serviceuser.pwd) the user is locked in the next minutes. Have somebody an idea, where i must change the password too?
Kind regards,
Markus

Hi Markus,
you can try the following actions:
- connect to http://<server>:<port>/useradmin, enter PIRWBUSER as logon name with the current password, and see if a password change is needed.
- if you are using ONE sld for two system, make sure that the 2 user (PIRWBUSER) have the same password.
Hope this help
Francesco

Locked due to incorrect logons ! (Lock 130)

users are being locked due to incorrect logon attempts, but the usual lock type of 128 for this type of error is not happening.
these users are being locked with 130.
when trying to replicate the problem using a test user on the same system, the account is locked with 128.
any thoughts?

Wolfgang Janzen wrote:>
> ... (and in some future release might no longer possible, due to the ABAP package concept which has become stricter with NetWeaver 7.10).
Thanks Wolfgang!
I have been curious for many months now and have also done some "advertising" with developers. All developers I know agree, but some would like to see it happen first...
We (over lunch etc) were speculating about the call stacks, repid etc and cprog were the main candidates.
Perhaps we were lost in the trees (and tables) and did not see the whole forest...
All people I respect consider this to be a step in the right direction, even if it creates some irritations...
I am sure that SDN can also help to sustainably overcome those irritations.
All the best for 2008 (and release ?) and thanks for all your insights and help to understand the system during 2007!
Kind regards,
Julius

Portal User Locked Hourly ..

