/support/notes/service/sap_logo.png){kind=logo}
SAP Knowledge Base Article - PublicSymptom
- When creating a tunnel connection to S/4HANA (ABAP) with basic authentication, the message "We couldn't connect to your S/4 HANA system. For more information, see our troubleshooting page." is shown.
- The HTTP request to /sap/bw/ina/GetServerInfo returns 401 (Unauthorized).
- Relevant ICF services under /sap/bw/ina are activated.
- The Cloud Connector virtual system is reachable.
NOTE: This KBA also applies to all ABAP systems, such as BW and BW/4HANA.
"Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental."
Environment
SAP Analytics Cloud 2026
Reproducing the Issue
- Log in to SAP Analytics Cloud;
- Try to create a tunnel connection to an S/4 HANA system with basic authentication;
- Attempt to save the connection, and it fails with the error: "We couldn't connect to your S/4 HANA system. For more information, see our troubleshooting page."
- From the HAR file, the call to /sap/bw/ina/GetServerInfo returns HTTP 401 (unauthorized error).
Cause
- The backend is configured to expect certificate-based (X.509) logon instead of Basic Authentication, causing Basic Authentication requests to be rejected (for example, ssl/client_cert set to require client certificates, or logon order prioritizes certificate-based logon).
- Or, Cloud Connector is configured to use certificate-based authentication.
Resolution
Data source changes:
- Adjust the Standard Logon Order in the ABAP system to ensure that Basic Authentication is prioritized as the first authentication method used by the backend: Standard Logon Order | SAP Help Portal
- In addition, verify the ICM SSL configuration to ensure that the system does not require client certificate authentication:
Steps to check:
- Go to transaction SMICM
- Navigate to Goto → Parameters → Display
- Check the parameter: ssl/client_cert
The value should not enforce client certificates:
0 = no client certificate required
1 or 2 = client certificate required (this would force certificate-based authentication)
If ssl/client_cert is set to 1 or 2, the backend will attempt certificate-based authentication even when Basic Authentication is used, which can cause this error.
Cloud Connector changes:
In Cloud Connector, our strong recommendation is to always define a distinct Virtual Host name that is different from the Internal Host name. This approach provides a more secure, robust, and maintainable configuration for the long term:
- Go to the SCC > Edit System Mapping > Change the Internal Host Name (the port 443 can be used in the virtual host, and then 44300 in the internal)
- Change “Host in Request Header” to Internal Host
- Set Principal Type to None - NOTE: don't try to enable the checkbox 'System Certificate for Logon'
- Enable the option “Check Internal Host”. Refer to the screenshot below:
After applying these changes, please go to SAP Analytics Cloud and create a new connection from scratch using the internal host and port.
See Also
- KBA 2569847 - Where can you find SAC user assistance (help) to use, configure, and operate it more effectively?
- KBA 2487011 - What information do I need to provide when opening a case for SAP Analytics Cloud?
- KBA 2511489 - Troubleshooting performance issues in SAP Analytics Cloud
- SAP Analytics Cloud Connection Guide
- SAP Analytics Cloud Get More Help and SAP Support
- Need More Help? Contact Support
Your feedback is important to help us improve our knowledge base.
Keywords
sac, live data connection, tunnel, s/4hana, cloud connector, 401, unauthorized, /sap/bw/ina/getserverinfo, basic authentication, client certificate, x.509, smicm, ssl/client_cert, ina service, logon order, ABAP system , KBA , LOD-ANA-LDC-HAN , SAC Live Data Connection HANA , Problem
/support/notes/service/twitter.svg)
/support/notes/service/youtube.svg)
/support/notes/service/linkedin.svg)
/support/notes/service/instagram2.svg)