I am starting today a new blog series about how to use the logon trace created via SM50 to resolve logon-based issues. I will use the logon trace to analyze password issues, issues with SSO based on logon tickets and issues with SSO based on X.509 client certificates.
The basics is how to configure the SM50 logon trace. Probably you might know SAP note 495911, which tells about SM20 and SM50 logon traces, but sometimes the SM50 settings are not correctly used, making the trace unfriendly (more than the usual!) – looking for a needle in the haystack.
Enabling the trace
It is quite simple enabling the trace: the first step is execute transaction code SM50.
It might be worthy if you can truncate the trace files – so you can have only Security-related events recorded: access menu Administration -> Trace -> Reset -> Work Process Files:
Confirm the popup.
Now, to activate the logon trace, access menu Administration -> Trace -> Active Components:
For those that like a good keyboard shortcut: Ctrl+Shift+F7 do the trick!
Now write “2” as Trace level value, write “DIA” for the WpType and select only “Security” in the Components section. You probably will find “Taskhandler” and “VM Container” checked: uncheck both. As a result, you should see a screen like:
Finally, save the settings.
You will note that the SM50 screen changed, i.e. the color of the rows for DIA work processes is now yellow:
Important… As the system might have more than one application server, the setting must be performed in all of them. You can switch among the app servers via SM51, just double clicking on a specific instance name:
If you can isolate the issue to a specific app server, then you are already good to go.
Finally, you can reproduce the issue. All the information are recorded in dev_wXX trace files. These files can be viewed via transaction code ST11.
Disabling the trace
Assuming that you have reproduced the logon issue, collected the necessary trace files, now it is time to reset the settings in SM50.
Access menu Administration -> Trace -> Active Components and have the settings like this:
After you saved the settings, the SM50 screen is back to normal (no more yellow rows):
If you changed the settings in more than one application server, you need to perform the same steps in the affected app servers.
You have the trace you need in your hands. If you still see entries not related to security in the trace file, then you might want to split the information using a tool like this. Now it is time to analyze the traces and find the reason for the issue and the solution for it. I will present, in my next blogs, at least three examples where the SM50 logon trace is invaluable.
If your logon issue happens in background processing, then you need to select all the WpType. In this case, use F5 to select all the work processes before call the Active Components window – then leave the WpType input field blank.
Important SAP notes: