Logon and Password Security for SAP GUI

Use

This section contains information about configuring logon and password security in the AS ABAP.

Integration

As of SAP NetWeaver 04, you have the option to use stronger hashing algorithms for storing and transferring the authentication credentials for SAP GUI users. If your security requirements mean that you need to use exclusively the non-backward compatible passwords of the new type, this affects the following components:

  • Communication frameworks (RFC, ICF) that transfer or store the passwords

  • Central User Administration, which distributes the password hash values

If you are using non-backward compatible passwords, communication with older systems (where the older system calls the newer system) and the shared use of a Central User Administration that consists of old and new systems is no longer possible in principle. For more information, see SAP Note 792850.

Features

To increase authentication security in AS ABAP, passwords are only stored and transferred as hash values. After SAP NetWeaver 6.40, the password hash algorithm is changed from MD5 to SHA-1. This means that more secure hash values, which are not backward-compatible and which make reverse engineering attacks difficult, can be generated.

The new functions do not initially have any consequences after an upgrade; the operation of the system and password queries continue to run as usual. The passwords of the new type gradually replace the passwords of the old type.

Initial Password

When you create a user master record, you must assign a password to the user. When a new user logs on for the first time, he or she must change the password. To do this, the user enters the old password once and then the new password twice. When the user enters the new password, the system checks it against all password rules defined by SAP and by the administrator.

The password must meet the internal requirements set by the SAP system and your own regulations. For more information about configuring passwords, see Password Rules.

The following rules do not apply to administrator users:

  • List of invalid passwords or password templates in table USR040

  • Password history; that is, the password can also be one of the last five passwords used by the user

  • Minimum number of different characters between the old and the new password
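The password-change flow described above (old password once, new password twice, then the rule checks, with the three listed rules skipped for administrator users) as an added worked example; this is illustrative code written for this page, not SAP's own check, and the USR040-style template list, the wildcard matching, the history depth of five and the minimum-difference value of 3 are assumptions of the example:

```python
import fnmatch
from dataclasses import dataclass, field
from typing import List

# Constructed sample entries standing in for table USR040 (invalid passwords or
# password templates). Wildcard matching with '*' and '?' is an assumption here.
INVALID_TEMPLATES = ["password", "sap*", "?????123"]


@dataclass
class UserRecord:
    name: str
    current_password: str
    is_administrator: bool = False
    history: List[str] = field(default_factory=list)  # previous passwords, newest first


def different_chars(old: str, new: str) -> int:
    """Position-wise count of differing characters; extra length counts as well.
    The page does not define how the difference is counted, so this simple
    comparison is an assumption of the example."""
    return sum(1 for a, b in zip(old, new) if a != b) + abs(len(old) - len(new))


def validate_password_change(user: UserRecord, old_entry: str, new_entry: str,
                             new_confirm: str, history_depth: int = 5,
                             min_diff: int = 3) -> List[str]:
    """Return the list of violated rules; an empty list means the change is accepted.

    Comparisons are case-sensitive, matching the page's note that the system
    differentiates between upper- and lower-case after SAP NetWeaver 04.
    """
    # The current password is checked first; a failure here is what the page says
    # increases the failed logon counter (not modelled in this function).
    if old_entry != user.current_password:
        return ["current password incorrect"]

    errors: List[str] = []
    if new_entry != new_confirm:
        errors.append("new password entries do not match")

    # The three rules below do not apply to administrator users.
    if user.is_administrator:
        return errors

    for template in INVALID_TEMPLATES:
        if fnmatch.fnmatchcase(new_entry, template):
            errors.append(f"matches invalid template {template!r}")
            break

    recent = [user.current_password] + user.history
    if new_entry in recent[:history_depth]:
        errors.append(f"password is one of the last {history_depth} used")

    if different_chars(user.current_password, new_entry) < min_diff:
        errors.append(f"fewer than {min_diff} characters differ from old password")

    return errors


if __name__ == "__main__":
    # Constructed sample user with four earlier passwords in the history.
    jdoe = UserRecord("jdoe", "Winter2024",
                      history=["Autumn2024", "Summer2024", "Spring2024", "Winter2023"])
    for candidate in ["Summer2024", "Winter2025", "sapadmin1", "Riverside!9"]:
        print(candidate, validate_password_change(jdoe, "Winter2024", candidate, candidate))
```

The same call for a user created with `is_administrator=True` returns only the mismatch and wrong-current-password results, which is the behaviour the list above describes for administrator users.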

Password Checks

  • Password Checks for Password-Based Logon

    For every failed password check, the failed logon counter for the affected user master record is increased. If the user changes his or her password, the system first checks the current password. If this check fails, the system increases the failed logon counter.

    If the user exceeds the limit set by the profile parameter login/fails_to_user_lock, the user is locked. This operation is logged in the Security Audit Log and in the Syslog. If a lock is set, subsequent password checks are immediately terminated (without a statement about the correctness of the password).

    The lock is regarded as invalid after the end of the current day. (Exception: see the profile parameter login/failed_user_auto_unlock.)

    The failed logon counter is reset by a successful password check at logon or password change; this is also logged in the Security Audit Log. Non-password-based logons do not affect the failed logon counter; active logon locks, that is, locks that the administrator has set in transaction SU01, are taken into account at each logon or password change.

  • Password Checks for Non-Password-Based Logon

    When you are using an SAP GUI logon, in the case of non-password-based logon variants (SSO: SNC, X.509, PAS, logon ticket), the system checks whether the user has a password that must be changed.

    In addition, administrator users can use the profile parameter login/password_change_for_SSO and its parameters to display various dialog boxes. For more information about this, see the documentation for the profile parameter in transaction RZ11.

Logon Errors

If a user enters an incorrect password, then the system allows the user two retries before terminating the logon attempt. Should the user continue to enter an incorrect password in subsequent logon attempts, then the SAP GUI connection is terminated. By default, this is done after three consecutive failed logon attempts. You can use the parameter login/fails_to_session_end to specify the number of logon attempts that the system should allow before terminating the connection. For more information, see Profile Parameters for Logon and Password (Login Parameters).

The user can repeat the logon attempt until he or she enters a valid user ID or until the permissible number of logon attempts is exhausted (parameter login/fails_to_user_lock). After SAP NetWeaver 04, the system differentiates between upper- and lower-case.

The locking of a user due to incorrect logon attempts with a password only applies on the same day (see the parameter login/failed_user_auto_unlock); however, the user administrator can also remove the lock earlier.
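The failed-logon counter, session termination and same-day lock described under Password Checks and Logon Errors, modelled as one small state machine. This is an added example, not SAP kernel code: the profile-parameter values in `PROFILE`, the `LOG` list standing in for the Security Audit Log and Syslog, and the treatment of `login/failed_user_auto_unlock` as "lock is invalid after the end of the day it was set" are assumptions of the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Constructed parameter values for the simulation (names as used in the text;
# values chosen for illustration, not the release defaults).
PROFILE = {
    "login/fails_to_session_end": 3,      # wrong passwords before the GUI connection ends
    "login/fails_to_user_lock": 5,        # wrong passwords before the user is locked
    "login/failed_user_auto_unlock": 1,   # 1: lock is regarded as invalid after the day ends
}

LOG: List[str] = []  # stand-in for Security Audit Log / Syslog entries


@dataclass
class UserMaster:
    name: str
    password: str
    failed_logons: int = 0
    locked_on: Optional[date] = None   # day on which the failed-logon lock was set
    admin_lock: bool = False           # lock set by the administrator in SU01


def is_locked(user: UserMaster, today: date) -> bool:
    """Administrator locks always apply; failed-logon locks expire with the day."""
    if user.admin_lock:
        return True
    if user.locked_on is None:
        return False
    if PROFILE["login/failed_user_auto_unlock"] == 1 and today > user.locked_on:
        return False
    return True


def password_logon(user: UserMaster, password: str, today: date) -> str:
    """One password check: returns 'ok', 'wrong' or 'locked'."""
    if is_locked(user, today):
        # Check is terminated immediately, with no statement about the password.
        return "locked"
    if password == user.password:
        if user.failed_logons:
            LOG.append(f"{today} {user.name}: failed logon counter reset")
        user.failed_logons = 0
        user.locked_on = None
        return "ok"
    user.failed_logons += 1
    if user.failed_logons >= PROFILE["login/fails_to_user_lock"]:
        user.locked_on = today
        LOG.append(f"{today} {user.name}: locked after {user.failed_logons} failed logons")
    return "wrong"


def sso_logon(user: UserMaster) -> str:
    """Non-password-based logon (SNC, X.509, logon ticket): the failed logon
    counter is not touched, but an active administrator lock is honoured."""
    return "locked" if user.admin_lock else "ok"


def gui_session(user: UserMaster, attempts: List[str], today: date) -> str:
    """One SAP GUI dialog: consecutive wrong passwords up to
    login/fails_to_session_end terminate the connection."""
    wrong_in_session = 0
    for pw in attempts:
        result = password_logon(user, pw, today)
        if result == "ok":
            return "logged_on"
        if result == "locked":
            return "locked"
        wrong_in_session += 1
        if wrong_in_session >= PROFILE["login/fails_to_session_end"]:
            return "connection_terminated"
    return "abandoned"


if __name__ == "__main__":
    jdoe = UserMaster("jdoe", "Correct!1")          # constructed sample user
    day1, day2 = date(2024, 3, 4), date(2024, 3, 5)
    print(gui_session(jdoe, ["a", "b", "c"], day1))  # three wrong: connection terminated
    print(gui_session(jdoe, ["d", "e", "f"], day1))  # fifth wrong password locks the user
    print(password_logon(jdoe, "Correct!1", day1))   # still locked the same day
    print(password_logon(jdoe, "Correct!1", day2))   # lock expired, counter reset
    print(LOG)
```

Note that the two thresholds act on different scopes: `login/fails_to_session_end` counts wrong passwords within one GUI connection, while `login/fails_to_user_lock` counts against the user master record across connections, which is why the second session in the sample locks the user after only two more wrong entries.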