Tracing incoming RFC or why SAP user is getting locked?

There are many discussion threads on SCN dealing with issue of SAP user which gets locked frequently and reason of this it not know. I recently faced same issue. My SAP user I’m regularly using in one of my SAP system was locked. As I’m using my cloud provider to host the SAP system for me and every time I needed to write an email to provider to unlock the user. After few times of bothering them I obtained new user which I was using to unlock my regular user. I started to use that new user instead of my regular one however from time to time I needed to use the regular user and it was still locked. I decided to invest some time to hunt a mystery of why my regular user was getting locked.

As mentioned I started with having a look at SCN and elsewhere to get an overview what I should do to get the mystery solved. I came a across posts like:

·         this – suggesting to use tcode STAD

·         this – suggesting to use ST03N tcode

·         this – suggesting to use tcode SM19/SM20 – Audit logs

·         this suggesting to use tcode ST01

·         this suggesting to use CCMS

·         this / this suggesting to use report ZRFC_STATRECS_SUMMARY (or tcode STRFCTRACE in newer versions of NetWeaver see Note 931251)

·         and many others.

I went through all of them however I was not able to figure out what was an issue.

One thing was obvious from reviewing all the posts was that it happens because of some RFC call. I checked with rest of developers who shares the same SAP system with me but none of them was using my regular SAP user to run their automated tests. Only thing which was for sure was that in tcode SM21 I was getting entries like following:

7.11.2015

00:51:32 DIA  008 800 MYUSER US  1 User MYUSER locked due to incorrect logon

02:16:58 DIA  001 800 MYUSER US  1 User MYUSER locked due to incorrect logon

17:06:42 DIA  000 800 MYUSER US  1 User MYUSER locked due to incorrect logon

I tried to setup few system profile parameters to increase level of logging. After every such an attempt I unlocked my regular SAP user and I waited to get user locked and I reviewed logs but not a chance to reveal the mystery.

Finally I ran to SCN post which suggested to setup following profile parameter:

rfc/signon_error_log to value 2

The parameter causes that when the RFC logon fails the SAP system create an ABAP dump with all the call’s detail. The ABAP dump is called “CALL_FUNCTION_SIGNON_REJECTED” and it basically provides all information that helps to identify the FCR call causing the issue:

Category               Installation Errors

Runtime Errors         CALL_FUNCTION_SIGNON_REJECTED

Date and Time          08.11.2015 18:11:32

 Short text

     You are not authorized to logon to the target system (error code 53).

Meaning:

53   PASSWORD_ATTEMPTS_LIMITED  Lock counter exceeded

Server-Side Connection Information

Client.............. 000

User................ "SAPSYS"

Transaction......... " "

Call Program........."CL_BGRFC_SUPERVISOR_START=====CP"

Function Module..... "BGRFC_CHECK_SCHEDULERS"

Call Destination.... "xxxx_RFC"

Source Server....... "abcserver_SID_sysno"

Source IP Address... "1.1.1.1"

Based on “Call Program” I was able to identify the thing which was causing the issue. Once I entered proper password to RFC destination actually used for bgRFC in tcode “SBGRFCCONF - bgRFC Configuration” issue disappeared and the mystery was solved!