Hi,
I have a very strange problem.
Since a password change of the portal user "Administrator", this account is locked hourly.
OS: W2k8
DB: MSSQL 2k8
SAP: Portal 7.00
User: Administrator (UME)
Portal IP: 192.168.1.1
responses.trc
[May 14, 2014 8:42:02 AM ] - 192.168.1.1 : POST /sld/cimom HTTP/1.1 401 1792
[May 14, 2014 8:42:02 AM ] - 192.168.1.1 : POST /sld/cimom HTTP/1.1 401 1792
[May 14, 2014 8:42:03 AM ] - 192.168.1.1 : POST /sld/cimom HTTP/1.1 401 1792
[May 14, 2014 8:42:03 AM ] - 192.168.1.1 : POST /sld/cimom HTTP/1.1 401 1792
[May 14, 2014 9:42:01 AM ] - 192.168.1.1 : POST /sld/cimom HTTP/1.1 401 1792
[May 14, 2014 9:42:01 AM ] - 192.168.1.1 : POST /sld/cimom HTTP/1.1 401 1792
[May 14, 2014 9:42:01 AM ] - 192.168.1.1 : POST /sld/cimom HTTP/1.1 401 1792
[May 14, 2014 9:42:01 AM ] - 192.168.1.1 : POST /sld/cimom HTTP/1.1 401 1792
security.log
#1.5 #00155D11160300650000014F00000F000004F95827B00C09#1400056919503#/System/Security/Audit##com.sap.security.core.util.SecurityAudit#Guest#0#SAP J2EE Engine JTA Transaction : [045ffffffe5ffffff8e00ffffffcefffffffa]#n/a##9d0725f0db4311e3c01800155d111603#SAPEngine_Application_Thread[impl:3]_0##0#0#Warning#1#com.sap.security.core.util.SecurityAudit#Plain###Guest    | USERACCOUNT.MODIFY    | UACC.PRIVATE_DATASOURCE.un:Administrator    |     | SET_ATTRIBUTE: lastfailedlogon=[{0001400053321593} -> {0001400056919450}], SET_ATTRIBUTE: PRINCIPAL_MODIFY_DATE=[{0001400053367448} -> {0001400056919483}], SET_ATTRIBUTE: failedlogonattempts=[{0} -> {1}], SET_ATTRIBUTE: LAST_MODIFIED_BY=[{} -> {Guest}]#
#1.5 #00155D11160300650000015000000F000004F95827B03D0C#1400056919521#/System/Security/Authentication##com.sap.engine.services.security.authentication.logincontext#Guest#0##n/a##9d0725f0db4311e3c01800155d111603#SAPEngine_Application_Thread[impl:3]_0##0#0#Info#1#com.sap.engine.services.security.authentication.logincontext#Plain###LOGIN.FAILED
User: N/A
Authentication Stack: sap.com/com.sap.lcr*sld
Login Module                                                                                                         Flag        Initialize Login      Commit     Abort      Details
1. com.sap.security.core.server.jaas.EvaluateTicketLoginModule             SUFFICIENT ok          false                 true
2. com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule   REQUISITE   ok          exception             true       Authentication did not succeed.
3. com.sap.security.core.server.jaas.CreateTicketLoginModule               OPTIONAL    ok                                true       #
#1.5 #00155D111603006F0000014100000F000004F95827B072ED#1400056919624#/System/Security/Audit##com.sap.security.core.util.SecurityAudit#Guest#0#SAP J2EE Engine JTA Transaction : [045ffffffe5ffffff8e00ffffffcf0]#n/a##9d199c80db4311e38ead00155d111603#SAPEngine_Application_Thread[impl:3]_4##0#0#Warning#1#com.sap.security.core.util.SecurityAudit#Plain###Guest    | USERACCOUNT.MODIFY    | UACC.PRIVATE_DATASOURCE.un:Administrator    |     | SET_ATTRIBUTE: LAST_MODIFIED_BY=[{} -> {Guest}], SET_ATTRIBUTE: PRINCIPAL_MODIFY_DATE=[{0001400056919483} -> {0001400056919606}], SET_ATTRIBUTE: lastfailedlogon=[{0001400056919450} -> {0001400056919576}], SET_ATTRIBUTE: failedlogonattempts=[{1} -> {2}]#
#1.5 #00155D111603006F0000014200000F000004F95827B0B823#1400056919654#/System/Security/Authentication##com.sap.engine.services.security.authentication.logincontext#Guest#0##n/a##9d199c80db4311e38ead00155d111603#SAPEngine_Application_Thread[impl:3]_4##0#0#Info#1#com.sap.engine.services.security.authentication.logincontext#Plain###LOGIN.FAILED
User: N/A
Authentication Stack: sap.com/com.sap.lcr*sld
Login Module                                                               Flag        Initialize Login      Commit     Abort      Details
1. com.sap.security.core.server.jaas.EvaluateTicketLoginModule             SUFFICIENT ok          false                 true
2. com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule   REQUISITE   ok          exception             true       Authentication did not succeed.
3. com.sap.security.core.server.jaas.CreateTicketLoginModule               OPTIONAL    ok                                true       #
#1.5 #00155D111603006A0000019C00000F000004F95827B45A12#1400056920281#/System/Security/Audit##com.sap.security.core.util.SecurityAudit#Guest#0#SAP J2EE Engine JTA Transaction : [045ffffffe5ffffff8e00ffffffcf7]#n/a##9d7ddc90db4311e3b8e200155d111603#SAPEngine_Application_Thread[impl:3]_19##0#0#Warning#1#com.sap.security.core.util.SecurityAudit#Plain###Guest    | USERACCOUNT.MODIFY    | UACC.PRIVATE_DATASOURCE.un:Administrator    |     | SET_ATTRIBUTE: PRINCIPAL_MODIFY_DATE=[{0001400056919606} -> {0001400056920260}], SET_ATTRIBUTE: failedlogonattempts=[{2} -> {3}], SET_ATTRIBUTE: LAST_MODIFIED_BY=[{} -> {Guest}], SET_ATTRIBUTE: lastfailedlogon=[{0001400056919576} -> {0001400056920224}]#
#1.5 #00155D111603006A0000019D00000F000004F95827B463A9#1400056920295#/System/Security/Authentication##com.sap.engine.services.security.authentication.logincontext#Guest#0##n/a##9d7ddc90db4311e3b8e200155d111603#SAPEngine_Application_Thread[impl:3]_19##0#0#Info#1#com.sap.engine.services.security.authentication.logincontext#Plain###LOGIN.FAILED
User: N/A
Authentication Stack: sap.com/com.sap.lcr*sld
Login Module                                                               Flag        Initialize Login      Commit     Abort      Details
1. com.sap.security.core.server.jaas.EvaluateTicketLoginModule             SUFFICIENT ok          false                 true
2. com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule   REQUISITE   ok          exception             true       Authentication did not succeed.
3. com.sap.security.core.server.jaas.CreateTicketLoginModule               OPTIONAL    ok                                true       #
#1.5 #00155D111603005E000000FF00000F000004F95827B4A30A#1400056920413#/System/Security/Audit##com.sap.security.core.util.SecurityAudit#Guest#0#SAP J2EE Engine JTA Transaction : [045ffffffe5ffffff8e00ffffffcfd]#n/a##9d9200d0db4311e3a8cf00155d111603#SAPEngine_Application_Thread[impl:3]_24##0#0#Warning#1#com.sap.security.core.util.SecurityAudit#Plain###Guest    | USERACCOUNT.MODIFY    | UACC.PRIVATE_DATASOURCE.un:Administrator    |     | SET_ATTRIBUTE: lastfailedlogon=[{0001400056920224} -> {0001400056920362}], SET_ATTRIBUTE: LAST_MODIFIED_BY=[{} -> {Guest}], SET_ATTRIBUTE: failedlogonattempts=[{3} -> {4}], SET_ATTRIBUTE: PRINCIPAL_MODIFY_DATE=[{0001400056920260} -> {0001400056920395}]#
#1.5 #00155D111603005E0000010000000F000004F95827B4AB21#1400056920424#/System/Security/Authentication##com.sap.engine.services.security.authentication.logincontext#Guest#0##n/a##9d9200d0db4311e3a8cf00155d111603#SAPEngine_Application_Thread[impl:3]_24##0#0#Info#1#com.sap.engine.services.security.authentication.logincontext#Plain###LOGIN.FAILED
User: N/A
Authentication Stack: sap.com/com.sap.lcr*sld
Login Module                                                               Flag        Initialize Login      Commit     Abort      Details
1. com.sap.security.core.server.jaas.EvaluateTicketLoginModule             SUFFICIENT ok          false                 true
2. com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule   REQUISITE   ok          exception             true       Authentication did not succeed.
3. com.sap.security.core.server.jaas.CreateTicketLoginModule               OPTIONAL    ok                                true       #
Normaly that means that the CIM Client is not correctly configured, but the SLD runs over the SolMan (7.1) and in the VisualAdmin > Server > Services > SLD Data Supplier
HTTP Settings and CIM Client Settings are set to the SolMan host and uses the SLDDSUSER to sync the data with the SLD.
Does anyone have an idea what process will connect hourly to the portal where the Administrator is set as user?
I've been searching and reading the now for over two days on the SCN and the web, but I didn't figured it out.
It looks like the portal itselfs want to connect to the local /sld/cimom but the SLD of the portal is still stopped, and also if its running, I get the same error every hour.
Thanks for any advise!
Tobias

