SAP GUI logon Return Code
| Return Code | Error Message |
| 0 | No error – successful logon |
| 1 | Incorrect logon data (client / user name / password) |
| 2 | User account is locked |
| 3 | Incorrect logon data; for SAPGUI: connection closed |
| 4 | (Successful) Logon using emergency user SAP* (see SAP Note 2383) |
| 5 | Error when constructing the user buffer (==> possible follow-on error) |
| 6 | User exists only in the central user administration (CUA) |
| 7 | Invalid user type |
| 8 | User account outside validity period |
| 9 | SNC name and specified user/client do not match |
| 10 | Logon requires SNC (Secure Network Communication) |
| 11 | No ABAP user with this SNC name exists in the system |
| 12 | ACL entry for SNC-secured server-server link is missing |
| 13 | No suitable SAP account found for the SNC name |
| 14 | Ambiguous assignment of SNC names to ABAP users |
| 15 | Unencrypted SAP GUI connection refused |
| 16 | Unencrypted RFC connection refused |
| 20 | Logon using logon/assertion ticket is generally deactivated |
| 21 | Syntax error in received logon/assertion ticket or reentrance ticket not valid |
| 22 | Digital signature check for logon/assertion ticket fails |
| 23 | Logon ticket/assertion issuer is not in the ACL table |
| 24 | Logon/assertion ticket is no longer valid |
| 25 | Assertion ticket receiver is not the addressed recipient |
| 26 | Logon/assertion ticket contains no/an empty ABAP user ID |
| 27 | Reauthorization check: ticket does not match current user |
| 28 | Ticket logon denied by security policy |
| 30 | Logon using X.509 certificate is generally deactivated |
| 31 | Syntax error in the received X.509 certificate |
| 32 | X.509 certificate does not originate from the Internet Transaction Server |
| 34 | No suitable ABAP user found for the X.509 certificate |
| 35 | Ambiguous assignment of X.509 certificate to ABAP users |
| 36 | 36 Certificate is older than the date entered as “min. date” (USREXTID) |
| 41 | No suitable ABAP user found for the external ID |
| 42 | Ambiguous assignment of external ID to ABAP users |
| 50 | Password logon was generally deactivated or denied by security policy |
| 51 | Initial password has not been used for too long |
| 52 | User does not have a password |
| 53 | Password lock active (too many failed logons) |
| 54 | Productive password has not been used for too long |
| 60 | SPNego logon denied by security policy |
| 61 | Invalid SPNego token (syntax) |
| 62 | NTLM token received instead of SPNego token |
| 63 | Missing/incorrect Kerberos keytab entry |
| 64 | Invalid SPNego token (time) |
| 65 | SPNego replay attack detected |
| 66 | SPNego: Error when creating the SNC name |
| 67 | SPNego: No suitable SAP account found for the SNC name |
| 68 | SPNego: Ambiguous assignment of SNC names to ABAP users |
| 69 | Reauthentication check: SPNego token does not match current user |
| 100 | Client does not exist |
| 101 | Client is currently locked for logons |
| 102 | External WebSocket RFC communication is not allowed (RFC runtime) |
| 103 | External WebSocket RFC communication requires alias user (RFC runtime) |
| 104 | System is in maintenance mode and locked against logons |
| 110 | Tenant was stopped (runlevel STOPPED) |
| 111 | Tenant cannot be used generally (runlevel ADMIN) |
| 112 | No authorization to log on to the current logon category |
| 120 | Server does not allow logon |
