5 Replies Latest reply: Apr 21, 2009 11:11 AM by Julius von dem Bussche

External RFC logon not possible when auth/rfc_authority_check is set to 9

Tamas Hegyi

Hello,

 

We have to log on via RFC to an ECC6 system where auth/rfc_authority_check is set to "9", but SAP gives an 'RFCAPI_RFC_SYS_EXCEPTION:RFC_ERROR_SYSTEM_FAILURE' error. If this parameter is set to "1" then logon is OK. I checked Saphelp and Sapnotes, but the documentation for this parameter is a little bit unclear. I tried to change authorizations but without success. Does anyone have experience with this topic?

 

Many thanks in advance for your help!

 

Tamás

 

  • Re: External RFC logon not possible when auth/rfc_authority_check is set to 9
    Julius von dem Bussche

    This is probably caused by load balancing of your external RFC connections.

     

    If you want to use the "9" setting, public functions in function group SRFC will be required for authorization by the user -> and therefore will have to authenticate as well before your RFC scenario is calling its function module.

     

    Is it an option for you to use a dedicated application server for the RFC scenario, and then point your connection data directly to the app server alias (network host name)?

     

    Either way, you will need to authorize the user for function group SRFC - so perhaps it is just that which is the problem?

     

    Cheers,

    Julius

    • Re: External RFC logon not possible when auth/rfc_authority_check is set to 9
      Tamas Hegyi

      Hello Julius,

       

      thanks for your answer and sorry for the long delay.

      We have only one instance so I think load balancing cannot be a problem.

      I tried to set authorizations for SRFC but it didn't help. I try to include it here:

       

      Manually   Authorization Check for RFC Access

       

      Activity                       Execute

      Name of RFC to be protected    *

      Type of RFC object to be prote Function group

       

      And another version:

       

      Manually   Authorization Check for RFC Access

       

      Activity                       Execute

              +Name of RFC to be protected    RFCPING, RFC_SYSTEM_INFO, SYSTEM_RESET_RFC_SERVER

      Type of RFC object to be prote Function group

       

      The short dump created when I try to log on is confusing, because it says that the password is incorrect, but this is not true. And it says that the RFC is sent with invalid user "SAPCPIC".

       

      I am not really familiar with the RFC authorization concept; maybe this caused the problem.

       

      Many thanks in advance if you can help me!

       

      Regards

       

      Tamás

       

      • Re: External RFC logon not possible when auth/rfc_authority_check is set to 9
        Julius von dem Bussche

        >       Manually   Authorization Check for RFC Access

        >

        >         Activity                       Execute

        >         Name of RFC to be protected    *

        >         Type of RFC object to be prote Function group

        Try changing this one to * as a test.

         

        > And another version:

        >

        >       Manually   Authorization Check for RFC Access

        >

        >         Activity                       Execute

        >         +Name of RFC to be protected    RFCPING, RFC_SYSTEM_INFO, SYSTEM_RESET_RFC_SERVER

        >         Type of RFC object to be prote Function group

        Will not work. The above are function modules, not function groups.

         

        > The shortdump created when I try to logon is confusing, because it says that password is incorrect but this is not true. And it says that RFC is sent with invalid user "SAPCPIC".

        Which function are you calling and which client server (SDK?) are you using?

         

        Check the lock count (USR02-LOCNT) for your user (and SAPCPIC) and whether the user password is locked yet (USR02-UFLAG = 128).

         

        Cheers,

        Julius

        • Re: External RFC logon not possible when auth/rfc_authority_check is set to 9
          Tamas Hegyi

          Hello Julius,

           

          I checked the SAPCPIC user and there are a few things I can't understand...

          The SAPCPIC user did not exist in the system, but after I created it, it was locked after the 3rd failed attempt. The strange thing is that on the other systems where auth/rfc_authority_check is not 9 this user is not needed, and it was not needed when, for testing, we changed the parameter to 1 on the problematic system (with this change logon was OK).

           

          Authorizations are now set to:

           

          Manually   Cross-application Authorization Objects

           

          Manually   Authorization Check for RFC Access

           

          Manually   Authorization Check for RFC Access

           

          Activity                       Execute

          Name of RFC to be protected    SRFC

          Type of RFC object to be prote All values

           

          The program tries to call functions like RFC_SYSTEM_INFO - this is the first one.

           

          Best regards

           

          Tamás

           

          • Re: External RFC logon not possible when auth/rfc_authority_check is set to 9
            Julius von dem Bussche

            SAPCPIC has a hardcoded password in a few ABAP programs and is exempted from some special authorization checks which still apply to other users...

             

            When you set this parameter to 9 any user (including SAPCPIC) will need to authenticate first when calling "public" functions (such as RFC_SYSTEM_INFO) and will sharpen the authority-checks on object S_RFC when the called function module calls another one outside of its own function group using STARTING NEW TASK or via INTERNAL DESTINATIONs (most notably 'NONE').

             

            If there is no loss of functionality from SAPCPIC not existing or being locked by this setting, then you can ignore it or delete SAPCPIC as per SAP note 29276.

             

            You can also consider disabling the CPIC calls completely: param login/disable_cpic = 1.

             

            Cheers,

            Julius
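
The S_RFC matching discussed in this thread, as an added example that is not part of the original posts and is not SAP code. It is a simplified Python model: the module-to-group mapping, the function names and the outcome strings are assumptions, ACTVT 16 stands for "Execute", and only the parameter values 1 and 9 from the thread are modelled.

```python
from fnmatch import fnmatchcase

# Assumed mapping of function module -> function group for this sketch.
FUNCTION_GROUP = {"RFC_SYSTEM_INFO": "SRFC", "RFCPING": "SRFC"}

def field_matches(granted, wanted):
    """A field passes if any granted value (with * wildcard) covers it."""
    return any(fnmatchcase(wanted, pattern) for pattern in granted)

def s_rfc_allows(auths, rfc_type, rfc_name, actvt="16"):
    """All three fields must pass within one and the same authorization."""
    return any(
        field_matches(a["ACTVT"], actvt)
        and field_matches(a["RFC_TYPE"], rfc_type)
        and field_matches(a["RFC_NAME"], rfc_name)
        for a in auths
    )

def check_call(param, authenticated, auths, function_module):
    """Outcome of an external call under auth/rfc_authority_check = 1 or 9."""
    group = FUNCTION_GROUP[function_module]
    if group == "SRFC" and param != 9:
        return "ok"               # public SRFC functions are not checked
    if not authenticated:
        return "logon required"   # with 9 the caller must authenticate first
    # The check is made against the function group, not the module name.
    if s_rfc_allows(auths, "FUGR", group):
        return "ok"
    return "S_RFC missing"

# Constructed authorizations mirroring the three variants posted in the thread.
BY_GROUP_STAR = [{"ACTVT": ["16"], "RFC_TYPE": ["FUGR"], "RFC_NAME": ["*"]}]
BY_MODULE_NAMES = [{"ACTVT": ["16"], "RFC_TYPE": ["FUGR"],
                    "RFC_NAME": ["RFCPING", "RFC_SYSTEM_INFO",
                                 "SYSTEM_RESET_RFC_SERVER"]}]
BY_SRFC = [{"ACTVT": ["16"], "RFC_TYPE": ["*"], "RFC_NAME": ["SRFC"]}]

if __name__ == "__main__":
    for label, auths in [("group *", BY_GROUP_STAR),
                         ("module names", BY_MODULE_NAMES),
                         ("SRFC", BY_SRFC)]:
        print(label, "->", check_call(9, True, auths, "RFC_SYSTEM_INFO"))
```

In this model an unauthenticated call fails under 9 regardless of the S_RFC values, which is the case the final reply describes for SAPCPIC.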
