Channel: SCN: Message List - Security

Re: Denied message for ACCESS to registered program SLD


Meanwhile I found the problem: the first specific entry in the reginfo contained only the hostname and the IP of the physical host but not the alias which is usually used. Therefore the first specific rule did not match the request, and then finally the last entry was checked, and since in this rule ACCESS is only allowed for local, internal, the request was rejected.

However, many thanks for your support and have a nice weekend!

Michael
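
The rule-ordering effect described in the post above, as an added example that is not part of the original post and not SAP code. It is a simplified first-match model; the program name SLD_EXAMPLE, all host names and addresses, and the string-based host comparison are assumptions, while the fallback rule is the one quoted in the thread.

```python
# Added example: simplified model of first-match reginfo evaluation.
# Assumptions (not from the thread): the first rule whose TP and HOST match the
# registering program is bound to it, and that rule's ACCESS list decides which
# clients may use it. Names are compared as strings (a real gateway resolves
# them); omitted fields default to "*"; all hosts and the TP are constructed.
LOCAL = {"gwhost", "10.0.0.5", "localhost", "127.0.0.1"}
INTERNAL = LOCAL | {"sldhost", "10.0.0.6", "sld-alias"}

def parse_rule(line):
    fields = line.split()
    rule = {"action": fields[0], "TP": "*", "HOST": ["*"], "ACCESS": ["*"]}
    for field in fields[1:]:
        key, _, value = field.partition("=")
        rule[key.upper()] = value if key.upper() == "TP" else value.split(",")
    return rule

def host_in(host, patterns):
    return any(p in ("*", host)
               or (p == "local" and host in LOCAL)
               or (p == "internal" and host in INTERNAL) for p in patterns)

def bind_rule(rules, tp, reg_host):
    """Index of the first rule matching the registering program, else None."""
    for index, rule in enumerate(rules):
        if rule["TP"] in ("*", tp) and host_in(reg_host, rule["HOST"]):
            return index
    return None

def client_allowed(rules, tp, reg_host, client_host):
    """Return (bound rule index, whether client_host may use the program)."""
    index = bind_rule(rules, tp, reg_host)
    if index is None or rules[index]["action"] != "P":
        return index, False
    return index, host_in(client_host, rules[index]["ACCESS"])

FALLBACK = "P TP=* HOST=local,internal CANCEL=local,internal ACCESS=local,internal"
# Specific rule lists only the physical host name and IP, not the alias in use.
BROKEN = [parse_rule(l) for l in (
    "P TP=SLD_EXAMPLE HOST=sldhost,10.0.0.6 ACCESS=remoteapp,local,internal",
    FALLBACK)]
# Corrected rule also lists the alias the program actually registers under.
FIXED = [parse_rule(l) for l in (
    "P TP=SLD_EXAMPLE HOST=sldhost,10.0.0.6,sld-alias ACCESS=remoteapp,local,internal",
    FALLBACK)]

if __name__ == "__main__":
    for name, rules in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, client_allowed(rules, "SLD_EXAMPLE", "sld-alias", "remoteapp"))
```

With the alias missing, the program falls through to the generic last rule and the remote client is rejected by ACCESS=local,internal; with the alias listed, the specific rule binds and its ACCESS list applies.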


Re: Communications user password expires


Sorry, but that is wrong. Or at least an urban legend type of myth.

 

COMMUNICATION type users are obsolete and should not be used anymore. Also a SECPOL will not help to protect you against the user changing its own password or issuing a logon ticket to the wrong client.

 

Only SYSTEM type users should be used.

 

Cheers,

Julius

Re: Manage Authorization Object in BP T code


Hi Amit,

 

Any t-code that is added to menu will fetch the relevant objects from USOBX_C and USOBT_C tables. You can see those details from SU24. Please see below screen shot.

 

 

Please ensure that the check indicator and proposal values are maintained "yes" so that it will auto fetch to Authorization of role.

 

If not you can add those objects manually (Not always recommended).

 

Please take trace to find actual missing objects. Hope this helps.

Re: Denied message for ACCESS to registered program SLD


Hello Julius,

thanks for the recommendation for gw/reg_no_conn_info. Since I already read all the notes but could not make up my mind which value to set and finally was completely confused, I will set the value to 127.

Cheers

Michael

Re: Download bc_snc_adapter_101.zip

RHEL 6: Compilation of the SNC Adapter fails


Dear SAP Community,

 

We’re setting up MIT Kerberos for an SAP ABAP Server, so we can use the passwordless logon authentication. At the moment I’m hanging with the compilation of the SNC adapter.

 

  • We have the following environment:

    BW ABAP 7.4 SPS10
    SAP Kernel 742 / PL120
    MaxDB 7.9
    RHEL 6
    Microsoft AD

  • Used Documentation:

    http://www.realtech.com/wDeutsch/pdf/consulting/Whitepaper/SAP_Singe_Sign-On_und_Secure_Connections_via_SNC_Adapter_basierend_auf_KerberosV5_de.pdf
    Chapter: 3.5.1

  • ERROR:

    [root@wieltcg01 sncadapt]# pwd
    /Software/SNC/sncadapt

    [root@wieltcg01 sncadapt]# make
    ./build."`uname -s`" make do-all
    ./build.Linux: line 27: export: `do-all': not a valid identifier
    make: *** [all] Error 1

 

I don’t know what should be adapted and where the error could be.

 

I’d be very grateful for some help and advice!!

 

BR Manuel

Re: How do I configure RFCs for SNC communication?


Hello Lutz,

 

I didn't get an opportunity to look at your response immediately but, when I did, it helped a great deal!  For some reason, it never clicked for me that snc/identity/as is the name that the system presented itself as until I read through and tried to understand your example.

 

I've deleted all of my incorrectly defined entries in SNC0 and added entries based on each system's setting for snc/identity/as.  I then went to SM59 in our sandbox and changed the SNC partner name to the value of snc/identity/as for the system that the RFC was talking to and the connection and authorization tests started working! 

 

Now I have the tedious task of changing all of the RFCs to add the appropriate value for SNC partner and activate SNC, but that would have been true no matter how long it took to get this resolved.

 

The other thing I need to figure out is how to enable SNC for communication with non-SAP systems, though, I'll admit that I haven't really tried to find that on my own, yet.  (Would you happen to have any recommendations for that?  I could create a new message so you can get extra points if you want. )

 

Thanks!

 

Jeff

Re: SU01 - Authorize change only Validity date


Hello Hebbert,

 

Thank you for the feedback.

Then I think that I don't have an alternative to restrict this by authorization object, so I will prepare a new variant transaction ZSU01.


Best Regards


Anwar G




Re: CUA: Alternative to PRGN_COMPRESS_TIMES


Hello Bernhard,

 

Two questions:

 

  1. We can't actually implement SAP notes 1692243 & 1416149. Do we have to detach and reattach child system to CUA every time we have the issue?

  2. Is the implementation of note 1416149 a prerequisite or only manual activities of note 1416149 are prerequisites?

 

Thank you for your help.

 

Best regards,

Zobair

Re: Auto-Logout after 15 Minutes, but rdisp/gui_auto_logout is set to 0


Hi Christoph Bastian,

Is your problem solved? Is your problem that the GUI, when it is not operated for a long time, disconnects from the server?

Re: How do I configure RFCs for SNC communication?


Hi Jeff, thanks for your feedback and your points. I have no experience with non-SAP yet. But it is always quite similar in principle. You will need to give each communication partner a name (identity), create an SNC PSE with a key pair and export/import public keys. But you will have no STRUST and will need to do this using the sapgenpse command line. Including the PSE environment into the non-SAP solution will be very specific to each vendor's concepts.

But there are other people who are experienced. You should also check discussions here  SAP NetWeaver Application Server and there SAP Single Sign-On.

I would very much recommend to open a new thread when it comes to discussing details.

Regards,

Lutz

su01 - netweaver 7.4 indirect role assignments from composite are not blue


 

Hi Folks,

 

I notice in higher releases (greater than basis netweaver 7.1) that indirect role assignments in SU01 are not blue color?

The composite role seems to handle fine and new columns and icons are present denoting directs and indirects.

This is standard now?

Re: RHEL 6: Compilation of the SNC Adapter fails

RFC access denied with message: "ACCESS=localhost (127.0.0.1)"


Hi experts,

 

currently we have a reginfo in place without a specific rule for the program "LDAP_EUCE". Now I would expect that the default rule in the last position of the file will be applied (P TP=* HOST=local,internal CANCEL=local,internal ACCESS=local,internal) and therefore denies any access from a host which does not belong to the system. From the Gateway log we would have expected a denied message if a remote host from another SAP System tries to use this registered program via the local gateway.


Now we receive the message "reginfo denied Client:  P=LDAP_EUCE ACCESS=localhost (127.0.0.1)" but unfortunately only with "localhost" and not  any hint about the remote host which tried to use the local gateway. Has anybody an idea how we can find out which host tried to execute LDAP_EUCE?

Many thanks!

Michael

Maximum number of roles per user increased in new release?


Hello,

 

someone told me, without quoting a source, that the cap of 300 roles per user was removed in a certain SAP release.

 

Maybe I am blind, but I was not able to find this in any release change log.

 

Can someone confirm this and link me a source?

 

Cheers,

Peter


Re: Restrict access to rows in tables using S_TABU_LIN


Hello,

 

Just stepped into this post and note  24578 - SAP Query: Authorizations

confirms that S_TABU_LIN cannot be used for queries:

 

"...When a query is executed on an InfoSet with direct read accesses on a table or a table join, the system checks whether the executing user has read authorization for the corresponding tables (display authorization for object S_TABU_DIS/S_TABU_NAM). The line-based generic table authorization check (object S_TABU_LIN) cannot be used for queries...."

 

We're currently using query variants in the program, so the custom tcode that calls the query already sets a variant for the query where the organizational field attributes are greyed out. The problem is that we might need to create a new tcode for every organization. Have you faced a similar problem before? Any thoughts?

 

Thanks

Diego

Re: Maximum number of roles per user increased in new release?


If you look closer, you will see that was from April Fools' Day... :-)

 

Cheers,

Julius

Re: Maximum number of roles per user increased in new release?


It'll be interesting to see how many customers run into this issue

 

"This change does not require a data migration. If you have custom coding that relies on these tables, adjust your code"

 

Now there is one less system constraint to use as justification to clean up bad role build

Re: Maximum number of roles per user increased in new release?


Thank you all for your input.

 

I am not sure I like this change, though.

 

Cheers,

Peter