Hi Tobias,
Please do the following once, if possible.
1. Please change the password of administrator user and save the password in secure store and recycle the system.
2. You may create a user with equivalent access/permission like administrator temporarily, until this problem is resolved, so that you can unlock the administrator logging in with that id.
3. Please check if that administrator is being used in any connection from java stack, where the password is still old.
4. Attach the default trace here at the time when the user is getting locked. We want to check further.
5. You can follow what David advised in the SAP note, if you can identify the real cause, otherwise follow the above steps.
Thanks.
Regards,
Sujit Kumar Banerjee.

Continuous Portal User Locking

Hi Experts
We are experiencing a problem where the Portal Users are continuously locking themselves when accessing Travel Management.
There doesn't seem to be any valid reason for this and we can't even replicate the problem consistently to try and determine where the problem may lie.
Has anybody else experienced this?
Is there maybe a SAP Note that I can't find which may fix the problem?
Any help and advice will be appreciated, thanks.
Anton

Hi Anton
Our developers corrected the application with OSS note 1466697 for WD ABAP with application of "dirty flag" but there were rendering corrections released for work protect mode - "work protect JS" in the new UR library
1543743
1543744
I'm not WD ABAP expert but I believe this works using wdr_test_portal_workprotect - I searched for similar issue and one other thing to check is the following as otherwise not adhering to following rules can cause issue with locking and navigation.
- Both, the Portal URL and the Web Dynpro ABAP URL need to be URLs with
a fully qualified domain name, ending with a common part of the fully
qualified domain name.
Fully Qualified Domain Names (FQDN): http://help.sap.
com/saphelp_nw70/helpdata/EN/67/be9442572e1231e10000000a1550b0/frameset.
htm
- Web Dynpro ABAP is integrated in a Web Dynpro ABAP iView, and must not
be integrated in a URL iView
Creating Web Dynpro ABAP iViews: http://help.sap.
com/saphelp_nw70/helpdata/EN/1d/e4a34273f60b31e10000000a1550b0/frameset.
htm

