How to Handle the Error codes during SAP logon

The following list is taken from SAP Note 320991 – Error codes during logon (list). For the list of SAP logon error codes themselves, refer to https://itsiti.com/list-of-error-codes-during-sap-logon/.

This article describes how users and user administrators should react to the error messages (code numbers) listed at https://itsiti.com/list-of-error-codes-during-sap-logon/.

1 Incorrect logon data (client, user name, password)
User: Check the logon data entered (enter data again).
Admin: Check the logon data for the service users, for example, in SM59 destinations or ICF services.

2 User account is locked
User: Contact the user administrator/help desk.
Admin: Release the lock(s) (transaction SU01).

3 Incorrect logon data; for SAPGUI: connection closed
See point 1.

4 (Successful) Logon using emergency user SAP* (see SAP Note 2383)
User: No error – logon successful
Admin: Deactivate the automatic user SAP* if necessary (see SAP Note 68048).

5 Error when constructing the user buffer (==> possible follow-on error)
User: Contact the user administrator/help desk.
Admin: Solve the technical problem (see SAP Note 10187); this error is historical.

6 User only exists in the central user administration (CUA)
User: Check the logon data entered (enter data again).
Admin: Check the Central User Administration settings (see SAP Notes 159885 and 325213).

7 Invalid user type
User: Check the logon data entered (enter data again).
Admin: Change the user type (transaction SU01).

8 User account outside validity period
User: Contact the user administrator/help desk.
Admin: Change the validity period (transaction SU01).

9 SNC name and specified user/client do not match
User: Check the logon data entered (enter data again).
Admin: Change SNC assignment if necessary (transaction SU01).

10 Logon requires SNC (Secure Network Communication)
User: Contact the system administrator/help desk.
Admin: Check the SNC settings (refer to “SNC User’s Guide”).

11 No SAP user with this SNC identification exists in the system
User: Contact the system administrator/help desk.
Admin: If necessary, supplement or correct the mapping of the SNC name to the ABAP user (table USRACL(EXT)) in transaction SU01
(see: SAPnet – http://service.sap.com/security: -> Security in Detail -> Infrastructure Security: “SNC User’s Guide”)

12 ACL entry for SNC-secured server-server link is missing
User: Contact the system administrator/help desk.
Admin: If necessary, supplement or correct the mapping of the SNC name to the access types (table SNCSYSACL) in transaction SNC0.
This setting is necessary for X.509 certificate logon, external IDs, and SNC-secured system-to-system connections (RFC)
(see: SAPnet – http://service.sap.com/security: -> Security in Detail -> Secure User Access -> Authentication & Single Sign-On:
“SNC User’s Guide” and “X.509 Certificate Logon via the ITS”)

13 No suitable SAP account found for the SNC name
User: Contact the system administrator/help desk.
Admin: See point 11 (=> SAP Note 650347).

14 Ambiguous assignment of SNC names to ABAP users
User: Contact the system administrator/help desk.
Admin: See point 11 (=> SAP Note 650347).

15 Unencrypted SAP GUI connection refused
User: Check SAP GUI settings: Use SNC with the “Privacy protection” option
Admin: See SAP Note 1690662: Profile parameter snc/only_encrypted_gui was set to 1.

16 Unencrypted RFC connection refused
User: Check RFC connection settings: Use SNC with the “Privacy protection” option
Admin: See SAP Note 1690662: Profile parameter snc/only_encrypted_rfc was set to a value greater than 0.

20 Logon using logon/assertion ticket is generally deactivated
User: Contact the system administrator/help desk.
Admin: Set profile parameter login/accept_sso2_ticket = 1
(refer to SAP Note 177895 – Technical Prerequisites).

21 Syntax error in the received logon/assertion ticket
User: Contact the system administrator/help desk.
Admin: Use the trace (level 2, only “Security” component) to analyze the error, contact the SAP Hotline (BC-SEC-LGN) if necessary.

22 Digital signature check for logon/assertion ticket fails
User: Contact the system administrator/help desk.
Admin: Use the trace (level 2, only “Security” component) to analyze the error, check the settings in transaction SSO2
(configuration error, see SAP Note 177895), if necessary, contact the SAP Hotline (BC-SEC-SSF).

23 Logon ticket/assertion issuer is not in the ACL table
User: Contact the system administrator/help desk.
Admin: Use the trace (level 2, only “Security” component) to analyze the error, check the settings in transaction SSO2
(configuration error, ACL table: TWPSSO2ACL, see SAP Note 177895).

24 Logon/assertion ticket is no longer valid
User: Log onto the ticket-issuing system again, restart the browser if necessary.
Admin: Increase the ticket expiration time (profile parameter login/ticket_expiration_time).

