
SAPMHTTP Logon failed (reason=1, type=H, method=P)

msdra
Explorer
0 Kudos

Hello Everyone,

Recently, we have been encountering logon failures in all of our ECC and BW systems. They are associated with the program SAPMHTTP and use only one terminal name with a bunch of users in it, as seen in the audit logs (transaction code SM20). Ex: MAINT, GUEST, ADMIN, STORWATCH, MAIL, MGR, ROOT, USER, HELLO, DEVICE, CISCO, PFCUSER, PATROL, VOLITION.

The error stated that "User $$$$$$ locked due to incorrect logon. Several attempts were made to log on to the system as the user without giving the correct password. This probably reflects an attempted attack on the system. Change the user password immediately or even the delete the user and recreate it under another name, if the user in question is important for security."

However, we looked at the Linux level and these users are non-existent. We also checked at the SAP level, and there are no users with those usernames. The terminal IP/terminal name is also used for load balancers, and we checked the network traffic logs; there is nothing notable indicating that a suspicious attack happened.

Can we trace or find out why these users are in the audit logs, and is this a user that is being used by SAPMHTTP?

Thank you in advance.
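
A triage sketch for the pattern described in the question, added here as an example and not part of the original post or of any SAP tooling: it groups failed-logon events from an audit log export by terminal and separates attempted user names that exist in the user master from those that do not. The semicolon-separated export layout, the host names, the timestamps and the `KNOWN_USERS` list are constructed assumptions.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample, not a real SM20 export. The column layout is an
# assumption; map the field names to whatever your own export contains.
SAMPLE_EXPORT = """\
date;time;user;terminal;program;message
2024-01-10;02:14:01;MAINT;lb-node-01;SAPMHTTP;Logon failed (reason=1, type=H, method=P )
2024-01-10;02:14:02;GUEST;lb-node-01;SAPMHTTP;Logon failed (reason=1, type=H, method=P )
2024-01-10;02:14:03;ADMIN;lb-node-01;SAPMHTTP;Logon failed (reason=1, type=H, method=P )
2024-01-10;02:14:04;ROOT;lb-node-01;SAPMHTTP;Logon failed (reason=1, type=H, method=P )
2024-01-10;02:14:05;CISCO;lb-node-01;SAPMHTTP;Logon failed (reason=1, type=H, method=P )
2024-01-10;02:14:06;ROOT;lb-node-01;SAPMHTTP;Logon failed (reason=1, type=H, method=P )
2024-01-10;08:30:11;JSMITH;pc-0042;SAPMSYST;Logon failed (reason=1, type=A, method=P )
2024-01-10;08:30:40;JSMITH;pc-0042;SAPMSYST;Logon successful (type=A, method=P )
"""

# Constructed stand-in for the list of user names that exist in the system.
KNOWN_USERS = {"JSMITH"}

LOGON_FAILED = re.compile(r"Logon failed \(reason=(\w+), type=(\w+), method=(\w+)\s*\)")


def summarize_failed_logons(export_text, known_users):
    """Group failed logons by (terminal, program, reason, type, method)."""
    groups = defaultdict(lambda: {"events": 0, "known": set(), "unknown": set()})
    for row in csv.DictReader(io.StringIO(export_text), delimiter=";"):
        match = LOGON_FAILED.search(row["message"])
        if not match:
            continue  # successful logons and other audit events are ignored
        key = (row["terminal"], row["program"], *match.groups())
        user = row["user"].upper()
        groups[key]["events"] += 1
        groups[key]["known" if user in known_users else "unknown"].add(user)
    return dict(groups)


def flag_enumeration(summary, min_unknown=5):
    """Return groups where one terminal tried many names absent from the user list."""
    return [key for key, g in summary.items() if len(g["unknown"]) >= min_unknown]
```

When the flagged terminal is a load balancer, as in the question, the grouping only identifies the entry path; the original client address has to come from the load balancer's own logs.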

msdra
Explorer
0 Kudos

Up -- Still experiencing this issue