Unlock specified users which locked due to incorrect logon automatically

Hi experts, All users will be locked if he logon incorrectly 3 times in our system now and unlocked in the midnight.
Can I unlock some specified users automatically in specified time I set or is there any method to exclude these specified users to be locked even logon incorrectly 3 times ?
Best wishes,
Evan

>
Rao Evan wrote:
> Hi Alex, thank you for your reply, it seems there is no normal method to do it. Maybe I need ABAPer to help solve it.
>
> Best wishes,
>
> Evan
Hi Evan,
Alex is right: it's worth to clarify (with the auditors) which system behavior is desired before taking any action (in terms of coding). Let me guess: those "special" users are belonging to the "upper management" user group ... - they just don't like the feeling of being "locked out" (even if it was their own fault not to memorize the password). Unfortenately, exactly those users are critical and potentially subject of password attacks (since they are equipped with powerful authorizations).
Maybe it would sense to convince the management to invest in smardcards (at least for that special user group). Using a non-password based user authentication mechanism eliminates the risk of undesired password locks - without imposing other (even greater) risks.
If you still want to implement such automatic unlocking (despite the advice given above) you should write your own tiny ABAP report which then submits function calls to BAPI_USER_UNLOCK and schedule a periodic background job for that report.
Cheers, Wolfgang

DDIC and SAP* locked due to bad logins

Hi!
I'm setting up a WAS 7.0/CRM5.1 system and have encountered som problems.
My DDIC and SAP* users have been locked in both the production client and the 000 client.
I found a note on how to solve this and that was to delete the SAP* from the USR02 table. Then the password would be PASS and I would be able to log on.
I deleted the SAP* user from client 000, but I stil can't log on! Should the user be deleted in the other clients as well or have I done something bad?
regards
rollo

- enter oslevel as user <sid>adm of ora<sid>
- on oracle use e.g. sqlplus, connect as sapr3 (resp. sap<SID) and enter delete from usr02 where mandt = '000' and bname = 'SAP*'; then commit;
- as of WebAs 7.0 it's forbidden by default to logon as SAP* so you also have to set profile parameter and restart the system.
see also SAP note <a href="https://websmp201.sap-ag.de/~form/handler?_APP=01100107900000000342&_EVENT=REDIR&_NNUM=68048&_NLANG=E">68048</a> and <a href="https://websmp230.sap-ag.de/sap(bD1kZSZjPTAwMQ==)/bc/bsp/spn/sapnotes/index2.htm?numm=0000862989&nlang=E">862989</a>

Portal User Locked

Hi Paul,
I have the same problem as reported by Vikas. I have a user called "test2" who is locked out due to login failures.
When I click on the link you have provided to get more info, I get the "Server not found" message. Could you please forward me the information ?
Thanks
-Virinder.

Hi Paul,
Thanks for the input. I ran the ssounlck.sql script but I cannot still login. I get the message "Your username has been locked out from this IP address".
Here are my settings from Login Server's Account Lock Policy:
Global lockout duration: 1 days
Lockout duration for one IP address: 15 mins
Single Sign-On session duration: 24 hrs
Do I have to change these settings to see the unlocking taking place today ? Also, what if I want the Global lockout duration to be less than 1 day ?
Thanks for your help,
-Virinder.

Aultomatic User Locks due to no activity/no logins

Hi All,
I am on version 4.6C. I am looking for a way to lock users automatically if they don't logon for a period of lets say 90 days. I want to know if there is a way, preferably a system parameter which can do this for me?If not is there any standard way to automate this?
Best Wishes,
CP

I think it depends on your version. My NetWeaver 2004 miniSAP has a parameter called "login/password_max_idle_productive". According to [SAPhelp|http://help.sap.com/saphelp_nw2004s/helpdata/en/22/41c43ac23cef2fe10000000a114084/frameset.htm] this is available after SAP NetWeaver 6.40.
So basically upgrading is a way to automate this Or bespoke programming like Sneha suggested.

