
SAP Note

117395 - Authorization problems for file I/O on Microsoft Windows


Version   8     Validity: 18.08.2014 - active   Language   English

Header Data
Released On 18.08.2014 12:33:27
Release Status Released for Customer
Component BC-OP-NT Windows
Priority Recommendations / Additional Info
Category Help for error analysis

Symptom
Authorization problems occur for file I/O on network drives from the SAP system.

Typically, this kind of problem occurs following the successful setup of a central transport
directory. The SAP systems participating in the network are not members of the same Windows domain.
The participants in the transport network, to whom the modified transport directory is made known by
means of the DIR_TRANS parameter in the instance profile, are not able to access this directory
using transaction AL11. The system issues the following error message:

Wrong order of calls <- CALL opendir( ..)

Message no. S1204

For other aspects of this problem regarding the call of the TP or of an external program, see SAP
Note 48486. The causes of the SYSLOG messages (for example, TR010) and operating system error
messages (for example, OS error 1326) described in SAP Note 48486 can also be found in the problem
description depicted here.

However, in general, this problem can occur for any file access from the SAP system (for example,
for OPEN_DATASET on a network drive).

With other desktop tools such as File Manager and Explorer, there are no problems accessing this
network drive.

Other Terms
I/O, authorization, workgroup, domain, AL11, S1204

Reason and Prerequisites


Following an SAP system standard installation on Microsoft Windows, there are two different
operating system users on an SAP system server:

- The <SID>adm user used for the interactive logon
- The SAPService<SID> user used to start the SAP services

If the start of an SAP system instance is initiated by the user <SID>adm (for example, using the
"Start" button in SAP Service Manager), the SAP service "SAP<SID>_<instance_no>" receives a signal
to start the SAP system kernel. Because, like all other SAP services, the SAP service
"SAP<SID>_<instance_no>" is started with the user SAPService<SID>, the SAP system kernel runs in the
security context of this user, too.
In other words: Even if the interactive user <SID>adm apparently initiates the start of the SAP
system, the SAP system kernel accesses all resources with the authorizations of the user
SAPService<SID>.
In the case described above, the user on which the SAP system kernel is running is not authorized to
access the remote drive.

Solution
To solve the problem, we first need to distinguish between scenarios for the Windows domain
membership of the SAP system servers:

1. All involved SAP system instances are members of just one Windows domain.

In this case, the problem should not occur as long as the users mentioned above have been
implemented as domain users (recommended by SAP). If the SAP users have been created as local
users only, this limits their scope of validity to this local server only. You must proceed in
accordance with point 2).

            ______________________
          /                      \    Domain A
          |        o.k.          |
H O S T A   ---------------> H O S T B (shared resource)
          | domain user : ABCadm   |
          \______________________/

The domain user account is valid in the whole domain.

2. All involved SAP system instances are members of a Microsoft Windows workgroup or are
standalone servers.

In this case, the various operating system users are valid locally on the servers only; this
means that the conditions for the error described above are met. One possible way to avoid this
situation is to incorporate the servers into a domain and switch the local users for domain
users. However, because this can be associated with a lot of work (the startup users for each SAP
service must be changed), you must weigh up whether the following method might make more sense.
You can work around the disadvantage of local validity by creating the users that require access
to the remote resource with the same name and password on the target host (for example, on the
server with the central transport directory).

Workgroup or standalone server:


                 No Access
H O S T A  ------/-----> H O S T B (shared resource)
        user: A*
        pwd : ABC

                  Access
H O S T A  ------------> H O S T B (shared resource)
        user: A*               user: A
        pwd : ABC              pwd : ABC

* The SAP system uses the users <SID>adm and SAPService<SID>

3. The involved SAP system instances are members of multiple Windows domains.

If there is a trust relationship between the domains, the users of one domain can access the
resources of other domains. By default, a trust relationship is unidirectional, which means that
only users of one of the domains can access the resources of the other domain in the
relationship. However, you can set up a mutual trust relationship to enable access in both
directions.
Without a trust relationship, the conditions for the problem mentioned above are still met, since
the domain users are only valid locally in their own domain. However, the problem can again be
worked around by creating a second user with the same name and password without setting up a
generally applicable trust relationship.
Domain A                                  Domain B
_____                                _______
      \          No Trust          /
        |        Relationship      |
H O S T A ----------------> H O S T B (shared resource)
        |        No Access !       |
_____ /                            \ _______

Domain A                                  Domain B
   ____                                _______
        \          No Trust          /
        |       Relationship       |
H O S T A ----------------> H O S T B (shared resource)
        |          Access !        |
______ /                            \ _______
user: A*                            user: A
pwd : ABC                          pwd : ABC
* The SAP system uses the users <SID>adm and SAPService<SID>

Decide which method is most suitable for your situation.
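
The following PowerShell check is an added example and not part of the SAP Note. It lists the SAP services for one SID, shows the account each service runs as (the security context the SAP kernel uses for file I/O), and maps that account to the scenarios above. The SID `ABC` and the function name `Get-AccountScope` are assumptions made for illustration.

```powershell
# Added example, not from the SAP Note. 'ABC' is a placeholder SID.
param([string]$Sid = 'ABC')

function Get-AccountScope {
    # Hypothetical helper: classify a service logon name as BuiltIn, Local or Domain.
    param([string]$StartName, [string]$ComputerName, [bool]$PartOfDomain)
    if ($StartName -match '^(LocalSystem|NT (AUTHORITY|SERVICE)\\.+)$') { return 'BuiltIn' }
    if ($StartName -match '^[^@\\]+@.+$') { return 'Domain' }   # user@domain form
    $prefix, $user = $StartName -split '\\', 2
    if (-not $user -or $prefix -eq '.' -or $prefix -ieq $ComputerName) { return 'Local' }
    if ($PartOfDomain) { return 'Domain' }
    return 'Local'                                              # workgroup or standalone server
}

$hint = @{
    Local   = 'Valid on this host only: the target host needs an account with the same name and password (scenario 2)'
    Domain  = 'Valid in its own domain: another domain needs a trust relationship or a same-name account (scenario 3)'
    BuiltIn = 'Not the SAPService<SID> account described in this note: check the service logon setting'
}

$cs = Get-CimInstance -ClassName Win32_ComputerSystem

# Explorer and other desktop tools run as the interactive user, not as the service account,
# which is why they can reach the share while the SAP kernel cannot.
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
Write-Output "Interactive user : $me"
Write-Output "Host / domain    : $($cs.Name) / $($cs.Domain) (PartOfDomain = $($cs.PartOfDomain))"

# WQL: '_' is a single-character wildcard, so it is escaped as '[_]' to match SAP<SID>_<instance_no>.
Get-CimInstance -ClassName Win32_Service -Filter "Name LIKE 'SAP${Sid}[_]%'" |
    ForEach-Object {
        $scope = Get-AccountScope -StartName $_.StartName `
                                  -ComputerName $cs.Name `
                                  -PartOfDomain $cs.PartOfDomain
        [pscustomobject]@{
            Service = $_.Name
            State   = $_.State
            RunsAs  = $_.StartName
            Scope   = $scope
            Note    = $hint[$scope]
        }
    } | Format-List
```

Compare the `RunsAs` value with the accounts that hold permissions on the share and on the underlying directory of the target host; a successful test from Explorer only proves access for the interactive user.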

Other Attributes

Transaction codes AL11


FILE
HIER
Operating system WINDOWS

Validity
This document is not restricted to a software component or software component version

References
This document refers to:
SAP Notes
556734   FAQ Transport: Setup and further information
99155   DATASET_WRITE_ERROR/DATASET_CANT_OPEN on Windows

This document is referenced by:


SAP Notes (3)
99155   DATASET_WRITE_ERROR/DATASET_CANT_OPEN on Windows
1172252   CTS+, 'attach file': Troubleshooting Guide
556734   FAQ Transport: Setup and further information
