Sunday, July 17, 2011

How to analyze Audit Information System (AIS) and trace error logs during user logon


Ever wondered what the error codes mean when analyzing your AIS or trace logs? Here are some hints on what each code means and how users or administrators should react to the messages:
1  Incorrect logon data (client, user name, password)
User: check the logon data entered (enter data again)
Admin: check the logon data for the service users, for example in the ITS service file (usually wrong client) or in the RFC destinations (usually wrong password)
2  User is locked (by administrator or on account of failed logons)
User: Contact user administrator / helpdesk
Admin: Release lock(s) (transaction SU01)
3  Incorrect logon data; for SAPGUI: connection closed
See error code 1.
4  Logon using emergency user SAP* (refer to Note 2383)
User: no error – logon successful
Admin: deactivate the automatic user SAP* if necessary
(Note 68048)
5  Error when constructing the user buffer (==> possibly a follow-on error!)
User: Contact user administrator / helpdesk
Admin: solve technical problem (refer to Note 10187)
6  User only exists in the central user administration (CUA)
User: check the logon data entered (enter data again)
Admin: check settings for the central user administration
(refer to Note 159885)
7  Invalid user type
User: check the logon data entered (enter data again)
Admin: change user type (transaction SU01)
8  User account outside validity period
User: Contact user administrator / helpdesk
Admin: change validity period (transaction SU01)
9  SNC name and specified user/client do not match
User: check the logon data entered (enter data again)
Admin: change SNC assignment if necessary (transaction SU01)
10  Logon requires SNC (Secure Network Communication)
User: Contact system administrator / helpdesk
Admin: check SNC settings (refer to “SNC User’s Guide”)
11  No SAP user with this SNC identification in the system
User: Contact system administrator / helpdesk
Admin: if necessary, enhance or correct SNC name mapping ==> R/3 account (table USRACL(EXT))
(transaction SU01)
(see: SAPnet – http://service.sap.com/security:
-> Security in Detail -> Infrastructure Security:
“SNC User’s Guide”)
12  ACL entry for SNC-secured server-server link is missing
User: Contact system administrator / helpdesk
Admin: if necessary, enhance or correct SNC name mapping ==> access types (table SNCSYSACL)
(transaction SNC0).
This setting is necessary for
X.509 certificate logons, external IDs or
SNC-secured system-system links (RFC)
(see: SAPnet – http://service.sap.com/security:
-> Security in Detail -> Secure User Access -> Authentication & Single Sign-On:
“SNC User’s Guide” or
“X.509 Certificate Logon via the ITS”)
13  No suitable SAP account found for the SNC name
User: Contact system administrator / helpdesk
Admin: see error code 11 (=> Note 650347)
14  Ambiguous assignment of SNC names to SAP accounts
User: Contact system administrator / helpdesk
Admin: see error code 11 (=> Note 650347)
20  Logon using logon ticket is deactivated
User: Contact system administrator / helpdesk
Admin: Set profile parameter login/accept_sso2_ticket = 1
(Refer to Note 177895 – Technical Prerequisites)
21  Syntax error in the received logon ticket
User: Contact system administrator / helpdesk
Admin: analyze the error by trace (Level 2, only “Security” component),
contact the SAP Hotline if necessary (BC-SEC)
22  Digital signature check for logon ticket fails
User: Contact system administrator / helpdesk
Admin: analyze the error by trace (Level 2, only “Security” component),
check settings using transaction SS02,
(configuration error, refer to Note 177895),
contact SAP Hotline if necessary (BC-SEC-SSF)
23  Logon ticket issuer is not in the ACL table
User: Contact system administrator / helpdesk
Admin: analyze the error by trace (Level 2, only “Security” component),
check settings using transaction SS02
(configuration error, ACL table: TWPSSO2ACL,
see Note 177895)
24  Logon ticket is no longer valid
User: log on to the Workplace server (ticket issuer) again
Admin: extend the ticket validity period if necessary
(profile parameter login/ticket_expiration_time)
30  Logon using X.509 certificate is generally deactivated
User: Contact system administrator / helpdesk
Admin: set profile parameter snc/extid_login_diag = 1 if necessary
(see: SAPnet – http://service.sap.com/security:
-> Security in Detail -> Secure User Access -> Authentication & Single Sign-On:
“X.509 Certificate Logon via the ITS”)
31  Syntax error in the received X.509 certificate
User: Contact system administrator / helpdesk
Admin: analyze the error by trace (Level 2, only “Security” component),
contact SAP Hotline if necessary (BC-SEC-SSF)
32  X.509 certificate does not originate from the Internet Transaction Server
User: Contact system administrator / helpdesk
Admin: Check the configuration – this error is very rare,
analyze the error by trace (Level 2, only “Security” component),
contact the SAP Hotline if necessary (BC-SEC)
34  No appropriate SAP account found for the X.509 certificate
User: Contact system administrator / helpdesk
Admin: Check the X.509 certificate mapping ==> R/3-Account
(Table USREXTID, TYPE=DN using view VUSREXTID, SM30),
analyze the error by trace (Level 2, only “Security” component)
(display X.509 certificate contents).
(see: SAPnet – http://service.sap.com/security:
-> Security in Detail -> Secure User Access -> Authentication & Single Sign-On:
“X.509 Certificate Logon via the ITS”)
35  Ambiguous assignment of X.509 certificate to SAP account
User: Contact system administrator / helpdesk
Admin: Check the X.509 certificate mapping ==> R/3-Account
(as for error code 34), alternatively you can enter
USER=* as part of the logon process (RFC) and thereby force the mapping onto the
“selected” entry (No. 000).
41  No suitable SAP account found for the external ID
— analogous to error code 34, difference: different TYPE assignment
42  Ambiguous assignment of external ID to SAP accounts
— analogous to error code 35, difference: different TYPE assignment
50  Password logon is deactivated
User: contact system administrator / helpdesk or
use other logon variant (=> Single Sign-On)
Admin: see note 379081: Profile parameters
- login/disable_password_logon
- login/password_logon_usergroup
51  Initial password has not been used for too long
User: Contact user administrator / helpdesk
Admin: assign new password (transaction SU01)
see note 379081: Profile parameters
- login/password_max_new_valid
- login/password_max_reset_valid
- login/password_max_idle_initial (from 7.00)
52  User does not have a password
User: Contact user administrator / helpdesk
Admin: assign new password (transaction SU01)
53  Password lock active (too many failed logons)
User: Contact user administrator / helpdesk
Admin: release lock and assign new password if necessary
see note 939017: Distinction between types of locks
54  Productive password has not been used for too long
User: Contact user administrator / helpdesk
Admin: assign new password (transaction SU01)
see note 862989: Profile parameter
- login/password_max_idle_productive
100  Client does not exist
User: check the logon data entered (enter data again)
Admin: check the logon data for the service users, for example in the ITS service file
or in the RFC destinations (client specification)
101  Client is currently locked for logons (upgrade running)
User: contact system administrator / helpdesk or
carry out logon at a later stage
Admin: See Note 12946.
1001 Password has expired – interactive change required (RFC/ICF)
User: Contact system administrator / helpdesk
Admin: set profile parameter rfc/reject_expired_passwd = 0 or
profile parameter icf/reject_expired_passwd = 0
(see Notes 161146 and 454962)
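
An added example (not part of the original post): a small Python triage that groups the logon error codes listed above per user and reports the cases an administrator would want to look at first. The comma-separated record layout, the user names and the threshold of three are assumptions constructed for illustration; this is not SAP's native AIS or trace format.

```python
import csv
from collections import Counter, defaultdict
from io import StringIO

# Constructed sample records (hypothetical export layout, not SAP's own):
# timestamp, client, user, logon error code
SAMPLE = """\
2011-07-17T08:00:01,100,JSMITH,1
2011-07-17T08:00:09,100,JSMITH,1
2011-07-17T08:00:15,100,JSMITH,1
2011-07-17T08:00:21,100,JSMITH,53
2011-07-17T08:05:40,000,SAP*,4
2011-07-17T08:10:02,100,RFC_SVC,1
2011-07-17T08:12:30,100,PORTAL01,23
2011-07-17T08:15:00,100,MJONES,8
"""

# Error codes taken from the list above, grouped by what they indicate.
BAD_CREDENTIALS = {1, 3}        # incorrect logon data
LOCKED = {2, 53}                # user locked / password lock active
EMERGENCY_USER = {4}            # logon using emergency user SAP*
TICKET_OR_CERT = {20, 21, 22, 23, 24, 30, 31, 32, 34, 35}

def triage(text, threshold=3):
    """Return a sorted list of (user, finding) tuples for admin follow-up."""
    per_user = defaultdict(Counter)
    for row in csv.reader(StringIO(text)):
        if len(row) != 4:       # skip blank or malformed lines
            continue
        _ts, _client, user, code = row
        per_user[user][int(code)] += 1
    findings = []
    for user, codes in per_user.items():
        bad = sum(codes[c] for c in BAD_CREDENTIALS)
        locked = any(codes[c] for c in LOCKED)
        if any(codes[c] for c in EMERGENCY_USER):
            findings.append((user, "emergency user SAP* logon (code 4)"))
        if bad >= threshold and locked:
            findings.append((user, "repeated wrong logon data, then lock"))
        elif bad >= threshold:
            findings.append((user, "repeated wrong logon data"))
        if any(codes[c] for c in TICKET_OR_CERT):
            findings.append((user, "logon ticket / X.509 configuration error"))
    return sorted(findings)

if __name__ == "__main__":
    for user, finding in triage(SAMPLE):
        print(f"{user:10} {finding}")
```

A single code 1 (RFC_SVC) or an expired validity period (MJONES, code 8) is not reported; those are handled per the User/Admin hints in the list.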

1 comment:

Unknown said...

I think it's great that you have taken the time to post this information... SAP Basis Services