Number of Failed Password Logon Attempts

One of our company user reported that he accidently enter the windows password instead of the SAP login password and create a SAP support ticket on how he can removed the pop-up failed password warning every time he does a Single Sign-on.
 
Symptom
 
You notice that when logging onto the system , the following message pops-up in the screen:
"Number of failed password logon attempts: 'n' (see long text)"
 
Environment

SAP NetWeaver Release 7.31 onwards
 
Solution:
 
What the user need to do:
 
1) The user need to know his/her correct SAP login password.
 
2) Login SAP once using the correct SAP user name and password.
 
Once the system detect the correct password, the pwd-logon counter will be reset to initial and the pop-up failed logon attempts will no longer appear.
 
---
 
This is self-explantory if you read the SAP information correctly. 
 
Number of failed password logon attempts: 3 (see long text) Message No. 00788
 
Diagnosis
 
One or more failed attempts made to log on to the system with a password and your user name. Failed logon attempts could be caused by you (typo when entering hidden password) or could be an indication of an attempt by a third party to guess your password.
 
System Response
 
Every failed attempt to log on with a password is counted. When a preconfigurable threshold value is exceeded, any further password logon attempts are blocked to keep your password from being guessed.
 
This counter is reset after a successful password logon. This message tells you the value before the deletion.
 
If you log on to the system in another way (with Single Sign-On, not with a password), the value of the counter remains unchanged. The number of failed password logon attempts is displayed again at the next logon.
 
Procedure
 
If you suspect that other people are attempting to guess your password, you should contact your system administrator. The system administrator can then log any logon attempts where additional information (time stamp, network address, and so on) is recorded which could help to determine the cause.
 
If you are also able to log on to the system without a password  (using Single Sign-On), you should consider deactivating the password that is no longer required. Neither you nor other people can log on to the system using your user name and the deactivated password, further password logon attempts are denied. If it is not possible to log on to the system by password, this is no longer displayed to you in a warning message (about any failed password logon attempts).
 
Procedure for System Administration
 
Use the Security Audit Log to log both failed and successful logon attempts.
 
Ratioinal Behind This Failed Password Pop-up
 
The rationale behind a counter for failed password logon attempts is that passwords can be guessed (not only stolen) and thus it is needed to limit the number of permissible failed logon attempts. Unfortunately, the system cannot differentiate between accidental typos of the legitimate user and the attempts of an attacker to guess your password. Hence, the system will make an alert to inform you that there have been failed password logon attempts to your User ID. Then, you should be able to judge whether it was likely you or someone else who has caused this.

It is important to bear in mind that being able to logon also by other means than by password (i.e. via Single Sign-On - SSO) does not eliminate the above mentioned risk. Actually one could even argue that it might increase the risk since you might have forgotten about your (idle) password. For exactly this reason it was configurable to prompt you to change (or disregard) your password when it is about to be changed (after 'n' days, configurable) - even if you do not use your password to login.
 
The reason for not resetting the counter of failed password logon attempts when performing a non-password logon is that this would jeopardize the concept (of limiting the number of permissible failed password logon attempts) - because this would grant an attacker additional attempts to guess your password. So, if you are not using your password, the best advice is: deactivate it - because then also the attacker will have no chance to impersonate with a guessed or cracked password.

SAP BC Tips

See Also
Administrator Problems And Solutions

Get help for your Basis problems
Do you have a SAP Basis Question?

SAP Basis Admin Books
SAP System Administration, Security, Authorization, ALE, Performance Tuning Reference Books

SAP Basis Tips
SAP BC Tips and Basis Components Discussion Forum

Administration In SAP - Sapgui, Unix, SAP ITS, Router, Client Copy and IDES 

Main Index
SAP ERP Modules, Basis, ABAP and Other IMG Stuff

All the site contents are Copyright © www.erpgreat.com and the content authors. All rights reserved.
All product names are trademarks of their respective companies.  The site www.erpgreat.com is in no way affiliated with SAP AG. 
Every effort is made to ensure the content integrity.  Information used on this site is at your own risk. 
 The content on this site may not be reproduced or redistributed without the express written permission of 
www.erpgreat.com or the content authors.