Check RSUSR003 report to identify if the passwords are trivial. If yes, they will display the standard passwords with which you can login.

-

Hi Raghu,

We don't know specifically what are the users that have set the standar passwords in which specific client, we need to change the passwords according to the recommendations of the EarlyWatch Alert.

We ran report RSUSR003 according to your recommendation but as result we are not receiving what are the specific users and client that have the standar passwords, we receivie the following result including the current configuration for some login* parameters.

Number of Selected Standard Users: 10

System:

BWI

Instance: ASSBWARCA02BF_BWO_00

User: support

Date: 11.11.2010

Time: 10:01:46

Selection Criteria:

+Display Profile Parameters X

Profile Parameters:

login/accept_sso2_ticket 1+

....

is there any way to check what are the users and their corresponding clients so we can update their password?

With regards to SNC, how can we know how to disable the configuration so we can connect to the client and change the password? Can you please let us know what is the parameter related with this configuration?

Thanks and kind regards

Hi,

RSUSR003 should work. When you execute the program, uncheck the checkbox which is for the profile parameters and click execute again, which will show the users and their status.

Regarding the SNC parameter, try snc/accept_insecure_gui. Set the option to 1 so that it will allow the users to login from GUI too. If this value is set to 0, users will be authenticated from SSO only.

Regards,

Raghu

Hi Raghu

Thanks for the information, can you please let us know if do we need to perform a reboot of the system once we set the parameter to 1? I'm checking and right now the parameter has been set with the value 'U'

Regarding the SNC parameter, try snc/accept_insecure_gui. Set the option to 1 so that it will allow the users to login from GUI too. If this value is set to 0, users will be authenticated from SSO only.

Thanks and best regards,

Hi,

Yes. The parameter changes require a system restart.

Also, just to clarify. Did you opted for SNC while creating the new entry in SAP Logon pad?? (The 2nd screen while adding a new system). You can check the same by selecting the item, click Change item button, and goto Network tab. If the SNC is checked, uncheck it and try logging in again.

If not, you have to go with the 1st option.

Warm Regards,

Raghu

Hi Rudolfo,

I think the issue could be with the saplogon pad than the user itself. I agree with Raghu. Please check that. I had a similar issue and this was with the saplogon pad entries only.

Hi Raghu

With regards to SAPGUI the SNC is not enabled in the Network tab, we'll try to change the recommended parameter and login using the standar SAP* user in client 066

Also, just to clarify. Did you opted for SNC while creating the new entry in SAP Logon pad??
 (The 2nd screen while adding a new system). You can check the same by selecting the item, 
click Change item button, and goto Network tab. If the SNC is checked, uncheck it and try logging in again.

With regards to SNC I was checking under SU01 -> <USER-ID> -> Display -> SNC -> SNC Name and I found all the users have included a string with the following information:

p:<DOMAIN>\<USER-ID>

I think this information could be related with the account they have created in the DOMAIN.

Thanks and regards,

Hi,

Don't you find an option to take SNC for that specific user in SNC? All the user SNC irelated nformation is maintained in table USRACLEXT. You may manually need to remove the SNC for the specific user by maintaining the table USRACLEXT from SM30.

Hope this helps!!

Rgds,

Raghu

Note that the logon data parameters of the BAPI are not documented and not released, so using them is actually just a trick and not a solution.

The ability to set a productive password for a dialog user came much later with IdM and to my knowledge is not a released BAPI either.

Anyway, I think we need to know how the system is configured first (globally as intention) before speculating about workarounds for individual use (cases).

@ OP: What are the snc* and login* parameter settings?

Cheers,

Julius

Yes, you are correct: As of 7.00 SP19 it is documented and released, but only for SNC protected callers who also have authority for user admin.

Generally, the correct approach is to delete SAP* and reboot the system for login/no_automatic_user_sapstar to become active.

Sometimes it is easier to recover a "lock out" once you are already on "the inside" and an admin(!) to use the search help for users in SM21 to find a user NE a standard one, and then transport (client independently) an authorization for trusted RFC into the system for a role already assigned (if not existing in authorizations already). Then set up an SM59 connection as "trusted" into the client for that user and perform a remote login (within the same SID -> to the logical system 066).

Tcode SNC1 is also of type report, so you could create a system variant and schedule it in Sm37 to map the SNC name for you to one of the users, if you have batch admin access.

Deleting SAP* should only really be necessary for lockout of all users in all clients with no SNC and no trust anywhere.

Cheers,

Julius

Hi Rohan,

The EARLYWATCH user ID comes with the installation and should be protected. Please check the link again:

The user EarlyWatch is delivered in client 066 and is protected using the password SUPPORT. The SAP EarlyWatch experts use this user which should not be deleted. Change the password. This user should only be used for EarlyWatch functions (monitoring and performance).

However, Using SNC with SAP GUI you'll always disable the (ABAP) password authentication; the ABAP system demands that the user is authenticated via SNC (SSO).

Hope this is helps!!

Rgds,

Raghu