Troubleshooting Single Sign-On

Provides troubleshooting information for problems that can occur when implementing single sign-on (SSO) for SAP enterprise information systems (EIS).

  • When testing, the error No suitable SAP user found for X.509-client certificate is logged on the client and SAP Mobile Server when testing SSO with an X.509 certificate on a mobile application client – during certificate generation, make sure that the user name under which the dbsrv12.exe process (SAP Mobile Server) runs, is the same as the user name who generates the credential (cred_v2) file. For example, in the Processes tab of Windows Task Manager, the User name under which dbsrv12.exe runs is SYSTEM. In this case a SYSTEM user must also generate the certificate.

    See this SAP Community Network link http://forums.sdn.sap.com/thread.jspa?threadID=1756876.

  • When testing, the error RFC_ERROR_LOGON_FAILURE: No suitable SAP user found for X.509-client certificate is logged on the client and SAP Mobile Server when testing SSO with an X.509 certificate on a mobile application client.
    1. If using X.509 certificate authentication, remove the JCo properties jco.client.passwd (Logon User) and jco.client.user (Password) defined for the SAP connection profile in SAP Control Center.
    2. Regenerate and redeploy the Hybrid App application and associated MBOs.
      Note: You need to remove the SAP connection properties from SAP Mobile WorkSpace.
  • Application login failures, authentication failures, and operation replay failure error messages – any of these failures may be caused by the user's password changing in the SAP server. In some cases, you may need to create new connection profiles.

    For security reasons, the exact nature of the login failure is not returned to the client. Look at the SAP Mobile Server log for details.

  • Using the createcert utility to create X.509 certificates to use in SSO testing – SAP Mobile Server includes a SQL Anywhere installation that includes the createcert utility for generating X.509 certificates.

    See Certificate Creation (createcert) Utility in System Administration, or the SQL Anywhere documentation for details.

  • Unexpected application behavior when you change credentials in an application – when you change a password in the client application, it changes only the password which is sent to the SAP server. To change the password that the SAP server accepts, change it at the EIS.

    You can import any valid certificate into the device's certificate store, but if the SAP server rejects it, an error is returned to the client.

  • SAP portal does not set SSO2 logon tickets – you need a note applied to the portal to get the HTTP challenge pop-up.

    Ask the basis team to apply note 1250795 to the portal server. See https://websmp230.sap-ag.de/sap/support/notes/1250795 (requires SAP domain login).

Parent topic: Troubleshoot Security, Logins, and Authentication