25 Assertion ticket receiver is not the addressed recipient
See SAP Note 1080218 (point 5).

26 Ticket contains no/an empty ABAP user ID
See SAP Note 1159962.

30 Logon using X.509 certificate is generally deactivated
User: Contact the system administrator/help desk.
Admin: Set the profile parameter snc/extid_login_diag = 1 if necessary.

31 Syntax error in the received X.509 certificate
User: Contact the system administrator/help desk.
Admin: Use the trace (level 2, only “Security” component) to analyze the error, contact the SAP Hotline (BC-SEC-SSF) if necessary.

32 X.509 certificate does not originate from the Internet Transaction Server
User: Contact the system administrator/help desk.
Admin: Check the configuration – this error is extremely rare. Use the trace (level 2, only “Security” component) to analyze the error,
contact the SAP Hotline if necessary (BC-SEC-LGN).

34 No suitable ABAP user found for the X.509 certificate
User: Contact the system administrator/help desk.
Admin: Check the mapping of X.509 certificates to ABAP users.
(Table USREXTID, TYPE=DN using view VUSREXTID, SM30),
Use trace (level 2, only “Security” component) to analyze the error (display the X.509 certificate content).
Note: We recommend using rule-based certificate mapping (CERTRULE) as of SAP_BASIS 7.31;
a migration of legacy USREXTID mapping procedures (CERTRULE_MIG) is available.

35 Ambiguous assignment of X.509 certificate to ABAP users
User: Contact the system administrator/help desk.
Admin: Check the mapping of X.509 certificates to ABAP users (like error code 34).
Alternatively, you can use USER=* during the logon process (RFC) to force mapping
to the “selected” entry (No. 000).
Note: If you use rule-based certificate mapping (CERTRULE), this error can no longer occur.

36 Certificate is older than the date entered as “min. date” (USREXTID)
User: Contact the system administrator/help desk.
Admin: Check the mapping entry with transaction EXTID_DN.
(This function exists as of the kernel from SAP Note 1815228.)

41 No suitable ABAP user found for the external ID
— Like error code 34; difference: Other TYPE assignment (note: CERTRULE is not an option here)

42 Ambiguous assignment of external ID to ABAP users
— Like error code 35; difference: Other TYPE assignment (note: CERTRULE is not an option here)

50 Password logon was generally deactivated or denied by security policy
User: Contact the system administrator/help desk or use a different logon variant (=> single sign-on).
Admin: see SAP Note 379081: Profile parameters
– login/disable_password_logon
– login/password_logon_usergroup
Note: As of SAP_BASIS 7.31, security policy attributes (SECPOL) can be used instead of the profile parameters.
Security policies can be assigned to individual users (SU01).

51 Initial password has not been used for too long
User: Contact the user administrator/help desk.
Admin: Assign new password (transaction SU01).
See SAP Note 379081: Profile parameters
– login/password_max_new_valid
– login/password_max_reset_valid
– login/password_max_idle_initial (from 7.00)
Note: As of SAP_BASIS 7.31, security policy attributes (SECPOL) can be used instead of the profile parameters.
Security policies can be assigned to individual users (SU01).

52 User does not have a password
User: Contact the user administrator/help desk.
Admin: Assign new password (transaction SU01).

53 Password lock active (too many failed logons)
User: Contact the user administrator/help desk.
Admin: Release the lock and assign a new password if necessary.
(see SAP Note 939017: Distinction between types of locks)

54 Productive password has not been used for too long
User: Contact the user administrator/help desk.
Admin: Assign new password (transaction SU01).
(see SAP Note 862989: profile parameter login/password_max_idle_productive)
Note: As of SAP_BASIS 7.31, security policy attributes (SECPOL) can be used instead of the profile parameters.
Security policies can be assigned to individual users (SU01).

60 SPNego logon denied by security policy
User: Contact the user administrator/help desk.
Admin: Assign a different security policy to the user (SU01) or change the assigned security policy (SECPOL).

61 Invalid SPNego token (syntax)
User: Contact the user administrator/help desk.
Admin: Perform a trace analysis as described in SAP Note 495911 or 1732610 (report SEC_TRACE_ANALYZER).

62 NTLM token received instead of SPNego token
User: Contact the user administrator/help desk.
Admin: See SAP Note 1732610, point 3.2.3 (recommendation: refer to SAP Note 2010613 for checking the AD configuration)

63 Missing/incorrect Kerberos keytab entry
User: Contact the user administrator/help desk.
Admin: See SAP Note 1732610, point 3.2.6

64 Invalid SPNego token (time)
User: Contact the user administrator/help desk.
Admin: See SAP Note 1732610, point 3.2.4

65 SPNego replay attack detected
User: Contact the user administrator/help desk.
Admin: See SAP Note 1732610, point 3.2.8

66 SPNego: Error when creating the SNC name
User: Contact the user administrator/help desk.
Admin: See SAP Note 1732610, point 3.2.11 (SNC is not active or Kerberos UPN is too long).

