SSO ticket expired - only thru Web Dynpro

Former Member · ‎12-20-2007

Hi,

I am getting "RFC_ERROR_LOGON_FAILURE: System received an expired SSO ticket" on all the Web Dynpro iviews.. SAP Transaction iviews etc. (for the same system) are working fine... I did a trace in the backend, and it said that the date on the SSO ticket was over 2 days old...! Where is this ticket coming from? My security session & SSO ticket expiry are the defaults (8 hours and 27 hours). I deleted all the sessions in SM04 and Visual Administrator but it keeps doing the same thing... the timestamp (according to the backend trace) is 200712180520 - thats over 2 days ago... Where (and why) is this ticket being cached, and only for the Web Dynpro connections?

Any help greatly appreciated!

Many thanks

Jane

We are on EP7 SP11. The trace is as follows:

dy_signi_ext: SSO TICKET logon (client 220)

mySAPUnwrapCookie: was called.

HmskiFindTicketInCache: Trying to find logon ticket in ticket cache.

HmskiFindTicketInCache: Try to find ticket with cache key: 220:F1B937582416FDFDC3DFEFFDBE6FCC7C .

HmskiFindTicketInCache: Couldn't find ticket in ticket cache.

I don't need to ask RunningCompatibly to know: I'm >= 46C.

mySAP: Got the following SSF Params:

DN =CN=C11

EncrAlg=DES-CBC

Format =PKCS7

Toolkit =SAPSECULIB

HashAlg =SHA1

Profile =E:\usr\sap\RD2\DVEBMGS01\sec\SAPSYS.pse

PAB =E:\usr\sap\RD2\DVEBMGS01\sec\SAPSYS.pse

Got the codepage 1100.

Got ticket (head) AjExMDAgABBwb3J0YWw6bWFuYWdlcjAxiAATYmFz. Length = 492.

MskiValidateTicket returns 0.

Got content client = 000.

Got content sysid = PTD .

Got date 200712180520 from ticket.

Cur time = 200712200607.

Computing validity in hours.

Computing validity in minutes.

CurTime_t = 1198217220, CreTime_t = 1198041600

validity: 28800, difference: 175620.000.

ERROR => HMskiCheckValidity failed. [ssoxxkrn.c 856]

Former Member · ‎12-20-2007

Hi,

THis is very interesting... only one thing that i can think of is logon ticket itself may have expired.

Did you check the expiry of the logon ticket ??

Download the ticket from the keystore, store it on the desktop and if u open it, you can see the ticket validity.

Check if this validity period has expired..If so, create a new logon ticket Key storage service using VA.

But if you are saying your Transaction iViews are working .. then ticket must be valid.

Anyways ... just check ..

Cheers!!

Ashutosh

Edited by: Ashutosh Gulkhobre on Dec 20, 2007 3:36 PM

Former Member · ‎12-20-2007

Hi!

You can also check the difference in local time on your server and workstation. We had a similar problem in the past with our users located in Australia.

Please award points if helpful

Former Member · ‎12-20-2007

Thank you for your replies.

Ashutosh, I have checked the SSO certificate from the keystore and the expiry is set to 2027.

All servers & users are in the UK, I have checked the servers and workstation times and they are the same. Even with different time zones, the ticket that R/3 is receiving is over 2 days old - no time zones are that far apart!

Regards

Jane

Former Member · ‎12-21-2007

Hi!

You can try to change SSO ticket validity period. Please refer to http://help.sap.com/saphelp_nw04s/helpdata/en/45/18b6cfe1235d79e10000000a11466f/frameset.htm.

According to the log you provided, the time difference between portal and R/3 is around 49 hours (175620 sec.). You can set for example value 72 for the ticket validity period.

Also you can check R/3 system time. Logon to R/3 through SAP GUI. Choose System --> Status from the top menu. You can see system date (logon) and time.

dan_pfingsten2 · ‎03-06-2008

Was there a resolution to this? We are encounting the same issue. Any feedback would be appreciated!

Former Member · ‎06-24-2008

We have the same issue...Could you please share the resolution?

Former Member · ‎09-21-2009

Ravi,

Did you get a chance to resolve it.

If so, please update this thread with the solution.