You can’t come in here…

Practical tip: How you can easily prevent your SAP users from being inadvertently locked out.

The profile parameter “icf/reject_expired_passwords” is intended to prevent SAP users from logging on via HTTP (i.e. through the ICF) with an expired password. So far, so good…

Unfortunately, SAP has changed the behaviour of this parameter between SAP releases.

Contrary to expectations, in current SAP 7.x systems the parameter set to value 1 blocks not only logon with an expired password but also logon with an initial password! This means that users cannot change their password when they log on for the first time. This is particularly relevant in web scenarios such as SRM (Supplier Relationship Management), where the browser logon is the user's way into the system.

SAP has since recognized that this needs to be corrected and has provided a corresponding patch:

Once the patch is applied, users can change their password when they log on for the first time.
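A quick way to find out whether a system is exposed to this behaviour is to determine the effective value of the parameter from the profile files and map it to the logon behaviour described above. The following Python script is an added example, not code from the original post or from SAP: it parses a constructed DEFAULT.PFL and instance profile (the instance profile overrides the default profile, and the kernel default of 0 applies if the parameter is set in neither), and the `kernel_patched` flag is an assumption standing in for the SAP correction the post refers to, whose note number is not given on the page. Confirm the value actually in effect in transaction RZ11 on each application server.

```python
"""Effective value of icf/reject_expired_passwords and its effect on HTTP logon.

Added example, not part of the original post. Profile contents are constructed.
"""
import re

PARAM = "icf/reject_expired_passwords"

# Constructed sample: DEFAULT.PFL leaves the parameter at 0, the instance
# profile of one application server switches it on. Instance profile wins.
DEFAULT_PROFILE = """\
# DEFAULT.PFL (constructed sample)
SAPSYSTEMNAME = PRD
login/password_expiration_time = 90
icf/reject_expired_passwords = 0
"""

INSTANCE_PROFILE = """\
# PRD_D00_apphost (constructed sample)
SAPSYSTEMNAME = PRD
INSTANCE_NAME = D00
icf/reject_expired_passwords = 1
"""

# One "name = value" pair per line; '#' starts a comment line.
LINE_RE = re.compile(r"^\s*([^#=\s][^=]*?)\s*=\s*(.*?)\s*$")


def parse_profile(text):
    """Return {parameter: value} for one profile file.
    A later line for the same parameter replaces an earlier one."""
    params = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m:
            params[m.group(1)] = m.group(2)
    return params


def effective_value(default_text, instance_text, name=PARAM):
    """Instance profile overrides DEFAULT.PFL; kernel default is 0 if unset."""
    merged = parse_profile(default_text)
    merged.update(parse_profile(instance_text))
    return merged.get(name, "0")


def assess(value, kernel_patched):
    """Map the parameter value to HTTP logon behaviour as described in the post.

    kernel_patched (assumption): True once the SAP correction the post refers
    to is applied; before that, value 1 also rejects initial passwords, so
    first-time users cannot reach the password-change dialog.
    """
    if value.strip() != "1":
        return {"expired_rejected": False, "initial_rejected": False}
    return {"expired_rejected": True, "initial_rejected": not kernel_patched}


if __name__ == "__main__":
    value = effective_value(DEFAULT_PROFILE, INSTANCE_PROFILE)
    print(f"{PARAM} = {value}")
    for patched in (False, True):
        print(f"kernel_patched={patched}: {assess(value, patched)}")
```

Run it as-is to see the difference between the unpatched and patched behaviour for value 1; in a real check, replace the two constructed strings with the contents of your own DEFAULT.PFL and instance profiles.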

Ralf Kempf
Technical Managing Director “SAST SOLUTIONS” at AKQUINET

Would you like further tips and recommendations on SAP Security & Compliance? Then take the opportunity to exchange ideas with us, for example in one of our webinars.