SAC & SMC (Marketing Cloud) Live connection fails: Error: invalid_grant, No user found with alias

MKreitlein
Active Contributor

Dear Community,

Me and a colleague have been investigating for weeks now, why the establishment of a Live data connection (SAPMKTNW) for the SAC Content of Marketing Cloud is not working... without a solution so far 😞

We've opened an incident with SAP but still there is no explanation of the issue... so we are seeking other experts who have successfully achieved this connection already.

What we did: We followed the whole documentation here:

https://help.sap.com/viewer/0f9408e4921e4ba3bb4a7a1f75f837a7/2108.500/en-US/3164d452b44440b1bffd2fc3...

All steps, except the last were executed successfully ... only when creating the Live connection, we receive error:

You are not authorized to query the remote system. Please ask your administrator to grant you the InA role

see: https://launchpad.support.sap.com/#/notes/2805974

So far, I have nowhere found what exactly the InA role is - however my user in Marketing Cloud has basically every role - but this message is misleading, since the real error in the Chrome Debugger is:

Error: invalid_grant: Provided authorization grant is invalid. Exception was No user found with alias 'myname@mycompany' (format: unspecified)


The strange thing is:

- We use the same Identity Provider for both, the SAC and the Marketing Cloud.

- If I open either of the two URLs, for SAC and SMC, and use the same login e-mail address in lower case letters and the same password, then I get access to both systems without any issue.

Our configuration in the IDP is like you can see the same:

Basically, it seems that not the communication user "SAC" - which is used in the SAC connection - is checked against the Marketing Cloud, but it is MY personal user, who is trying to establish the connection. Isn't this weird?

The SAP colleagues who worked on the incident checked all the Marketing Cloud settings we did, and obviously all entries we did are correct, since - if you ask me - the help guide could explain it better, like this:

The only thing which is not working is to enter my mail address in the SMC client directly:

Is there any setting in Marketing Cloud to enable that? My user contains my mail address so there is a relation between the IDP log in and forwarding to SMC. ... this is the last idea I have.

Any ideas of what to do or what to check are highly appreciated.

Thanks,

Martin

Accepted Solutions (0)

Answers (5)


MKreitlein
Active Contributor

Dear all,

in the meantime we were able to solve our issue.

The settings in Marketing Cloud had already been correct ... the hint from the blog provided by Marc Dorais about the Audience helped as well.

The main issue was located in our IDP!

For SAC the login SAML attribute was e-mail, but Marketing Cloud is not able to handle e-mail.

So we had to change the login field to a custom attribute, so that the login works via user ID, which then is the same as in Marketing Cloud ... and voila, the connection can be established.

Unfortunately you never find that out via the "InA role is missing" error message 😞

The help page documentation / screenshots are not really valuable, since you can only guess which entry is which.

And also in the Marketing Cloud, there should be some more validation steps, during setup in Communication system and scenario.

BR, Martin

JaySchwendemann
Active Contributor
0 Kudos

Hi Martin,

am I getting it right, that you did the following (amongst others) to make it work?

  1. SAC: Select "Custom" in " Step 3: Choose a user attribute to map to your identity provider"
  2. SAC: Change the "SAML_USER_MAPPING" field to match Login ID in SMC, say from "me@example.com" to "me12345"
  3. In SMC you see "me12345" in the "user name" field

Another question, if I may: You seem to have harmonized your IdP to SAP IAS, so both SMC's and SAC's IdP is SAP IAS, correct? Did you (maybe later) switch away from that harmonization? The reason I'm asking is I have already set up the IdP for SAC to be MS Azure. I have also put SMC's IAS into federation so it will use MS Azure. In my book (that might be wrong) this should be enough to have SMC accept a SAML token issued for a user logged onto SAC?

Many thanks and Cheers

Jens

MKreitlein
Active Contributor

Hello jens.schwendemann

yes, basically you are right... we changed the SAML User Mapping from Mail to User ID, which must match between SAC and SMC to achieve the login.

As of now, no, we did not yet switch away... but maybe we will again, since it was just for testing purposes of our Demo SAC.

After that we faced another issue during the BW Live login, which I described here and for which we still did not find the right solution:

https://answers.sap.com/questions/13598171/sac-bw-live-connection-with-saml2-shows-error-iola.html

I really don't understand why SAP created things like this so complicated 😞

10 or 15 years ago you had proper wizards, with which you could go through all steps and you knew in the end it would work.

Here you just get confusing error messages which do not reflect the root cause at all.

BR, Martin

marc_dorais
Advisor

Hello Martin,
Perhaps you can check this blog with the most common issues when connecting SAP Analytics Cloud with SAP Marketing Cloud.
Best regards,
Marc

MKreitlein
Active Contributor
0 Kudos

Dear foekenm and abdullah.amerk

I went through the help pages again, to start looking for issues right from the beginning...

One thing came to my mind... this is the OAuth Client, which is created in SAC and used in SMC:

https://help.sap.com/viewer/00f68c2e08b941f081002fd3691d86a7/release/en-US/4f43b54398fc4acaa5efa32ba...

I'm wondering: In my SAC there is no choice for the lifetime of the Token. It is pre-defined as 1 hour and I cannot change it to blank, like described in this link.

Could this also be the or one problem?

We created the OAuth client once and have been trying the connection for weeks now with different settings, changes etc. but if this is valid only for one hour we would have to delete it and create it again before every new try, since you cannot edit the numbers, neither upon creation, nor afterwards:

Or would this have led to a different error later, and still the error 403 (invalid_grant) prevents this error from occurring?

I really wish there were more explanations and specific "in app information", such as on-mouse-over question marks, around all the SAC connections and not one straight-forward process description, where you are completely lost if it does not work at the very end (with an error message from past days).

PS: I found the source of the "InA role missing" error message - 4 years old - and nothing to do with S4, but pure HANA DB based:

Ensure the sap.bc.ina.service.v2.userRole::INA_USER role is assigned to all users who will use the live connection

https://www.sapanalytics.cloud/wp-content/uploads/2017/10/SAP-HANA.pdf

MKreitlein
Active Contributor
0 Kudos

I got feedback from SAP that the Lifetime token does not expire after 1 hour but after 30 days.

So if it takes longer than 30 days to create the connection, you should delete and recreate the OAuth client.

However I still did not find the error root cause, nor the solution 😞

Abd_Am_K
Advisor
0 Kudos

Hi m.kreitlein,

I would check the following things in order to find a solution:

  1. Opening the SMC URL and the SAC URL in incognito mode should redirect to the same IdP for login. If not, then this needs to be fixed first.
  2. The Live connectivity user used in the connection information to connect from SAC to SMC should be correctly defined first in SMC and then used in SAC. If this is done and the connection isn't yet working, I would delete the user and the arrangement and create them again.
  3. The SAC user (not the live connection credential user) who is accessing the analytics content should have a 1-1 user in SMC which is managed via the IdP. The user in SMC should have the necessary analytics role assigned to him.

Hope this Helps.

MKreitlein
Active Contributor
0 Kudos

Hello Abdullah,

thanks for your reply.

No. 1) Yes, both direct to the same IdP and login works fine for both URLs on the IdP.

No. 2) Yes, the connectivity user was created as described here: https://help.sap.com/viewer/0f9408e4921e4ba3bb4a7a1f75f837a7/2108.500/en-US/e8a1c509e0a046099624d3e9... and also used in the SAC connection creation window... obviously this is not used here, since the debugger tool states my mail address and not the SAC user (who has none).

No. 3) My user, with which I create the connection had initially this role in SMC: BR_ADMINISTRATOR ... now finally I have all available roles, but none states "ina":

BR_ADMINISTRATOR_DPR, BR_ADMINISTRATOR_MKT, BR_ANALYTICS_SPECIALIST, BR_BPC_EXPERT, BR_BPC_EXPERT_MKT, BR_BUSINESS_ANALYST_MKT, BR_CONF_EXPERT_BUS_NET_INT, BR_MARKETING_EXECUTIVE, BR_MARKETING_EXPERT, BR_MARKETING_MANAGER, BR_SALES_REP_MKT_INFO, SAP_BR_ADMINISTRATOR

What exactly is the role name in SMC which contains this InA access?

Thanks,

Martin

Abd_Am_K
Advisor
0 Kudos

m.kreitlein the BR_ANALYTICS_SPECIALIST has the necessary Catalogs for InA (Information Access Protocol). You can test if you have access to the stories in the Analytics and Reporting Gallery App.

The only other option is to delete all the definitions you created for this integration and create them again. This was also recommended in the SAP Note. I also solved such an issue once by recreating everything.

mfoeken
Active Contributor
0 Kudos

Hi Martin,

Can you add the 'SAML Chrome Panel' extension to Chrome, make sure you allow the extension to be used in an incognito session and then login to SMC via SAML SSO?

Before login please:

  • Open incognito session
  • Open developer tools in chrome
  • Switch to SAML tab
  • Browse to SAML SSO login of SMC

I'm curious to find out what the content of the SAML assertions from your IDP is. Does this match both how the user is defined in SAC and SMC?

Kind regards,

Martijn van Foeken | Interdobs
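The root cause Martin reports above (the IdP's SAML login attribute was the e-mail address, while Marketing Cloud matches users on their user ID) is exactly what the SAML Chrome Panel inspection suggested here is meant to surface. As an added illustration, not code from this thread or from SAP, the following Python script does that comparison offline: it parses a SAML response, pulls out the Subject NameID and every attribute value, and reports which of them (if any) equals the login ID the target system expects. The SAML response embedded below is constructed for this example; the attribute names `mail` and `login_name`, the user ID `ME12345` and the address `myname@mycompany.example` are placeholders, not values from any real tenant.

```python
"""Check which value in a SAML assertion matches the login ID a target
system (e.g. SAP Marketing Cloud) uses to find the user.

Example code added for illustration; not from the thread or from SAP.
"""
import xml.etree.ElementTree as ET

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample response: NameID carries the e-mail address, while the
# user ID the target system expects only appears in a separate attribute.
SAMPLE_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml2:Assertion ID="_a1" Version="2.0">
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">myname@mycompany.example</saml2:NameID>
    </saml2:Subject>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="mail">
        <saml2:AttributeValue>myname@mycompany.example</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="login_name">
        <saml2:AttributeValue>ME12345</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>"""


def parse_assertion(xml_text):
    """Extract NameID (value + format) and all attribute values from a SAML response."""
    root = ET.fromstring(xml_text)
    assertion = root.find(".//saml2:Assertion", NS)
    if assertion is None:
        raise ValueError("no saml2:Assertion element in response")
    name_id = assertion.find("./saml2:Subject/saml2:NameID", NS)
    attributes = {}
    for attr in assertion.findall("./saml2:AttributeStatement/saml2:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml2:AttributeValue", NS)]
        attributes[attr.get("Name")] = values
    return {
        "name_id": name_id.text if name_id is not None else None,
        # A missing Format attribute is what "format: unspecified" in the error refers to.
        "name_id_format": name_id.get("Format", "unspecified") if name_id is not None else None,
        "attributes": attributes,
    }


def _same(a, b, case_sensitive):
    if a is None or b is None:
        return False
    return a.strip() == b.strip() if case_sensitive else a.strip().lower() == b.strip().lower()


def check_login_mapping(parsed, expected_login, case_sensitive=False):
    """Report whether NameID or any attribute equals the login the target expects."""
    name_id = parsed["name_id"]
    matching = [
        name for name, values in parsed["attributes"].items()
        if any(_same(v, expected_login, case_sensitive) for v in values)
    ]
    result = {
        "expected_login": expected_login,
        "name_id": name_id,
        "name_id_matches": _same(name_id, expected_login, case_sensitive),
        "name_id_is_email": bool(name_id) and "@" in name_id,
        "matching_attributes": matching,
    }
    if result["name_id_matches"]:
        result["verdict"] = "ok: NameID matches the target login"
    elif matching:
        result["verdict"] = (
            "mismatch: NameID does not match; map the IdP login to attribute "
            + matching[0]
        )
    else:
        result["verdict"] = (
            "mismatch: no assertion value matches the target login; "
            "check the user record in the target system"
        )
    return result


if __name__ == "__main__":
    parsed = parse_assertion(SAMPLE_RESPONSE)
    print("NameID:", parsed["name_id"], "(format:", parsed["name_id_format"] + ")")
    for name, values in parsed["attributes"].items():
        print(f"  attribute {name}: {values}")
    print(check_login_mapping(parsed, "me12345")["verdict"])
```

In practice you would paste the decoded response shown by the SAML Chrome Panel into `SAMPLE_RESPONSE` and set `expected_login` to the user name shown in the SMC user record. The comparison is case-insensitive by default because the thread notes that logins work with the lower-case address; pass `case_sensitive=True` to see whether a pure case difference is all that separates the two values.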

MKreitlein
Active Contributor
0 Kudos

Hello Martijn,

thanks a lot for your reply... here is the result.

I'm logging into the IDP and getting forwarded & logged in to the launchpad of the SMC

It seems there is also a forbidden error for some icons and it seems I cannot access the GetServerInfo ... is that a hint of a missing role? But then it would not be related to the email address...

Do you need one specific information?

BR, Martin

mfoeken
Active Contributor
0 Kudos

Hi Martin,

Are you able to reach the GetServerInfo url from the browser? Can you login and will it give a response? If not the INA role could be the one that is missing in the SMC config.

Kind regards,

Martijn van Foeken | Interdobs

MKreitlein
Active Contributor
0 Kudos

Hello Martijn,

no, I cannot reach it... if I enter the URL: https://myxxxxxxx.s4hana.ondemand.com/sap/es/ina/GetServerInfo

the result is: Error 403 - The request has been blocked by UCON

Is there a SU53 like on premise to check the missing rights?

In fact, there is no role with the name INA in it, available 😞

I found another document, stating the same role, but it looks like a direct HANA DB privilege here?!

sap.bc.ina.service.v2.userRole::INA_USER role is assigned to all users who will use the live connection

https://www.sapanalytics.cloud/wp-content/uploads/2017/10/SAP-HANA.pdf

BR, Martin

mfoeken
Active Contributor
0 Kudos

Hi Martin,

If the request is blocked by UCON it might have something to do with whitelisting. Did you do any configuration in transaction UCONCOCKPIT as part of the setup?

Kind regards,

Martijn van Foeken | Interdobs