JCO_ERROR_LOGON_FAILURE System received an expired SSO ticket

Users receive Intermittent error "JCO_ERROR_LOGON_FAILURE: System received an expired SSO ticket on [system] mshost {message server or app server] 

Other errors in the log include com.sap.conn.jco.JCoException, RFC_SYS_EXCEPTION(3), error group: 103, key: RFC_ERROR_LOGON_FAILURE, key: RFC_ERROR_SYSTEM_FAILURE

Solution

The error message JCO_ERROR_LOGON_FAILURE: When a system receives an expired Single Sign-On (SSO) ticket, it means that the SAP Java Connector (JCo) was used to try a login to an SAP system. This is how you can fix the problem:

1. Verify SSO Configuration

Check that the Single Sign-On (SSO) configuration is correct between the systems:

• Ensure that the SSO tickets are being generated correctly by the issuing system (e.g., SAP Portal or other authentication services).
• Confirm that the receiving SAP system (the one reporting the error) is correctly configured to accept SSO tickets.

2. Check Ticket Expiration Time

The error might occur if the SSO ticket expires before being used. To troubleshoot this:

• Verify the validity period of the SSO ticket in the issuing system (e.g., SAP Enterprise Portal).
  • You can usually adjust the ticket expiration time in the system’s security settings, for example in the SAP NetWeaver or SAP AS Java configurations.
  • Check that the ticket expiration time is long enough to cover the entire process (issuance and validation).

3. Reissue a New SSO Ticket

In some cases, simply generating a new SSO ticket might resolve the issue:

• Clear browser cookies if accessing the system through a web interface. This can force the system to issue a new SSO ticket upon the next login attempt.
• Alternatively, use a different user session to generate a fresh SSO ticket and try again.

4. Synchronize System Clocks

SSO mechanisms are sensitive to time discrepancies between systems:

• Ensure that the system clocks on all servers involved (ticket issuer and the SAP system) are synchronized. Use Network Time Protocol (NTP) to maintain accurate time settings.
• A significant time difference between the systems might cause an otherwise valid SSO ticket to appear expired.

5. Check Logon Groups and SNC Settings

If you are using Secure Network Communications (SNC) in your SSO setup:

• Verify that the SNC configuration is correct, and the SNC library is functioning properly.
• Make sure that the logon groups used for the connection are correctly defined.

6. SAP JCo Configuration

Please check the following If you are using SAP JCo (Java Connector) to connect:

• Make sure that SAP JCo is correctly configured to use the SSO mechanism.
• