ERROR:
1: During an (RFC) logon, the system displays the following text:
"You are not authorized to logon to the target system (error code...)"
with an error code number whose meaning is unclear to you.
2: You find the following unfamiliar lines in the developer trace file (dev_w..):
DyISigni: client=..., user=..., lang=... , access=..., auth=...
usrexist: effective authentification method: ....
DyISigni: return code=... (see Note 320991)
The extended trace messages are written starting from trace level 2 for the "Security" component (you can activate this dynamically using transaction SM50). They are available starting from the following kernel versions:
4.6D kernel starting from patch level 141
4.5B kernel starting from patch level 506
Explanation of the Error Codes/Return Codes
0 No error - successful logon
2 User account is locked
3 Incorrect logon data; for SAPGUI: connection closed
4 Successful logon using virtual user or emergency super user
5 Error when constructing the user buffer (==> possible follow-on error)
6 User exists only in the central user administration (CUA)
7 Invalid user type
8 User account outside validity period
9 SNC name and specified user/client do not match
10 Logon requires SNC (Secure Network Communication)
11 No ABAP user with this SNC name exists in the system
12 ACL entry for SNC-secured server-server link is missing
13 No suitable SAP account found for the SNC name
14 Ambiguous assignment of SNC names to ABAP users
15 Unencrypted SAP GUI connection refused
16 Unencrypted RFC connection refused
20 Logon using logon/assertion ticket is generally deactivated
21 Syntax error in received logon/assertion ticket or reentrance ticket not valid
22 Digital signature check for logon/assertion ticket fails
23 Logon ticket/assertion issuer is not in the ACL table
24 Logon/assertion ticket is no longer valid
25 Assertion ticket receiver is not the addressed recipient
26 Logon/assertion ticket contains no/an empty ABAP user ID
27 Reauthorization check: ticket does not match current user
28 Ticket logon denied by security policy
30 Logon using X.509 certificate is generally deactivated
31 Syntax error in the received X.509 certificate
32 X.509 certificate does not originate from the Internet Transaction Server
34 No suitable ABAP user found for the X.509 certificate
35 Ambiguous assignment of X.509 certificate to ABAP users
36 Certificate is older than the date entered as "min. date" (USREXTID)
37 X.509 certificate is not currently valid
41 No suitable ABAP user found for the external ID
42 Ambiguous assignment of external ID to ABAP users
50 Password logon was generally deactivated or denied by security policy
51 Initial password has not been used for too long
52 User does not have a password
53 Password lock active (too many failed logons)
54 Productive password has not been used for too long
60 SPNego logon denied by security policy
61 Invalid SPNego token (syntax)
62 NTLM token received instead of SPNego token
63 Missing/incorrect Kerberos keytab entry
64 Invalid SPNego token (time)
65 SPNego replay attack detected
66 SPNego: Error when creating the SNC name
67 SPNego: No suitable SAP account found for the SNC name
68 SPNego: Ambiguous assignment of SNC names to ABAP users
69 Reauthentication check: SPNego token does not match current user
100 Client does not exist
101 Client is currently locked for logons
102 External WebSocket RFC communication is not allowed (RFC runtime)
103 External WebSocket RFC communication requires alias user (RFC runtime)
104 System is in maintenance mode and locked against logons
110 Tenant was stopped (runlevel STOPPED)
111 Tenant cannot be used generally (runlevel ADMIN)
112 No authorization to log on to the current logon category
120 Server does not allow logon
121 No special rights for logon on this server
300-399 OpenID connect (OIDC) error; see SAP Note 3111813
1001 Password is initial/has expired - interactive change required (RFC/ICF)
1002 Trusted system logon failed (no S_RFCACL authorization)
3000 Reauthorization check: SAML bearer assertion is not compatible with current user
3001 Internal SAML bearer assertion verification error
3002 SAML bearer assertion could not be parsed
3003 SAML bearer assertion was already used (replay)
3004 SAML bearer assertion could not be assigned to a user
3005 Issuer of SAML bearer assertion is not trusted
3006 NameID format of SAML bearer assertion is not supported
3007 Signature of SAML bearer assertion is not valid
3008 SAML bearer assertion is not valid or is no longer valid
3009 SAML is not activated or SAML bearer assertion provider is not activated
Explanations for "access" (access types):
B Background processing (batch)
C CPIC
F RFC (as of 4.6C: internal RFC)
R RFC (as of 4.6C: external RFC)
I RFC system call (internal SRFC)
S RFC system call ([external]* SRFC) - *see SAP Note 2590963
U User switch (internal call)
H HTTP
u Restore session (ABAP class CL_USERINFO_DATA_BINDING)
" " API call (such as SUSR_CHECK_LOGON_DATA)
M SMTP authentication (MTA): Password check
P ABAP push channel (APC)/WebSockets
E Establishment of a shared memory area (internal call)
O AutoABAP (internal call)
T Server startup procedure (internal call)
V SAP start service (internal call)
J Java Virtual Machine (internal call)
W BGRFC watchdog (internal call)
G ABAP Resource Manager (internal call)
r RFC via WebSockets (external)
Y TRFC/QRFC/bgRFC (internal)
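
Added example (not part of the original note): a Python parser that groups the three dev_w trace lines shown above into one event per logon attempt and decodes the return code and access type using the tables on this page. The sample lines, all field values in them, and the choice of which codes to flag (ALERT_CODES) are assumptions made for this example.

```python
import re

# Subset of the return codes listed above; texts copied from this page.
RETURN_CODES = {
    0: "No error - successful logon",
    53: "Password lock active (too many failed logons)",
    65: "SPNego replay attack detected",
    3003: "SAML bearer assertion was already used (replay)",
}
ACCESS_TYPES = {"H": "HTTP", "R": "RFC (as of 4.6C: external RFC)"}
ALERT_CODES = {65, 3003}  # assumption: this example's triage choice (replay codes)

FIELD_RE = re.compile(r"(\w+)=([^,\s]*)")
RC_RE = re.compile(r"DyISigni: return code=(\d+)")

def describe(code):
    if 300 <= code <= 399:  # the page documents this range as one entry
        return "OpenID connect (OIDC) error; see SAP Note 3111813"
    return RETURN_CODES.get(code, "not in this example's subset")

def parse_trace(lines):
    """Group each logon attempt's trace lines into one decoded event."""
    events, pending = [], {}
    for line in lines:
        rc = RC_RE.search(line)
        if rc:  # the return-code line closes the current attempt
            code = int(rc.group(1))
            pending.update(code=code, meaning=describe(code), alert=code in ALERT_CODES)
            events.append(pending)
            pending = {}
        elif "DyISigni:" in line:  # the field line opens a new attempt
            pending = dict(FIELD_RE.findall(line))
            pending["access_text"] = ACCESS_TYPES.get(pending.get("access"), "unknown")
        elif "usrexist:" in line:
            pending["method"] = line.split("method:", 1)[-1].strip()
    return events

# Constructed sample lines; all field values are placeholders, not real trace output.
SAMPLE = [
    "DyISigni: client=001, user=ALICE, lang=E , access=H, auth=X",
    "usrexist: effective authentification method: constructed-value",
    "DyISigni: return code=3003 (see Note 320991)",
    "DyISigni: client=001, user=BOB, lang=E , access=R, auth=X",
    "DyISigni: return code=53 (see Note 320991)",
]

if __name__ == "__main__":
    for event in parse_trace(SAMPLE):
        print(event)
```

Extend RETURN_CODES and ACCESS_TYPES with the remaining rows of the tables above before running it against a real dev_w file.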