67 SPNego: No suitable SAP account found for the SNC name
User: Contact user administrator/help desk
Admin: See SAP Note 1732610, point 3.2.9.

68 SPNego: Ambiguous assignment of SNC names to ABAP users
User: Contact user administrator/help desk
Admin: See SAP Note 1732610, point 3.2.10.

100 Client does not exist
User: Check the logon data entered (enter data again).
Admin: Check the logon data for service users, for example, in RFC destinations (client specification).

101 Client is currently locked for logons
User: Contact the system administrator/help desk or attempt logon again at a later time.
Admin: Check whether a client copy/import/export is still running.

102 External WebSocket RFC communication is not allowed (RFC runtime)
User: Contact the system administrator/help desk.
Admin: Check rfc/websocket/external_active.

103 External WebSocket RFC communication requires alias user (RFC runtime)
User: Contact system administrator/help desk
Admin: Check rfc/websocket/external_active.

104 System is in maintenance mode and locked against logons
User: Contact the system administrator/help desk or attempt logon again at a later time.
Admin: See SAP Note 12946.

110 Tenant was stopped (runlevel STOPPED)
This can occur only in SAP Business ByDesign systems or Next Generation ABAP Platform (NGAP) systems.
User: Contact system administrator/help desk or attempt logon again at a later time
Admin: See SAP Note 1433885 (case 1).

111 Tenant cannot be used generally (runlevel ADMIN)
This can occur only in SAP Business ByDesign systems or Next Generation ABAP Platform (NGAP) systems.
User: Contact system administrator/help desk or attempt logon again at a later time
Admin: See SAP Note 1433885 (case 2)

112 No authorization to log on to the current logon category
(can only occur in cloud systems)
User: Contact the system administrator/help desk or attempt logon again at a later time.
Admin: Assign the security policy attribute LOGON_CATEGORY to the user with a suitable value.

120 Server does not allow logon
User: Contact system administrator/help desk or attempt logon again at a later time
Admin: Adjust login restriction (see SAP Note 1891583)

121 No special rights for logon available
User: Contact system administrator/help desk or attempt logon again at a later time
Admin: Adjust login restriction or assign special rights (see SAP Note 1891583)

300-399 OpenID Connect (OIDC)
OpenID Connect (OIDC) error; see SAP Note 3111813

1001 Password is initial/has expired – interactive change required (RFC/ICF)
User: Contact system administrator/help desk
Admin: Set profile parameter rfc/reject_expired_passwd = 0 or icf/reject_expired_passwd = 0, respectively
(see SAP Notes 161146 and 454962)

1002 Trusted system logon failed (no S_RFCACL authorization)
User: Contact system administrator/help desk
Admin: Assign the missing S_RFCACL authorization to the user in question in the target system (see SAP Note 2264239).

The error codes 3000 – 3009 contain the English text of the last ABAP exception as additional information in the Security Audit Log.

3000 Reauthentication check: SAML bearer assertion is not compatible with logged-on user
User: Contact system administrator/help desk
Admin: Check mapping

3001 Internal SAML bearer assertion verification error
User: Contact system administrator/help desk
Admin: Analysis using SEC_DIAG_TOOL trace

3002 SAML bearer assertion could not be parsed
User: Contact system administrator/help desk
Admin: Analysis using SEC_DIAG_TOOL trace

3003 SAML bearer assertion has already been used (replay)
User: Contact system administrator/help desk
Admin: Check whether the user has cached the assertion. SAML bearer assertions can be used only once.

3004 SAML bearer assertion could not be assigned to a user
User: Contact system administrator/help desk
Admin: Check the mapping

3005 Issuer of SAML bearer assertion is not trusted
User: Contact system administrator/help desk
Admin: Check the configuration in transaction SAML2

3006 NameID format of SAML bearer assertion is not supported
User: Contact system administrator/help desk
Admin: Inform the issuer of the assertion that the used NameID format is not supported. The used NameID format can be seen in the Security Audit Log and in the SEC_DIAG_TOOL trace.

3007 Signature of SAML bearer assertion is not valid
User: Contact system administrator/help desk
Admin: Analysis using SEC_DIAG_TOOL trace. If possible, check whether the assertion can be validated with another product.

3008 SAML bearer assertion is not valid or is no longer valid
User: Contact system administrator/help desk
Admin: Check whether the clocks of the SAML bearer assertion issuer and the system are synchronized or whether the assertion was not used immediately after issue.

3009 SAML is not activated or SAML bearer assertion provider is not activated
User: Contact system administrator/help desk
Admin: Check the configuration in transaction SAML2
