One of our company's users reported that he accidentally entered
the Windows password instead of the SAP login password, and created an SAP
support ticket asking how he can remove the failed password warning pop-up
that appears every time he does a Single Sign-On.
You notice that when logging on to the system, the following
message pops up on the screen:
"Number of failed password logon attempts: 'n' (see long
SAP NetWeaver Release 7.31 onwards
What the user needs to do:
1) The user needs to know his/her correct SAP login password.
2) Log in to SAP once using the correct SAP user name and
Once the system detects the correct password, the password logon
counter is reset to its initial value and the failed logon attempts pop-up
no longer appears.
This is self-explanatory if you
read the SAP information correctly.
Number of failed password logon attempts: 3 (see long
text) Message No. 00788
One or more failed attempts made to log on to the system
with a password and your user name. Failed logon attempts could be caused
by you (typo when entering hidden password) or could be an indication of
an attempt by a third party to guess your password.
Every failed attempt to log on with a password is counted.
When a preconfigurable threshold value is exceeded, any further password
logon attempts are blocked to keep your password from being guessed.
This counter is reset after a successful password logon.
This message tells you the value before the deletion.
If you log on to the system in another way (with Single
Sign-On, not with a password), the value of the counter remains unchanged.
The number of failed password logon attempts is displayed again at the
If you suspect that other people are attempting to guess
your password, you should contact your system administrator. The system
administrator can then log any logon attempts where additional information
(time stamp, network address, and so on) is recorded which could help to
determine the cause.
If you are also able to log on to the system without
a password (using Single Sign-On), you should consider deactivating
the password that is no longer required. Neither you nor other people can
log on to the system using your user name and the deactivated password,
further password logon attempts are denied. If it is not possible to log
on to the system by password, this is no longer displayed to you in a warning
message (about any failed password logon attempts).
Procedure for System Administration
Use the Security Audit Log to log both failed and successful
Rationale Behind This Failed
The rationale behind a counter for failed password logon
attempts is that passwords can be guessed (not only stolen) and thus it
is needed to limit the number of permissible failed logon attempts. Unfortunately,
the system cannot differentiate between accidental typos of the legitimate
user and the attempts of an attacker to guess your password. Hence, the
system will make an alert to inform you that there have been failed password
logon attempts to your User ID. Then, you should be able to judge whether
it was likely you or someone else who has caused this.
It is important to bear in mind that being able to logon
also by other means than by password (i.e. via Single Sign-On - SSO) does
not eliminate the above mentioned risk. Actually one could even argue that
it might increase the risk since you might have forgotten about your (idle)
password. For exactly this reason it was configurable to prompt you to
change (or disregard) your password when it is about to be changed (after
'n' days, configurable) - even if you do not use your password to login.
The reason for not resetting the counter of failed password
logon attempts when performing a non-password logon is that this would
jeopardize the concept (of limiting the number of permissible failed password
logon attempts) - because this would grant an attacker additional attempts
to guess your password. So, if you are not using your password, the best
advice is: deactivate it - because then also the attacker will have no
chance to impersonate with a guessed or cracked password.
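The rationale above can be checked with a small model. The following is an added example, not SAP code or part of the original note; the threshold of 5, the point at which blocking starts, and the daily pattern of one SSO logon followed by three wrong password attempts are all assumptions made for illustration.

```python
from dataclasses import dataclass

THRESHOLD = 5  # assumed value; the real threshold is configurable per system


@dataclass
class Account:
    reset_on_sso: bool        # False = behaviour described on this page
    failed: int = 0           # failed password logon counter
    evaluated: int = 0        # wrong guesses the system actually checked

    @property
    def locked(self) -> bool:
        # Assumption: password logon is blocked once the counter reaches THRESHOLD.
        return self.failed >= THRESHOLD

    def wrong_password(self) -> None:
        if self.locked:
            return            # blocked: the guess is never evaluated
        self.failed += 1
        self.evaluated += 1

    def sso_logon(self) -> int:
        shown = self.failed   # value the warning pop-up would display
        if self.reset_on_sso:
            self.failed = 0   # hypothetical policy the text argues against
        return shown


def simulate(reset_on_sso: bool, days: int = 10, guesses_per_day: int = 3):
    """Each day: the user logs on via SSO, then someone else tries wrong passwords."""
    acct = Account(reset_on_sso)
    warnings = []
    for _ in range(days):
        warnings.append(acct.sso_logon())
        for _ in range(guesses_per_day):
            acct.wrong_password()
    return acct.evaluated, acct.locked, warnings


if __name__ == "__main__":
    for policy in (False, True):
        evaluated, locked, warnings = simulate(policy)
        print(f"reset_on_sso={policy}: guesses evaluated={evaluated}, "
              f"password logon blocked={locked}, pop-up values={warnings}")
```

With the counter left untouched by SSO, the limit is hit on the second day and no further guesses are evaluated; if SSO reset it, every guess over the ten days would be checked and the limit would never be reached.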