
"The security token could not be authenticated or authorized" error when distributing from SAP ERP (Convergent Invoicing) to SAPCC

Former Member
0 Kudos

Hi,

We've installed SAP ERP6.0 EHP6 for Telco/Utilities (IS-UT 606) working with SAPCC3.0 on a Linux/Oracle platform.

Although we manage to send charged items from CC to CI as billable items, we are trying to complete the replication of business partners and contract accounts from CI to CC, for which we need to set up communication with SAP Convergent Charging via Web Services. In the particular case we're testing, we need to configure local ports for the consumer proxy CO_FKKCC_SUBSCRIBER_ACCOUNT.

Once we've done that, when we replicate the data to CC we come across the error "System Error When Calling SAP CC: The security token could not be authenticated or authorized". We have visibility of the WSDL from the ERP, and the logical port has been created based on that WSDL from the SOAMANAGER of the ERP. We have done different tests with different results:

- No user/password --> System Error When Calling SAP CC: An invalid security token was provided

- Valid SAPCC user --> System Error When Calling SAP CC: The security token could not be authenticated or authorized

- Invalid SAPCC user --> System Error When Calling SAP CC: The security token could not be authenticated or authorized

Taking into account that the error is the same regardless of the valid or invalid user, I'm wondering whether I need to use some kind of encryption/security settings in ERP, but I cannot find it. Any idea/direction with regards to that?

Config of our logical port:

Thanks. Raúl.

Accepted Solutions (1)


Former Member
0 Kudos

Solved. It turns out that:

- The WSuser must be assigned to a specific SAPCC catalogue (not option All catalogs).

- Contrary to what the security guide states, not only the Process Manager role is required; some other services require Batch Rating Administrator and Customer Sales Representative. We've added all roles except Administrator and User Administrator, just in case.

Regards. Raúl.

Former Member
0 Kudos

Hello Raúl.

It seems that you found a solution on your own a long time ago, but here is some additional information in case you or someone reading this thread needs more details regarding the configuration of users in SAP CC.

As you mentioned, there is a SAP CC Security Guide that lists the roles a SAP CC user can be configured with. Here is the link for the version for CC 3.0: https://websmp203.sap-ag.de/~sapidb/011000358700001163352011E. Other versions can be found on help.sap.com.

First of all, it is better to set up users dedicated to web service calls. Each of these users must be defined with a default catalog, whereas standard users that connect to the core tool can have access to all catalogs. For each web service call, the provided user token makes it possible to derive the catalog defined for this user. This automatically enriches the request with a catalog name or a service provider name, depending on the kind of data accessed/created in SAP CC.

  • In order to consume web services that relate to product modelling (catalog WS), the user must have the role "marketing".
  • In order to create customer-related data, such as subscriber accounts and contracts, the user must have the role "customer sales representative".
  • To call some administration tasks (launch rating sessions, activate contracts), the user must have the role "process manager".

The roles administrator and user administrator must never be given to a user that is not in charge of system or user administration, as you mentioned. A user with several roles is a critical combination and should, if possible, be avoided. Prefer several users with one role each.

Finally, regarding the issue you had: when a catalog is not defined, a generic error is returned: "The security token could not be authenticated or authorized". Receiving this generic error does not help to debug the problem, but the intention is not to provide information when the token is invalid. The administrator may get more information by checking invalid access to the platform in the system logs.

Hope it helps. Regards,

Guillaume
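Added example, not part of any post in this thread and not SAP code: a small audit that applies the rules from the reply above (specific default catalog, one role per web-service user, no administration roles, role matched to the kind of call) to a user list. The record layout, user names and catalog names are constructed for illustration and are not an SAP CC export format.

```python
# Added example: checks web-service users against the rules stated in this thread.
# Record layout, user names and catalog names are constructed assumptions.
ADMIN_ROLES = {"administrator", "user administrator"}

# Role needed per kind of web-service call, as listed in the reply above.
REQUIRED_ROLE = {
    "catalog": "marketing",
    "customer_data": "customer sales representative",
    "administration": "process manager",
}
ALL_CATALOGS = None  # constructed marker for the "All catalogs" option


def audit_ws_user(user, call_kind):
    """Return a list of findings for one web-service user and one kind of call."""
    findings = []
    roles = {r.lower() for r in user["roles"]}
    if user["catalog"] is ALL_CATALOGS:
        findings.append("no specific catalog: expect the generic token error")
    needed = REQUIRED_ROLE[call_kind]
    if needed not in roles:
        findings.append(f"missing role '{needed}' for {call_kind} calls")
    admin = sorted(roles & ADMIN_ROLES)
    if admin:
        findings.append("administration role on a web-service user: " + ", ".join(admin))
    if len(roles) > 1:
        findings.append(f"{len(roles)} roles on one user: prefer one user per role")
    return findings


def audit_all(users, call_kind):
    """Map each user name to its findings; an empty list means no finding."""
    return {u["name"]: audit_ws_user(u, call_kind) for u in users}


# Constructed sample data.
USERS = [
    {"name": "WS_CI_REPL", "roles": ["Customer Sales Representative"], "catalog": "CATALOG_A"},
    {"name": "WS_ALL_CAT", "roles": ["Process Manager"], "catalog": ALL_CATALOGS},
    {"name": "WS_WIDE", "roles": ["Marketing", "Customer Sales Representative",
                                  "Administrator"], "catalog": "CATALOG_A"},
]

if __name__ == "__main__":
    for name, findings in audit_all(USERS, "customer_data").items():
        print(name, "OK" if not findings else findings)
```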

0 Kudos

The problem appears to be that authentication now necessitates a UPN (user principal name / MSDN – User Name Formats) login as a result of ADFS's upgrade.

Solution: If you have an on-premises installation of Microsoft Dynamics CRM, you might need to install a new certificate on the server.

The answer is right here, exactly. https://kodlogs.net/193/id3242-the-security-token-could-not-be-authenticated-or-authorized
