Purpose
Here at SAP Active Global Support (SAP AGS) we constantly receive issues from our customers related to Single Sign On (SSO) between the J2EE and the ABAP NetWeaver stacks.
The purpose of this document is to help in "PROACTIVELY" checking common SSO issues on the actual servers involved and to list steps for further troubleshooting if the need arises.
Example Scenario
Let's say the configured Single Sign On (SSO) setup between SAP Portal and the R/3 system fails and you get a logon page.
Another example of an error would be that you test a portal system connection (Configure System Connection in SAP Enterprise Portal) and this fails with an SSO error:
Common SSO Error Scenarios and Checks
Some major SSO issue causes that we come across are mentioned below. Proactively checking the servers involved (both ABAP and J2EE) and comparing the below points will help in finding the root cause. This will help in faster resolution.
1)
Configure the SSO settings again as per SAP Note 1083421, as this will resolve any inconsistencies on the server caused by manual interventions.
More help:
http://wiki.sdn.sap.com/wiki/display/EP/Troubleshooting+SSO+between+AS-ABAP+and+AS-JAVA
2)
Check SAP Note 842635, especially for the parameters login.ticket_lifetime and SessionExpirationPeriod. Set the expiration of the security session and the SSO ticket timeout to the same value, as recommended in the note:
"
Setting security session and SSO timeout
Please set the timeout value for the security sessions (default 27h) and the timeout value for the SSO ticket (default 8h) to the same value. It should be a value that is higher than the maximum working time of an employee, e.g. 16 hours.
"
3)
Make sure that you are on the latest SAPJVM level so that the issues mentioned in SAP Note 1367871 do not occur.
4)
The client mentioned in the J2EE UME property login.ticket_client should be part of the ACL (Access Control List) in TCode /nSTRUSTSSO2 on the R/3 server.
It is possible that login.ticket_client is set to a value, say 000, that is also an existing client on the ABAP server. If so, SSO may not work, because the duplicate client can lead to inconsistencies. The only option here is to change the login.ticket_client value to a client that is not present on the ABAP server (say 678) and restart the J2EE server. Then run the SSO2 wizard (as per SAP Note 1083421), which will update the strustsso2 table.
5)
The SSO enabling parameters should be set on the R/3 server. The parameters are login/accept_sso2_ticket and login/create_sso2_ticket. More info:
6)
See SAP Note 1055856, which has more information on issues on the R/3 end.
7)
See SAP Note 1761987, point 7, and synchronize the ABAP and the J2EE server clocks. The two servers must have the same time, because a difference can lead to issues with the validity of the cookie. You also need to make sure that the J2EE and the ABAP server time zones are the same. You can change the time zone by setting the JVM parameter "-Duser.timezone=<desired timezone>" in ConfigTool. More help:
Time zone settings with SAP Process Integration - Process Integration - SCN Wiki
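The cross-checks from points 2, 4, 5 and 7 can be run together once the values have been copied from both servers. The following is an added example, not part of the original post or of any SAP tool: the dictionary layout, the function names and all sample values are constructed, and it assumes login.ticket_lifetime is given in hours (optionally HH:MM), SessionExpirationPeriod in milliseconds, login/accept_sso2_ticket = 1 on the accepting system, and a 60 second clock tolerance.

```python
def lifetime_minutes(value):
    # login.ticket_lifetime: assumed to be hours, optionally "HH:MM"
    hours, _, minutes = str(value).partition(":")
    return int(hours) * 60 + int(minutes or 0)

def sso_preflight(java, abap, max_skew_s=60):
    """Return (check, message) findings; an empty list means every check passed."""
    findings = []
    # Point 2: SSO ticket and security session should expire after the same time.
    ticket = lifetime_minutes(java["login.ticket_lifetime"])
    session = int(java["SessionExpirationPeriod"]) // 60000  # assumed milliseconds
    if ticket != session:
        findings.append(("timeout", f"SSO ticket {ticket} min, security session {session} min"))
    # Point 4: the ticket client must not exist on the ABAP server, and the
    # issuing system with that client must be listed in the STRUSTSSO2 ACL.
    client = java["login.ticket_client"]
    if client in abap["clients"]:
        findings.append(("client", f"login.ticket_client {client} also exists on the ABAP server"))
    if (java["sid"], client) not in abap["sso2_acl"]:
        findings.append(("acl", f"{java['sid']}/{client} is missing from the STRUSTSSO2 ACL"))
    # Point 5: the accepting system must accept logon tickets (assumed value "1").
    if abap["profile"].get("login/accept_sso2_ticket") != "1":
        findings.append(("profile", "login/accept_sso2_ticket is not set to 1"))
    # Point 7: same time zone and synchronized clocks (tolerance is an assumption).
    if java["timezone"] != abap["timezone"]:
        findings.append(("timezone", f"{java['timezone']} vs {abap['timezone']}"))
    if abs(java["utc_epoch"] - abap["utc_epoch"]) > max_skew_s:
        findings.append(("clock", f"clocks differ by more than {max_skew_s} s"))
    return findings

# Constructed sample values, copied by hand from each server in a real check.
ABAP = {"clients": {"000", "001", "100"},
        "sso2_acl": {("EPP", "678")},  # (issuing system ID, client) pairs
        "profile": {"login/accept_sso2_ticket": "1", "login/create_sso2_ticket": "2"},
        "timezone": "Europe/Berlin", "utc_epoch": 1700000000}
JAVA_BAD = {"sid": "EPP", "login.ticket_client": "000",
            "login.ticket_lifetime": "8", "SessionExpirationPeriod": "100000000",
            "timezone": "Europe/Berlin", "utc_epoch": 1700000012}
JAVA_GOOD = dict(JAVA_BAD, **{"login.ticket_client": "678",
                              "login.ticket_lifetime": "16:00",
                              "SessionExpirationPeriod": "57600000"})

if __name__ == "__main__":
    for check, message in sso_preflight(JAVA_BAD, ABAP):
        print(f"[{check}] {message}")
```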
Further Troubleshooting
Say the above settings are all fine but the issue persists. Now it is time to delve deep into the server logs and investigate further. This is needed to narrow down whether the issue lies with the ABAP server, the J2EE server, the tickets, the browser, etc., and it helps in producing an END TO END trace. The detailed steps are:
1)
Clear all the browser cache.
2)
Set the security trace level in the ticket accepting system (R/3 server)
======================================================
2.1. Call transaction SM50 (process list):
2.2. Process -> Trace -> Reset -> Workprocess Files
2.3. Key combination: F5 (select all), CTRL-Shift-F7 => Dialog box;
2.4. Set trace level=3 and ONLY(!) check the "Security" component;
If necessary, you must repeat these steps for each server (see transaction SM51), unless you can use a specific server for reproducing the error (for example, by excluding the load distribution).
======================================================
3)
Run the web diagtool as outlined in SAP Note 1045019 (example 1) if you are on SAP NetWeaver release 6.40 or 7.00, or as per SAP Note 1332726 (incident "General Security") if you are on version 7.1, 7.2, 7.3, 7.4 or 7.5. Ideally, run it on server 0 (check SAP Note 1589567).
4)
While the diagtool is running, reproduce a failed SSO scenario to the backend.
5)
When the SSO fails, wait for a minute and then press return in the diagtool console so that the resulting traces are picked up.
6)
Check the diagtool traces and the ABAP workprocess traces for more details on the exact error. You can use the techniques described in "How to search for specific error content in ABAP server logs" and "How to check logs for particular J2EE application issue" to narrow down and pinpoint the exact cause.
NOTE: If you are still uncertain after all the steps mentioned in this blog and the issue still persists, contact SAP Support / SDN and attach the below documents/logs:
-- The html Diagtool log
-- The J2EE server default traces
-- The /nSM50 trace
-- Step by step screenshots of error reproduction
-- The exact time at which the issue was reproduced and the user ID involved.
-- The screenshots of the TCode /nSTRUSTSSO2 and the ACL.