User locking due to failed login attempts.

Hi,
Is there any way to find out the terminal name from which failed attempts made causing locking of user name?
With Best Regards,
Rajkumar

Hi Rajkumar
I tries if the statistics of transaction STAD show the terminal id, too. However, when experimenting with this it seems to be the case that the terminal ID is only available if you are already authenticated at the system. Therefore, only the Security Audit Log with transaction SM19 and SM20 would log the required information.
Kind regards
Frank

Admin. user locked report

Dear All,
Its by mistake consultant locked and unlocked all users in wrong client,i would like to know list users with Adminstrator lock set till perticular date were uncloked.

Ramesh,
What you need to concentrate here is on change documents. To see what time the account locked / update. Do they match. if so then something wrong with program /or the methods you are using to update it.
from transaction SUIM > user > With incorrect logon attempts
you can monitor :
- Number of incorrect logon attempts (users that are not locked)
- Users locked due to incorrect logon attempts
- Users locked by administration
- Users locked globally in the central system (if you are using CUA)
- Users locked locally and globally by the administration (if you are using CUA)
or by run report RSUSR006 via SE38
or
you can also check the the lock unlock status details in change log Tcode: SUIM
or the report "RSUSR002"and "RSUSR200"
Thanks,
Sri

How can I konw , Which computer name or IP Address make SAP User lock

Dear all,
I have one issues about SAP user lock,
Now I don't know which computer name or IP Address make user lock.
How can I check it or Can you tell me about the table that keep information about the ip address or computer name?
I can see the computer name when I use t-code al08 or sm04.
But I don't know the table that keep data from this t-code.
Pls suggest me for this issue.
Regards,
Pannee

In SM21
If you double click on the message "User XXXXX locked due to incorrect logon"
You'll see under details the name of the terminal
Terminal............ XXXXXXXXXXX
for IP address just ping the terminal.
Regards
Juan

User unlock due to Incorrect attempts

Hello Experts,
We are trying to implement a solution where password reset should also unlock users locked due to incorrect attempts in SAP. Is there a way in IDM to identify the lock type of a user
Best Regards,
Mohammed

Hi Mohammed,
Here is my solution, it works, but you will have to add additional task and script to check the status(as well, it will take longer).
Solution:
In your order task group 8. Set ABAP User password(SAP connectors) add additional task(as first task), that will read from SAP(read the islocked - flag(for user lock) and iswronglogon - flag(for password lock) from SAP) and store the data in some temporary table(sap_locked_temp_table....), as well when you are reading the data from SAP you can add a script to check the result and in case of SAP lock - islocked=L, to skip the next task(skip the password change for this system). Keep in mind that you will have to do this check for each system, so in your temporary table you have to keep not only the userid, but and the system in which the user is locked.
But if you want to unlock the password, without unlocking the user, it's not possible, as the flag iswronglogon doesn't work with ToSAP pass, you can only read it.
My solution works in case you want to unlock the password only if the user is unlocked.
BR,
Simona

WF-BTACH user locked in the Producation

Hi Experts,
In producation, wf-batch user locked due to some reasons for two days. Now we unlocked the user and all workflow's are working fine.
But the problem is, there are some 200 workflow's are triggered on the same two days. Most of those workflow's are hanged. All the background tasks in workflow's are having the status as 'Ready'.
We are not able fix this using transaction SWPR - continue workflow after error and SWPC. Because those are workflow's are listed in the above transaction.
Is there any way to restart those workflow's? there is no error in the workflow. Its just hanging in the middle.
Kindly help me on this.
Helps will be highly appreciated.
Thanks,
Nandini.

Hello Nandini !
You have stated that background tasks are in "READY" state.Check in the workflow log whether all the parameters are populated properly for those background tasks.If not, check any exceptions are thrown.The exception message should state why the background task is not in "COMPLETED" status.
Ensure why container values are not populated for those background tasks and enter the appropriate values to those containers in workflow log and execute the workflow from SWPR.
Regards,
S.Suresh

WAS Portal User locked - Due to bad logon

Similar Messages

Maybe you are looking for