During logon, SAP NetWeaver Application Server ABAP checks user passwords for correctness. Even if you do not use password authentication, the system still checks for password expiration.
If a user enters incorrect or invalid data when logging on with a password, the system increases the incorrect logon counter for that user in his or her user master record. When the user changes his or her password, the system also checks the current password, and increases the incorrect logon counter if appropriate. You can define the upper limit for incorrect logon attempts in profile parameter login/fails_to_user_lock. If a user exceeds this upper limit, the system locks him or her and records this event in the security audit log and in the system log.
If a user is locked, the system immediately terminates subsequent password checks without providing information about whether or not the password is correct. You can use the profile parameter login/failed_user_auto_unlockto determine when the system lifts the lock. By default, this is the case at midnight. As soon as the user logs on correctly, the system resets the incorrect logon counter and logs this in the security audit log. The incorrect logon counter only applies for password logon. However, the system also takes active logon locks, that is, those set by the administrator, into account for logons using single sign-on (SSO).
The system also displays the number of failed logon attempts logon underfor logon with SAP GUI. For logon with HTTP, you can configure a popup.
If you use SAP GUI logon without a password, the system checks whether the user needs to change his or her password when SSO logon variants are used (such as Secure Network Communication, X.509 certificates, Pluggable Authentication Service, logon tickets). You can use profile parameter login/password_change_for_SSO to determine which of the different possible dialog boxes are displayed in this case.