SEC.02 Logon with Different User when Digital Certificates Are Active

Symptom

It is not possible to logon to the system with a different (test) user. Each logon is completed with your own assigned user.

Solution

During the logon process, the ICF logon application switches to HTTPS. Once HTTPS is active, the server and the client exchange digital certificates. If the client or user should have a digital certificate that maps onto a user ID on the server, then the logon is automatically completed with this user ID identified by the digital certificate and the user is not prompted to enter a new user ID (enabling an alternative logon).

If it is required to logon with a different user, the certificate logon needs to be prevented. One approach could be to remove the certificate mapping to the user ID (transaction SM30, view VUSREXTID, deselect Active checkbox) at the server. The alternative is to delete the digital certificate at the client (first make a backup by exporting the certificate).

Once the digital certificate mapping is deactivated, the logon application cannot complete a logon automatically and stops prompting the user for logon data.

This problem is definitely in the domain of the system administrator to solve, to a lesser extend in the domain of the user. The authentication landscape has to be updated. The error is not related to NWBC and can also be reproduced by starting any Web Dynpro ABAP application in the browser.

We highly recommend reading 7.1 NWBC and Authentication and 7.2 Use of Digital Certificates.