07-26-2016 10:36 PM
A dialog user is being locked regularly and I cannot find how or from where. I have already checked logs, Gateway, rfc trace everything but I cannot find whom is locking the user.
sm20 shows something like this
07-27-2016 12:25 AM
did you check the logs in the connecting systems where the call is originating from?
07-27-2016 12:51 AM
If you don't get the source information in Security Audit Log, I would recommend you, as a second option, to enable the Gateway logging with Open RFC Connection option enabled, to monitor all the connections being performed against your system. Once you detect in SM20 the user was locked again, then go and check in Gateway logging for that specific time frame.
You should see something like this:
O Tue Jul 26 2016 20:47:47:636 open server connection (lu=<IP_ADDRESS>, addr=<IP_ADDRESS>, tp=sapdp00, type=R3_CLIENT)
If you correlate the time stamp of this type of event with the time stamp of the events in SM20 then you will find the source IP address, after that you can check who is the owner of that IP address.
07-27-2016 3:21 AM
Hello,
Check the RFC-connections pointing to the affected system for incorrect credentials.
SAP Notes 495911, 171805 will help you further.
Regards,
David
07-27-2016 5:00 AM
Hi,
I think, it comes from some sort of RFC logons, may be from external systems. With the old version of Kernel, all the details of RFC failures will not be logged in SM20. I would suggest you try to analyse it with a profile parameter "rfc/signon_error_log" (dynamically changeable, no restart is required). With this parameter, you can generate the short dump for RFC logon failure to analyse it further. Hope this may help you a bit. Refer the below note for more information.
91980 - Missing output of RFC short dump after login error
Regards,
Ganesan
07-27-2016 7:11 PM
Thanks everybody for your quick and helpfull answers. I don´t know whats's going on. I have checked dev_w0 and gateway trace file and SM20 transaction. I could match the user at the time it is being blocked looking at sm20 and dev_w0 . Nevertheless I couldn´t follow a convid from dev_w0 file to dev_rd file in order to identify the origin of the blocking session. Any idea ?
Thanks for your help.
DEV_W0
M Wed Jul 27 05:38:20 2016
M ***LOG US1=> Login, Wrong Password (TECBAPT ) [sign.c 4527]
M
M Wed Jul 27 05:40:03 2016
M
M *****************************************************************************
M *
M * LOCATION SAP-Gateway on host sapap1 / sapgw01
M * ERROR connection to partner 'loopback:0' broken
M *
M * TIME Wed Jul 27 05:40:03 2016
M * RELEASE 701
M * COMPONENT NI (network interface)
M * VERSION 38
M * RC -6
M * MODULE nixxi.cpp
M * LINE 4205
M * DETAIL NiIRead
M * SYSTEM CALL recv
M * COUNTER 96657
M *
M *****************************************************************************
M
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
SM20
sapap1|27.07.2016|03:38:19|TECBAPT| | |SAPMSSY1 |RFC/CPIC Logon Failed, Reason = 1, Type = R |
|sapap1|27.07.2016|04:38:19|TECBAPT| | |SAPMSSY1 |Password check failed for user TECBAPT in client 100 |
|sapap1|27.07.2016|04:38:19|TECBAPT| | |SAPMSSY1 |RFC/CPIC Logon Failed, Reason = 1, Type = R |
|sapap1|27.07.2016|05:38:20|TECBAPT| | |SAPMSSY1 |Password check failed for user TECBAPT in client 100 |
|sapap1|27.07.2016|05:38:20|TECBAPT| | |SAPMSSY1 |User TECBAPT Locked in Client 100 After Erroneous Password Checks
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
07-27-2016 11:44 PM
Hi,
Do you have any short dump for this logon failure in ST22? Is it possible for you to create the dump as i mentioned in my previous post as you are using the old Kernel patch of 701 release? We can have more information in short dump about this error. The information in SM20 and dev*.log is not enough to trace the root cause.
Regards,
Ganesan
07-29-2016 2:22 AM
Hello,
The explanation of this 'RFC/CPIC Logon Failed, Reason = 1, Type = R'
can be seen in the attached note 320991:
Reason 1 means -> Incorrect logon data (client, user name, password)
Hence, what is happening? The RFC call is being made using this user with incorrect logon data.
Unfortunately, there is no way to find which RFC is using it; you will have to perform a deep search on this system.
In such scenarios, if you cannot find the incorrect RFC being used, the recommendation is to create a copy of this user and use the copied user instead. Otherwise, the solution is to find the RFC with incorrect logon data and correct it.
Regards,
David
08-01-2016 2:01 PM
As David told you earlier already, you can use SAP note 171805 to find out, from where the RFC is coming from. There oyu have to check each connection then if it uses TECBAPT .
b.rgds Bernhard