SAP Knowledge Base Article - Public

3145739 - AskHR Error "Your User profile is not configured, contact your system administrator."

Symptom

The AskHR application displays one of the following errors when the AskHR tool or one of its features is opened:

  • Your User Profile is not configured, please contact system administrator.
  • Your User profile is not configured, contact your system administrator. 

    C4C
    java.lang.IllegalArgumentException: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.

"Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental."

Environment

  • SAP SuccessFactors HXM Suite
    • Employee Central Service Center AskHR

Reproducing the Issue

The error is displayed when opening AskHR itself or one of its functionalities.


Cause

There are several possible causes for this error message, such as:

  1. Missing RBP permissions.
  2. Information mismatch between SF and C4C.
  3. Username and Password expired in C4C.
  4. OAuth client application incorrectly configured in SF.
  5. Employee is not an EC user.
  6. For 401 errors, the cause may be an incorrect key stored in the "Bizx_Odata" destination in BTP.

Resolution

It is possible that an employee is affected by more than one cause.

  1. Missing AskHR User Mode Permissions: The following permissions must be granted to all employees so that they can access the AskHR application:
    • General User Permission > User Login.
    • Employee Data > Employment Details MSS > View Current.
    • Miscellaneous Permissions > Service Center Contact Information > View current.
    • Employee Central Effective Dated Entities > Job Information Actions and Company in "View Current".
    • You can restrict the granted permission to the user's own record so that the same data cannot be viewed for other employees.


  2. Information mismatch between SF and C4C: The following information needs to be exactly the same in SF and C4C: 
    • Person ID (needs to match with employee ID in C4C system)
    • First Name
    • Last Name
  3. Password expired in C4C: Passwords in C4C expire every 90 days by default, so it is important to follow ALL the steps below to make sure this is correct:
    • Reset the username and password:
      1. Reset the password of the technical user on C4C side.
      2. Log in to C4C with the same user and change the initial password.
      3. Set your own password of the technical user in C4C.
      4. Log in to C4C with the new password.
      5. Add the new username and password to the CloudForCustomer destination in BTP, as per screenshot below:

BTP -> Connectivity -> Destination -> CloudForCustomer

In C4C: 

  1. Go to the administrator's work center.
  2. General Settings
  3. Support and technical users
  4. Check the security policy session as shown in the attachment (below)

 You can set up the policy here at any time.

  4. OAuth client application incorrectly configured in SF: This cause usually applies when none of the employees are able to access AskHR. If that is the case, check the OAuth client application configuration in SF and check that it matches the AskHR Implementation Guide; the Step-by-Step blog can be used as well.

  5. The affected user is not an EC user: When a ticket is created in AskHR, a method retrieves the current login user's employment, job and company information, which is information for EC-based users. So far, non-EC users are not supported in AskHR.

     To confirm whether the user is an EC user, follow the steps below:

  1. Go to the Data Inspector
  2. Select 'Users Sys ID' as filter
  3. Select Equals in the middle box
  4. Type the username of the affected user in the third box and click "Show Data"
  5. Check the "Is EC Record" field: if it is 0, the user is not an EC user; if it is 1, the user is an EC user.

  6. For the C4C 401 error, the cause may be an incorrect password used for decryption, or the key store:

Because the configuration is "ClientCertificateAuthentication", the exception indicates that this typically happens when the password used for decryption is incorrect or the key store is corrupted.

To fix this error, follow the steps below:

1. Refresh the "Integration Tokens" in the BTP sub-account.
2. After the refresh process has completed, go back to SuccessFactors and go to "Manage OAuth2 Client Applications".
3. There will be a newly generated item with a new API key: "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
4. Copy this new API key and update it in the BTP sub-account destination "Bizx_Odata", in the fields "Client Key" and "assertionIssuer".
5. Issue should be fixed.
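
For cause 2 above (information mismatch between SF and C4C), the following added example, which is not part of the SAP article or of any SAP tooling, compares two CSV exports and reports why a Person ID, First Name or Last Name that looks identical on screen is not exactly the same. The CSV format, the column names `person_id`, `first_name` and `last_name`, and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
import unicodedata

FIELDS = ("person_id", "first_name", "last_name")  # hypothetical export column names

def explain(a, b):
    """Return None if a and b are identical, else the reason they differ."""
    if a == b:
        return None
    if a.strip() == b.strip():
        return "leading/trailing whitespace"
    if unicodedata.normalize("NFC", a) == unicodedata.normalize("NFC", b):
        return "Unicode normalization"
    if a.casefold() == b.casefold():
        return "letter case"
    return "different value"

def load(text):
    """Index CSV rows by person_id; the key is stripped only to pair rows up."""
    return {row["person_id"].strip(): row for row in csv.DictReader(io.StringIO(text))}

def compare(sf_csv, c4c_csv):
    """Return (person_id, field, reason) for every SF field not identical in C4C."""
    sf, c4c = load(sf_csv), load(c4c_csv)
    findings = []
    for pid in sorted(sf):
        if pid not in c4c:
            findings.append((pid, "person_id", "no matching employee ID in C4C"))
            continue
        for field in FIELDS:
            reason = explain(sf[pid][field], c4c[pid][field])
            if reason:
                findings.append((pid, field, reason))
    return findings

# Constructed sample data, not taken from any real system.
SF_SAMPLE = ("person_id,first_name,last_name\n"
             "1001,Zo\u00eb,Keller\n1002,Maria,De Luca\n"
             "1003,Tom,Baker\n1004,Ana,Silva\n")
C4C_SAMPLE = ("person_id,first_name,last_name\n"
              "1001,Zoe\u0308,Keller\n1002,Maria,de Luca\n"
              "1003 ,Tom,Baker\n")

if __name__ == "__main__":
    for pid, field, reason in compare(SF_SAMPLE, C4C_SAMPLE):
        print(f"{pid}: {field}: {reason}")
```
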

See Also

Implementation Sequence | SAP Help Portal - Employee Central Service Center (AskHR) Guide

ECSC Implementation Sequence

3129771 - SuccessFactors AskHR: User Mode Permission for Employees - Basic User Permissions for AskHR application

Keywords

permission, RBP, permissions, RBPs, employees, AskHR, ECSC, Employee Central, Services Center, Employee Central Services Center, Administrator, User, Your User profile is not configured, contact your system administrator, Employee Details, ASK HR, RBP, ECSC, Service Center, SF, C4C, Person ID, AskHR , KBA , LOD-SF-INT-AHR , Ask HR - Employee Central Service Center (ECSC) , LOD-SF-INT , Integrations , Problem

Product

SAP SuccessFactors HCM Suite all versions