Attention! If you are an SAP administrator or user facing the annoying authorization error “No authorization to access via trusted system (L-RC=XXXXXX T-RC=X)”, you are in the right place. In this article, we will provide you with an effective solution to this problem that may be affecting the performance of your applications.
What does the Error “No authorization to access via a trusted system (L-RC=1002 T-RC=2)” mean?
When SAP applications are not working properly, you may encounter the error message “No authorization to access via a trusted system (L-RC=1002 T-RC=2)”. This message usually appears in the browser console or in the HTTP trace. But what does this message really mean and what is the underlying cause of this error?
Possible Causes of Error
The root cause of this problem is usually a lack of authorization. The error message “No authorization to access via a trusted system (L-RC=1002 T-RC=2)” indicates that the user trying to make the RFC call does not have the authorization object S_RFCACL in the back end system. It can also occur when the trust relationship between the systems is not configured correctly.
Resolving the Error “No authorization to access via a trusted system (L-RC=1002 T-RC=2)”
Fortunately, there is a solution to this problem that will allow you to recover the functionality of your applications. Follow these steps to resolve the error:
- Verify the user on the back end system: Make sure there is a user ID on the target system that matches the one on the source system. This user must have the authorization object S_RFCACL in the target system.
- Configure the trust relationship: Calls from the front end system must be trusted by the back end system. To check this, open transaction SMT1 on the back end system and verify that the front end system ID is registered in the “Systems whose calls are trusted” tab.
Best practices for maintaining the authorization object S_RFCACL
First of all, if you are a system administrator, we strongly recommend that you review whether establishing the trust relationship is really necessary. If it is, maintain only the specific values you need for the scenario in question (System ID, Client, User), and never leave the fields of this object set to ‘*’.
- RFC_SYSID :
- RFC_CLIENT:
- RFC_USER : ‘ ‘
- RFC_EQUSER: Y (for Yes)
- RFC_TCODE : ‘ ‘ (if the transaction flag is disabled in transaction SMT1)
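The rule above (no S_RFCACL field left at ‘*’, RFC_EQUSER set to Y) can be checked mechanically over an export of role authorization values. This is an added example, not code from the original article or from SAP; the CSV layout, role names, authorization names and system IDs are constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export: one row per (role, authorization, field, value).
# The column layout, role names and system IDs are assumptions for this example.
SAMPLE_EXPORT = """role,auth,field,value
Z_FIORI_TRUSTED,T-S1,RFC_SYSID,FES
Z_FIORI_TRUSTED,T-S1,RFC_CLIENT,100
Z_FIORI_TRUSTED,T-S1,RFC_USER,
Z_FIORI_TRUSTED,T-S1,RFC_EQUSER,Y
Z_FIORI_TRUSTED,T-S1,RFC_TCODE,
Z_LEGACY_RFC,T-S2,RFC_SYSID,*
Z_LEGACY_RFC,T-S2,RFC_CLIENT,*
Z_LEGACY_RFC,T-S2,RFC_USER,*
Z_LEGACY_RFC,T-S2,RFC_EQUSER,N
Z_LEGACY_RFC,T-S2,RFC_TCODE,*
Z_PARTIAL,T-S3,RFC_SYSID,FE*
Z_PARTIAL,T-S3,RFC_EQUSER,Y
"""

FIELDS = ("RFC_SYSID", "RFC_CLIENT", "RFC_USER", "RFC_EQUSER", "RFC_TCODE")
MUST_BE_SPECIFIC = ("RFC_SYSID", "RFC_CLIENT")

def audit_s_rfcacl(export_text):
    """Return {(role, auth): [findings]} for S_RFCACL values that are too broad."""
    auths = defaultdict(lambda: defaultdict(list))
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["field"] in FIELDS:
            auths[(row["role"], row["auth"])][row["field"]].append(row["value"].strip())
    report = {}
    for key, fields in sorted(auths.items()):
        findings = []
        for name in FIELDS:
            values = fields.get(name, [])
            wild = [v for v in values if "*" in v]
            if wild:
                findings.append(f"{name}: wildcard value {wild[0]!r}")
            elif name in MUST_BE_SPECIFIC and not any(values):
                findings.append(f"{name}: no specific value maintained")
        # The article lists RFC_EQUSER = Y; anything else is reported as a deviation.
        if fields.get("RFC_EQUSER") != ["Y"]:
            findings.append("RFC_EQUSER: not restricted to Y (same user)")
        if findings:
            report[key] = findings
    return report

if __name__ == "__main__":
    for (role, auth), findings in audit_s_rfcacl(SAMPLE_EXPORT).items():
        print(f"{role}/{auth}: " + "; ".join(findings))
```

Partial patterns such as ‘FE*’ are reported as well, since they still match more than one calling system.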
Profile SAP_ALL is missing object S_RFCACL
If the error message still appears even when the user has the SAP_ALL profile assigned, do not worry, this is normal. The authorization object S_RFCACL has been deliberately excluded from the SAP_ALL profile, due to its criticality.
All possible RFC error codes
Occasionally we may see a similar error, with the format (L-RC=X T-RC=X). In this case, we must interpret the error codes and analyze the problem based on the meaning of each code. Below you will find the meaning of each of these codes.
The possible return codes for the “trusted system” (T-RC) are:
| T-RC | Meaning |
|---|---|
| 0 | Successful login through the trusted system. |
| 1 | There is no trusted system entry for the source system “ |
| 2 | The user “ |
| 3 | The timestamp of the login data was invalid… |
The possible return codes for the “login procedure” (L-RC) are:
| L-RC | Name | Meaning |
|---|---|---|
| 0 | USER_OK | Login was successful |
| 1 | USER_NOT_ALLOWED | Incorrect username or password |
| 2 | USER_LOCKED | User locked |
| 3 | STOP_SESSION | Too many login attempts |
| 5 | BAD_BUFFER | Error in the authorization buffer |
| 6 | CUA_MASTER_RECORD | No external user verification |
| 7 | BAD_USER_TYPE | Invalid user type |
| 8 | USER_NOT_VALID | User validity period has passed |
| 9 | SNC_MAPPING_MISMATCH | The user does not correspond to the SNC name |
| 10 | SNC_REQUIRED | Secure connection required |
| 11 | SNC_NAME_NOT_IN_ACL | User not found in USRACL(EXT) |
| 12 | SNC_SYST_NOT_IN_ACL | System not found in USRACL(EXT) |
| 13 | SNC_MAPPING_NO_MATCH | No matching user found |
| 14 | SNC_MAPPING_AMBIGUOUS | Multiple user matches found |
| 20 | TICKET_LOGON_DISABLED | Login process disabled |
| 21 | TICKET_INVALID | Data received, no SSO ticket |
| 22 | TICKET_ISSUER_NOT_VERIFIED | Unverified digital signature |
| 23 | TICKET_ISSUER_NOT_TRUSTED | The ticket issuer is not trustworthy |
| 24 | TICKET_EXPIRED | Expired ticket |
| 25 | TICKET_WRONG_RECIPIENT | Wrong recipient |
| 26 | TICKET_WITH_EMPTY_USERID | The ticket contains an empty user ID |
| 30 | X509_LOGON_DISABLED | snc/extid_login_diag = 0 |
| 31 | X509_BASE64_INVALID | Certificate not base64-encoded |
| 32 | X509_INVALID_SERVER | X.509 not provided by ITS |
| 33 | X509_HTTPS_REQUIRED | Certificate not transferred via SSL |
| 34 | X509_MAPPING_NO_MATCH | No matching account |
| 35 | X509_MAPPING_AMBIGUOUS | Multiple matching accounts |
| 40 | EXTID_LOGON_DISABLED | snc/extid_login_diag = 0 |
| 41 | EXTID_MAPPING_NO_MATCH | No matching account |
| 42 | EXTID_MAPPING_AMBIGUOUS | Multiple matching accounts |
| 50 | PASSWORD_LOGON_DISABLED | login/disable_password_logon |
| 51 | PASSWORD_IDLE_INIT | login/password_max_idle_init |
| 52 | USER_HAS_NO_PASSWORD | USR02.CODVN = ‘X’ (flag) |
| 53 | PASSWORD_ATTEMPTS_LIMITED | Lock counter exceeded |
| 54 | PASSWORD_IDLE_PROD | login/password_max_idle_prod |
| 100 | CLIENT_NOT_EXIST | The client does not exist |
| 101 | CLIENT_LOCKED | Client locked |
| 200 | MULTIPLE_RFC_LOGON | login/disable_multi_rfc_login |
| 1002 | | Error logging into the trusted system (no authorization S_RFCACL) |
Conclusion
In summary, the error “No authorization to access via a trusted system (L-RC=1002 T-RC=2)” can be frustrating, but not insurmountable. Making sure that the right user has S_RFCACL authorization on the back end and setting up the trust relationship between the systems correctly are the key steps to solve this problem.