Skip to Content
0
Former Member
Oct 11, 2011 at 07:38 PM

Unable to logon to BPC 10.0 from Excel Add-in Client - unauthorized

453 Views

Hello everyone,

I installed BPC 10.0 version for Netweaver and the EPM Add-in for Microsoft Office.

As part of BPC 10.0 post-installation, I configured SSO per note 817529. The

sso2test.htm BSP application to check the configuration was successful. I am not using HTTPS.

I installed the EPM Add-in for Microsoft Office. I performed the

prerequisites for creating local connection for BPC version for

Netweaver per the EPM Add-in for Microsoft Office installation guide.

Within Excel, I clicked the EPM tab and tried to create a logon

connection. However, I receive the following error:

The environment 'Environment Shell' is unavailable. You are not

authorized to connect.

Per note 495911, I did a trace analysis on the problem. The detailed

trace file output is below. I have reviewed note 320991 and verified that

the password for my logon id and for the service account are correct.

I have made various adjustments to the STRUSTSSO2 transaction; however the problem persists.

Does anyone have a suggestion as to how I can resolve the error? For this specific scenario, what are the steps required in STRUSTSSO2? I've seen the help files on SSL/SSO but the context involves SSO with portal or J2EE or another ABAP system, etc. This particular integration is with the EPM Add-in for Microsoft Office.

Kind regards,

Rex L. Farris

***DETAILED CONTENTS OF WORK PROCESS TRACE FILE ***

A Tue Oct 11 12:27:10 2011

A **GENER Trace switched off ***

*

  • ACTIVE TRACE LEVEL 2

  • ACTIVE TRACE COMPONENTS all, NJ

*

S Tue Oct 11 12:32:11 2011

S found spool memory service RSPO-ACTIONS at 0000000033C4A390

N Tue Oct 11 12:34:16 2011

N SAML-Trace: Starting SAML authentication for access to path: /sap/bpc/session

N SAML-Trace: Login methods list from ICF: AUTH_FIELD,AUTH_CERT,AUTH_SSO,AUTH_ASSERT,AUTH_BASIC,AUTH_SAP,AUTH_SAML,AUTH_SERVI

N SAML-Trace: Received configuration data:

N Tue Oct 11 12:34:17 2011

N dy_signi_ext: PASSWORD logon with ticket request

N DyISigni: client=100, user=BPCADMIN , lang=E, access=H, auth=P

N usrexist: effective authentification method: <client,username,password>

N chckpass: client=100, user=BPCADMIN , accesstype=H

N password logon is generally enabled (default)

N productive password is still valid (expiration period=0 / days gone=0)

N codvn=I => password is case-sensitive and up to 40 chars long

N chckpass: correct password

N Get_RefUser(100,BPCADMIN) =>

N password logon is generally enabled (default)

N productive password is still valid (expiration period=0 / days gone=0)

N password change not required (expiration period=0 / days gone=5)

N usrexist: update logon timestamp (M)

N save user time zone = > < into spa

N system default timezone for client >100< is: >EST <

M SecAudit(rsauinit): WP attached to existing shared memory.

M SecAudit(RsauShmInit): addr of SHM for Audit.. = 0000000002A20050

M SecAudit(RsauShmInit): addr of RSAUSHM........ = 0000000002A21050

M SecAudit(RsauShmInit): addr of RSAUSLOTINFO... = 0000000002A21660

M SecAudit(RsauShmInit): addr of RSAUSLOTS...... = 0000000002A21670

M SecAudit(check_daily_file): audit file opened E:\usr\sap\PC1\DVEBMGS00\log\20111011.AUD

N DyISignR: return code=0 (see note 320991)

N mySAPWrapTicket was called.

N Got Codepage 4103 for ticket creation.

N mySAP: Got the following SSF Params:

N DN =CN=PC1

N EncrAlg =DES-CBC

N Format =PKCS7

N Toolkit =SAPSECULIB

N HashAlg =SHA1

N Profile =E:\usr\sap\PC1\DVEBMGS00\sec\SAPSYS.pse

N PAB =E:\usr\sap\PC1\DVEBMGS00\sec\SAPSYS.pse

N login/create_sso2_ticket = 2 found. No certificates included in signature.

N Added client 100 and sysid PC1 to ticket contents.

N Added date 201110111634 to ticket contents.

N Ticket expiration time 8:00 found.

N Got user BPCADMIN for ticket creation.

N mySAPWrapTicket: Trying to insert newly created ticket into ticket cache.

N HmskiInsertTicketInCache: Trying to insert logon ticket in ticket cache.

N HmskiInsertTicketInCache: Inserted new ticket into logon ticket cache with cache key: 100:80E1958737F9600069E2206029DA90D9 .

N HmskiInsertTicketInCache: Inserted new ticket into logon ticket cache with cache info: <USER>=BPCADMIN ,<CLIENT>=100,<LANGUAGE>=E .

N mySAPWrapTicket returns 0.

N dy_signi_ext: ticket created (480 chars)

N Tue Oct 11 12:34:18 2011

N ==> krn_Base64_Decode()

N <== krn_Base64_Decode()==0 (SSF_KRN_OK)

N ==> krn_Base64_Decode()

N <== krn_Base64_Decode()==0 (SSF_KRN_OK)

N Tue Oct 11 12:34:19 2011

N InternetUserLogon called in testmode => 'authenticate-only'

N dy_signi_ext: LOGON TICKET logon (client 000)

N mySAPUnwrapTicket: was called.

N HmskiFindTicketInCache: Trying to find logon ticket in ticket cache.

N HmskiFindTicketInCache: Try to find ticket with cache key: 000:80E1958737F9600069E2206029DA90D9 .

N HmskiFindTicketInCache: Couldn't find ticket in ticket cache.

N mySAP: Got the following SSF Params:

N DN =CN=PC1

N EncrAlg =DES-CBC

N Format =PKCS7

N Toolkit =SAPSECULIB

N HashAlg =SHA1

N Profile =E:\usr\sap\PC1\DVEBMGS00\sec\SAPSYS.pse

N PAB =E:\usr\sap\PC1\DVEBMGS00\sec\SAPSYS.pse

N Got the codepage 4103.

N Got ticket (head) AjQxMDMBABhCAFAAQwBBAEQATQBJAE4AIAAgACAA. Length = 480.

N MskiValidateTicket returns 0.

N Got content client = 100.

N Got content sysid = PC1 .

N Got date 201110111634 from ticket.

N Cur time = 201110111634.

N Computing validity in hours.

N Computing validity in minutes.

N CurTime_t = 1318437240, CreTime_t = 1318437240

N validity: 28800, difference: 0.000.

N Ticket is without recipient information.

N HmskiInsertTicketInCache: Trying to insert logon ticket in ticket cache.

N HmskiInsertTicketInCache: Inserted new ticket into logon ticket cache with cache key: 000:80E1958737F9600069E2206029DA90D9 .

N HmskiInsertTicketInCache: Inserted new ticket into logon ticket cache with cache info: <USER>=BPCADMIN ,<CLIENT>=100,<LANGUAGE>=E .

N mySAPUnwrapTicket returns 0.

N dy_signi_ext: valid ticket with RFC ticket

N dy_signi_ext: ab_RfcValidateSSOInfo() rc=0

N DyISigni: client=000, user=BPCADMIN , lang=E, access=U, auth=T

N DyISigni: return code=1 (see note 320991)

N DyISigni: client=100, user=BPCADMIN , lang=E, access=H, auth=s

N usrexist: effective authentification method: HTTP Security Session

N Get_RefUser(100,BPCADMIN) =>

N password logon is generally enabled (default)

N productive password is still valid (expiration period=0 / days gone=0)

N password change not required (expiration period=0 / days gone=5)

N save user time zone = > < into spa

N system default timezone for client >100< is: >EST <

N DyISignR: return code=0 (see note 320991)

N ==> krn_Base64_Decode()

N <== krn_Base64_Decode()==0 (SSF_KRN_OK)

N ==> krn_Base64_Decode()

N <== krn_Base64_Decode()==0 (SSF_KRN_OK)

N InternetUserLogon called in testmode => 'authenticate-only'

N dy_signi_ext: LOGON TICKET logon (client 000)

N mySAPUnwrapTicket: was called.

N HmskiFindTicketInCache: Trying to find logon ticket in ticket cache.

N HmskiFindTicketInCache: Try to find ticket with cache key: 000:80E1958737F9600069E2206029DA90D9 .

N HmskiFindTicketInCache: Logon ticket found in ticket cache.

N HmskiFindTicketInCache: Ticket information in ticket cache is: <USER>=BPCADMIN ,<CLIENT>=100,<LANGUAGE>=E

N HmskiFindTicketInCache: Ticket information in ticket cache read successfully.

N DyISigni: client=000, user=BPCADMIN , lang=E, access=U, auth=T

N DyISigni: return code=1 (see note 320991)

N DyISigni: client=100, user=BPCADMIN , lang=E, access=H, auth=s

N usrexist: effective authentification method: HTTP Security Session

N Get_RefUser(100,BPCADMIN) =>

N password logon is generally enabled (default)

N productive password is still valid (expiration period=0 / days gone=0)

N password change not required (expiration period=0 / days gone=5)

N save user time zone = > < into spa

N system default timezone for client >100< is: >EST <

N DyISignR: return code=0 (see note 320991)

N ==> krn_Base64_Decode()

N <== krn_Base64_Decode()==0 (SSF_KRN_OK)

N ==> krn_Base64_Decode()

N <== krn_Base64_Decode()==0 (SSF_KRN_OK)

N Tue Oct 11 12:34:20 2011

N InternetUserLogon called in testmode => 'authenticate-only'

N dy_signi_ext: LOGON TICKET logon (client 000)

N mySAPUnwrapTicket: was called.

N HmskiFindTicketInCache: Trying to find logon ticket in ticket cache.

N HmskiFindTicketInCache: Try to find ticket with cache key: 000:80E1958737F9600069E2206029DA90D9 .

N HmskiFindTicketInCache: Logon ticket found in ticket cache.

N HmskiFindTicketInCache: Ticket information in ticket cache is: <USER>=BPCADMIN ,<CLIENT>=100,<LANGUAGE>=E

N HmskiFindTicketInCache: Ticket information in ticket cache read successfully.

N DyISigni: client=000, user=BPCADMIN , lang=E, access=U, auth=T

N DyISigni: return code=1 (see note 320991)

N DyISigni: client=100, user=BPCADMIN , lang=E, access=H, auth=s

N usrexist: effective authentification method: HTTP Security Session

N Get_RefUser(100,BPCADMIN) =>

N password logon is generally enabled (default)

N productive password is still valid (expiration period=0 / days gone=0)

N password change not required (expiration period=0 / days gone=5)

N save user time zone = > < into spa

N system default timezone for client >100< is: >EST <

N DyISignR: return code=0 (see note 320991)

N ==> krn_Base64_Decode()

N <== krn_Base64_Decode()==0 (SSF_KRN_OK)

N ==> krn_Base64_Decode()

N <== krn_Base64_Decode()==0 (SSF_KRN_OK)

Edited by: Rex Farris on Oct 11, 2011 9:38 PM