SAP Knowledge Base Article - Preview

3670031 - HTTP 401 error from ICM for Principal Propagation authentication

Symptom

Post Principal Propagation setup between SCC and backend system, even though the connectivity is successfully working, HTTP 401 authentication error keeps on raising from dev_icm level 2 trace, similarly to below:


====
[Thr 139631666906880] <<- SapSSLGetPeerInfo(sssl_hdl=7efe7003cf80)==SAP_O_K
[Thr 139631666906880]     out: subject     = "CN=*.company1.corp, O=company1.corp, C=BR"
[Thr 139631666906880] xxx xxx xx xx:xx:xx:xxx 20xx
[Thr 139631666906880]     out: issuer      = "CN=CN=*.company1.corp, O=company1.corp, C=BR"
[Thr 139631666906880]     out: cert_len    = 1482
[Thr 139631666906880]     out: csuite_name = "TLS_XXXXX_RSA_WITH_AES_128_GCM_SHA256"
[Thr 139631666906880] HttpHandleCertificate: Client certificate received: with len=xxxx, subj="CN=*.company1.corp, O=company1.corp, C=BR", issuer="CN=*.company1.corp, O=company1.corp, C=BR", cipher="TLS_E
[Thr 139631666906880] HttpIsReverseProxyTrustworthy: intermediary is trusted
[Thr 139631666906880] HTTP request (raw) [136/931/1]:
[Thr 139631666906880]   GET /sap/opu/odata/......

[Thr 139631666906880] HTTP request [136/931/1] Accept trusted forwarded certificate (received via HTTPS with trusted certificate): subject="CN=PP-username@sap.company.corp", issuer="CN=server123.sap.company.corp, C=BR"

[Thr 139631666906880] HTTP response (raw) [136/931/1]:
[Thr 139631666906880]   HTTP/1.1 401 Unauthorized
[Thr 139631666906880]   set-cookie: sap-ssolist=xxxxxxxxxxxxxxxxxxxxx; path=/; SameSite=None; secure
[Thr 139631666906880]   set-cookie: sap-usercontext=sap-client=XXX; path=/; SameSite=None; secure
[Thr 139631666906880]   content-type: text/html; charset=utf-8
[Thr 139631666906880]   content-length: 6349
[Thr 139631666906880]   sap-system: XXX
[Thr 139631666906880]   www-authenticate: Basic realm="SAP NetWeaver Application Server [xxx/xxx]"
[Thr 139631666906880]   sap-server: true
[Thr 139631666906880]   sap-icm-log-dtrace: v=0,i=,r=xxxxxxxxxxxxxxxxxx,c=xxxxxxxxxxxxxxxxxxxxx,s=1
[Thr 139631666906880]   sap-perf-fesrec: 6275.000000
====

Note: Image/data in this KBA is from SAP internal systems, sample data, or demo systems, and any resemblance to real data is purely coincidental.


Read more...

Environment

  • SAP Cloud Connector(SCC) release independent;
  • SAP AS ABAP backend system;

Product

CONNECTOR FRAMEWORK all versions

Keywords

SAP cloud connector, CC, connector, cloud connector, SCC, principal propagation, PP, principal, propagation, email, e-mail, username, SAML, certificate, ISSUER, SUBJECT, HttpIsReverseProxyTrustworthy, HTTP 401, 401, Unauthorized, authentication, HttpHandleCertificate, SSL, SapSSLGetPeerInfo, HTTPS, CERTRULE, password, username,  , KBA , BC-MID-SCC , SAP Cloud Connector On-Demand/On-Premise Connectivity , BC-CST-IC , Internet Communication Manager , Problem

About this page

This is a preview of a SAP Knowledge Base Article. Click more to access the full version on SAP for Me (Login required).

Search for additional results

Visit SAP Support Portal's SAP Notes and KBA Search.