List of Error codes during SAP logon

Posted by — December 7, 2022 in SAP BASIS Leave a reply

The following list is taken from SAP Note 320991 – Error codes during logon (list). You might want to refer to https://itsiti.com/how-to-handle-the-error-codes-during-sap-logon/ for the resolution steps.

Explanation of the Error Codes/Return Codes

Return Code Error Message
0No error – successful logon
1Incorrect logon data (client / user name / password)
2User account is locked
3Incorrect logon data; for SAPGUI: connection closed
4(Successful) Logon using emergency user SAP* (see SAP Note 2383)
5Error when constructing the user buffer (==> possible follow-on error)
6User exists only in the central user administration (CUA)
7Invalid user type
8User account outside validity period
9SNC name and specified user/client do not match
10Logon requires SNC (Secure Network Communication)
11No ABAP user with this SNC name exists in the system
12ACL entry for SNC-secured server-server link is missing
13No suitable SAP account found for the SNC name
14Ambiguous assignment of SNC names to ABAP users
15Unencrypted SAP GUI connection refused
16Unencrypted RFC connection refused
20Logon using logon/assertion ticket is generally deactivated
21Syntax error in received logon/assertion ticket or reentrance ticket not valid
22Digital signature check for logon/assertion ticket fails
23Logon ticket/assertion issuer is not in the ACL table
24Logon/assertion ticket is no longer valid
25Assertion ticket receiver is not the addressed recipient
26Logon/assertion ticket contains no/an empty ABAP user ID
27Reauthorization check: ticket does not match current user
28Ticket logon denied by security policy
30Logon using X.509 certificate is generally deactivated
31Syntax error in the received X.509 certificate
32X.509 certificate does not originate from the Internet Transaction Server
34No suitable ABAP user found for the X.509 certificate
35Ambiguous assignment of X.509 certificate to ABAP users
3636 Certificate is older than the date entered as "min. date" (USREXTID)
41No suitable ABAP user found for the external ID
42Ambiguous assignment of external ID to ABAP users
50Password logon was generally deactivated or denied by security policy
51Initial password has not been used for too long
52User does not have a password
53Password lock active (too many failed logons)
54Productive password has not been used for too long
60SPNego logon denied by security policy
61Invalid SPNego token (syntax)
62NTLM token received instead of SPNego token
63Missing/incorrect Kerberos keytab entry
64Invalid SPNego token (time)
65SPNego replay attack detected
66SPNego: Error when creating the SNC name
67SPNego: No suitable SAP account found for the SNC name
68SPNego: Ambiguous assignment of SNC names to ABAP users
69Reauthentication check: SPNego token does not match current user
100Client does not exist
101Client is currently locked for logons
102External WebSocket RFC communication is not allowed (RFC runtime)
103External WebSocket RFC communication requires alias user (RFC runtime)
104System is in maintenance mode and locked against logons
110Tenant was stopped (runlevel STOPPED)
111Tenant cannot be used generally (runlevel ADMIN)
112No authorization to log on to the current logon category
120Server does not allow logon
121No special rights for logon on this server
300-399OpenID connect (OIDC) error; see SAP Note 3111813
1001Password is initial/has expired – interactive change required (RFC/ICF)
1002Trusted system logon failed (no S_RFCACL authorization)
3000Reauthorization check: SAML bearer assertion is not compatible with current user
3001Internal SAML bearer assertion verification error
3002SAML bearer assertion could not be parsed
3003SAML bearer assertion was already used (replay)
3004SAML bearer assertion could not be assigned to a user
3005Issuer of SAML bearer assertion is not trusted
3006NameID format of SAML bearer assertion is not supported
3007Signature of SAML bearer assertion is not valid
3008SAML bearer assertion is not valid or is no longer valid
3009SAML is not activated or SAML bearer assertion provider is not activated

Explanations for “access” (access types):

Return Code Error Message
ADialog logon (SAP GUI)
BBackground processing (batch)
CCPIC
FRFC (as of 4.6C: internal RFC)
RRFC (as of 4.6C: external RFC)
IRFC system call (internal SRFC)
SRFC system call ( [external]* SRFC) – *see SAP Note 2590963
UUser switch (internal call)
HHTTP
uRestore session (ABAP class CL_USERINFO_DATA_BINDING)
" "API call (such as SUSR_CHECK_LOGON_DATA)
MSMTP authentication (MTA): Password check
PABAP push channel (APC)/WebSockets
EEstablishment of a shared memory area (internal call)
OAutoABAP (internal call)
TServer startup procedure (internal call)
VSAP start service (internal call)
JJava Virtual Machine (internal call)
WBGRFC watchdog (internal call)
GABAP Resource Manager (internal call)
rRFC via WebSockets (external)

Explanations for “auth” (authentication types):

Return Code Error Message
PPassword-based authentication
TLogon ticket
tAssertion ticket
XCertificate-based logon (X.509 / https)
SSNC (Secure Network Communication)
RInternal RFC or trusted system RFC
AInternal call via background processing for example
EExternal authentication (PAS / SAML / …)
UInverse user switch (ABAP class CL_USER_POC)
sHTTP security session
2SAML2
1SAML1
oOAuth2
NSPNego
aAPC session (WebSockets)
BSAML bearer
rReentrance ticket
DOIDC logon
dOIDC bearer

You May Also Like

How to Collect SAP Server Snapshot for Kernel Snapshot Analyzer

How to Find Which SM59 RFC Destination Is Using a Specific User Name

How to Switch SM37 View – Grid or List Display

SAP Programs for Background Processing

Leave a Reply?