Skip to Content
Author's profile photo Matt Pollicove

Diagnosing “Access Denied. Service is Down” Messages from NetWeaver

At some point in the implantation process we’ve seen the message “Access Denied. Service is Down” When implementing, updating or even running SAP NW IDM.  This document will go into a few tips for troubleshooting this message. Hopefully adding a few funny quotes will also help set the mood.

In my experience with these issues I’ve found it’s good to check the following categories:

1. Network Infrastructure.

“I know engineers, they LOVE to change things.” – Dr. Leonard McCoy, Star Trek: The Motion Picture

First things first, check the firewall settings and make sure all of the relevant ports are open. I can’t tell you how many times I’ve had a project stymied because a network engineer did not recognize one of the IDM project’s ports and shut them down. Some initial ones to check:

Port TCP UDP Service
50×00 X Your SAP instance
1521/7 X Oracle Database


X X Oracle database listening for insecure client connections to the listener, replaces port 1521
2484 X X Oracle database listening for SSL client connections to the listener
1433 X Microsoft SQL Server Database (Server) aka Browser service, if running multiple instances, ports can also be assigned dynamically, so check with the DBA!
1434 X X Microsoft SQL Server Database (Monitoring)
389 X X Microsoft Active Directory /Enterprise LDAP Directory

Also double check DNS.  If you’ve set up a dedicated instance of NetWeaver for IDM to use, it’s possible that the system was not entered into local DNS and/or the firewall as well. These are fairly simple, yet surprisingly common things.

2. NetWeaver

“Aye sir, the more they overtech the plumbing, the easier it is to stop up the drain.” — Scotty, Star Trek III: The Search For Spock

Remember, the BASIS team are your friends.  Keep them in the loop and talk to them during your implementation / upgrade / ongoing operations. If new SCAs need to be deployed for WebDynpro or new EARs for REST or GRC, make sure they know about it and don’t be afraid to keep after them.  This might be the easiest “false positive;” you’re sure that you’ve told the BASIS team what needed to be done and what the deadlines were, but it’s YOUR project, so YOU follow up!

Also double check that NetWeaver and its database are up. This is critical when implementing or updating. More so if NetWeaver is undergoing maintenance.  Make sure you’re aware of the maintenance windows before screaming that the system is down.

3. JCBC Configuration in NetWeaver Administrator

Spock: We are traveling at warp speed. How did you manage to beam

  aboard this ship?

Kirk: You’re the genius. You figure it out.

-Star Trek (2009)

Finally, check with the BASIS team and make sure that the IDM installation was done correctly per this SAP Document. (Login Required)

There are three things to look at here:

1. Always make sure that the data source name is correct.  It should be: IDM_DataSource

2. Make sure you are using the correct database drivers. I’ve written an article about it here. and that you are using the correct database JARs.

3. Finally, When you look at the configuration in NetWeaver Administrator, you’ll notice a spot for database login credentials.  Note that these need to be for the PROV user (e.g., mxmc_prov) and the password is correct. I have seen issues, particularly on Oracle databases, where the password has been changed and the change in password is not updated in NetWeaver Administrator.  This turns into a classic example of “It was working yesterday and now it’s not working today”

When All else fails:

Spock: Consider the alternatives, Mr. Scott.

Scott: We have no fuel! What alternatives?

Spock: Mr. Scott, there are always alternatives.

-“Star Trek: The Galileo Seven

Kind of related to the previous section, but I wanted to be able to put in one more quote, and besides, it’s slightly different.

Make sure all services are running, the most important is the JMX service in NetWeaver (tc~idm~jmx~app) I have seen in the past when the NetWeaver server is rebooted that this one service does not start automatically.  Once it gets a manual “jump start” there are no further problems.

I’d even extend this a little bit further to double check database, security, and other services that might be relevant to how NetWeaver and IDM work in your environment.

I’m leaving this as an open document so that if anyone has further notes, observations or strategies they can add them.  If there are other things that need to be explored, please leave a comment.

And of course all quotes are (c) to their respective owners.

Useful port information –

Assigned Tags

      You must be Logged on to comment or reply to a post.
      Author's profile photo Billy Warring
      Billy Warring

      Heads up on the MS SQL port:

      143 TCP Internet Message Access Protocol (IMAP)—management of email messages

      The following is for MS SQL:

      1433 TCP MSSQL (Microsoft SQL Server database management system) Server Official
      1434 TCP UDP MSSQL (Microsoft SQL Server database management system) Monitor Official

      But this also does not account for M$ having set dynamic instance ports, so if you have firewalls to work with you will need the DBA to set a static port.

      I would also recommend TCP and UDP columns as that can also make or break things, while troubleshooting!  😀

      Author's profile photo Matt Pollicove
      Matt Pollicove
      Blog Post Author

      Whoops, that's a typo!  Thanks Billy, I will fix that right away and add in 1434.

      I don't even want to get into Dynamic ports since I'm not a DBA, but I suppose it should be mentioned. 🙂

      Author's profile photo Matt Pollicove
      Matt Pollicove
      Blog Post Author

      Billy, can you either edit or let me know what is TCP and UDP?



      Author's profile photo Billy Warring
      Billy Warring

      Not a problem, how does it look now; I also added some edits on the dynamic port for MS SQL and new ports for Oracle.

      Author's profile photo Matt Pollicove
      Matt Pollicove
      Blog Post Author

      Thank you, Billy!

      Author's profile photo Steffi Warnecke
      Steffi Warnecke

      Quotes from Star Trek... how could I resist?! *sigh*

      Thank you for this troubleshooting checklist, Matt! I have found, that #3 and #3 3/4 are most of the time the problems in our case.

      Especially because of reboots we tend to see the message pretty often, for the service doesn't start up automatically with our system and I have to push it every time. :/  Lazy thing!



      Author's profile photo Matt Pollicove
      Matt Pollicove
      Blog Post Author

      Steffi, I knew you would like that touch!   Seriously, glad you enjoyed it. Feel free to expand on it.


      Author's profile photo Pradeep Agarwal
      Pradeep Agarwal

      Awesome Document!! 🙂

      Author's profile photo Matt Pollicove
      Matt Pollicove
      Blog Post Author

      Thanks!  Rates and likes always appreciated!

      Author's profile photo Former Member
      Former Member

      thanks for sharing, matt!

      Author's profile photo Former Member
      Former Member

      On my case, the user MXMC_PROV was locked. After I unlock  the user at Database level everything is OK.