Skip to Content
avatar image
Former Member

Administrator Account locked

hi,

in our Portal the Administrator Account gets locked every 2-3 hours. we also change the password in the secure store.

is there a chance to find out, why? a central log or something? i can't analyze every log, because we have 7 instances with each 4 servers.

Add comment
10|10000 characters needed characters exceeded

  • Get RSS Feed

4 Answers

  • Best Answer
    avatar image
    Former Member
    Dec 17, 2010 at 11:28 AM

    Hi,

    Had you maintained a constant pwd for the Administrator user for a long time and then change it? If this pwd was used for any RFCs or JCOs etc, then the pwd will get locked when the appln. that is using this pwd is called. A easier way to sort this problem will be to maintain the old password that was kept for a long time with all applications using it.

    Rgds,

    Soujanya

    Add comment
    10|10000 characters needed characters exceeded

  • avatar image
    Former Member
    Dec 17, 2010 at 11:29 AM

    Hi,

    check if you have used this user in some RFC's or SLD set-up. Check default trace for the error when your administrator accounts get locked.

    Thanks

    Sunny

    Add comment
    10|10000 characters needed characters exceeded

  • avatar image
    Former Member
    Dec 17, 2010 at 12:01 PM

    we have to change the password every 3 months. it's the first time we have this problem. before we didn't have the additional applikation server.

    i checked every rfc connection (at least the ones i know). none uses the administrator account.

    Add comment
    10|10000 characters needed characters exceeded

    • Hi Andre

      If you check the security logs in j2ee/cluster/server<n>/log/system, when the user gets locked you will see log entries from the failed authentication attempt, and more information including hopefully the IP address of the machine where the request comes from, and the login module stack used during the authentication. Maybe this information will help isolate the origin of the invalid administrator password.

      An alternative approach, which is dependent on the version of the AS Java is to activate some tracing.

      There is a new trace location available for problems such as this - com.sap.security.core.locking

      You can get the info from this location by adding it to the Log Configurator service in the Visual Administrator if it is available, and adjusting the severity accordingly. Then examine the defaultTraces when the user gets locked

      However it is easier in this case to use the web diagtool. Follow note 1045019 to deploy the web diagtool, if not done before

      Then to start the trace, follow example 2 and add just com.sap.security.core.locking and start the trace. The potential problem here is that the diagtool will be running for 2-3 hours while you wait for the user to be locked, however hopefully by just tracing location com.sap.security.core.locking the resultant log will not be too large. The diagtool will capture traces from all servers in a system

      If the location is not available in the diagtool then perhaps it is not available for your system SP

      When the user is locked, hopefully the trace will give you information about the origin IP, the stack trace and the auth stack used

  • avatar image
    Former Member
    Dec 25, 2010 at 08:11 PM

    Hi

    First of all we need to confirm whether the user is getting locked by cummuncation from other systems or from the internal calls. To do this, the easiest method is to isolate the system from other systems. If the user is getting locked even then, then it is the internal call. You can goto the Configtool and Visual admin and check indivual properties if there is this user ID/password mainatined correctly everywhere or not.

    Thanks

    Javed

    Add comment
    10|10000 characters needed characters exceeded