| 121 | No special rights for logon on this server |
| 300-399 | OpenID connect (OIDC) error; see SAP Note 3111813 |
| 1001 | Password is initial/has expired – interactive change required (RFC/ICF) |
| 1002 | Trusted system logon failed (no S_RFCACL authorization) |
| 3000 | Reauthorization check: SAML bearer assertion is not compatible with current user |
| 3001 | Internal SAML bearer assertion verification error |
| 3002 | SAML bearer assertion could not be parsed |
| 3003 | SAML bearer assertion was already used (replay) |
| 3004 | SAML bearer assertion could not be assigned to a user |
| 3005 | Issuer of SAML bearer assertion is not trusted |
| 3006 | NameID format of SAML bearer assertion is not supported |
| 3007 | Signature of SAML bearer assertion is not valid |
| 3008 | SAML bearer assertion is not valid or is no longer valid |
| 3009 | SAML is not activated or SAML bearer assertion provider is not activated |
Explanations for “access” (access types):
| Return Code | Error Message |
| A | Dialog logon (SAP GUI) |
| B | Background processing (batch) |
| C | CPIC |
| F | RFC (as of 4.6C: internal RFC) |
| R | RFC (as of 4.6C: external RFC) |
| I | RFC system call (internal SRFC) |
| S | RFC system call ( [external]* SRFC) – *see SAP Note 2590963 |
| U | User switch (internal call) |
| H | HTTP |
| u | Restore session (ABAP class CL_USERINFO_DATA_BINDING) |
| ” “ | API call (such as SUSR_CHECK_LOGON_DATA) |
| M | SMTP authentication (MTA): Password check |
| P | ABAP push channel (APC)/WebSockets |
| E | Establishment of a shared memory area (internal call) |
| O | AutoABAP (internal call) |
| T | Server startup procedure (internal call) |
| V | SAP start service (internal call) |
| J | Java Virtual Machine (internal call) |
| W | BGRFC watchdog (internal call) |
| G | ABAP Resource Manager (internal call) |
| r | RFC via WebSockets (external) |
Explanations for “auth” (authentication types):
| Return Code | Error Message |
| P | Password-based authentication |
| T | Logon ticket |
| t | Assertion ticket |
| X | Certificate-based logon (X.509 / https) |
| S | SNC (Secure Network Communication) |
| R | Internal RFC or trusted system RFC |
| A | Internal call via background processing for example |
| E | External authentication (PAS / SAML / …) |
| U | Inverse user switch (ABAP class CL_USER_POC) |
| s | HTTP security session |
| 2 | SAML2 |
| 1 | SAML1 |
| o | OAuth2 |
| N | SPNego |
| a | APC session (WebSockets) |
| B | SAML bearer |
| r | Reentrance ticket |
| D | OIDC logon |
| d | OIDC bearer |
SAP相关产品:
SAP GRC权限合规检查系统(简称AMS-R系统)是SAP ERP应用企业进行权限合规检查、违规数据抓取和IT审计的理想工具。
AMS-V SAP License 资产优化管理系统产品:是应用于SAP系统权限风险控制及注册用户账号管理为目标的SAP软件资产精益化管理方案。
SAP 日志堡垒机安全管理系统(简称AMS-L系统)是一款面向SAP ERP 系统的网络安全管理工具,提供基于SAP系统用户业务行为的常态化监管,是对SAP现有日志体系的有效增强管理。
SAP 运维管理平台系统(简称AMS-Ops)旨在确保企业SAP应用系统健康、稳定运行的基础上,持续性的改进、优化,从而满足其业务发展需要的企业级SAP系统运维管理服务。
AMS SAP 商超订单统一管理系统以商超平台订单集中管理为核心,系统支持多平台、多店铺、全渠道系统采购订单、验收单、结算单等业务单据的统一管理;商超订单统一管理系统支持与 SAP ERP 系统的无缝衔接,在SAP ERP系统中自动生成销售订单、外向交货单,核对验收单、结算单等 SD 模块业务操作,有效的简化企业商超订单管理工作流程,保证订单数据处理的统一、准确、高效,实现跨系统、组织的协同管理,提升企业营销效率。
关于赛锐信息
河南赛锐信息科技有限公司(简称“赛锐信息”)是一家致力于SAP ERP系统应用的服务商,公司立足打造基于AMS产品套件的企业信息化解决方案,结合前沿技术追求最佳用户体验、企业信息化优秀解决方案和企业级产品应用的供应商。公司自主研发的AMS系列软件产品是国内首个用于SAP权限风险识别的增强系统,也是同行业用户精益化管理解决方案中最优的解决方案,作为用户管理、风险规避和信息审计的辅助工具,其有助于规范企业的管理行为,帮助建立合规的管控流程,有效提高企业IT资产投资回报率;AMS系列产品在各项技术指标上拥有完全的、独立的领先优势,可以满足市场竞争、技术许可和标准制定等方面的需要。
作者:SAP权限管理 QQ:2651000673
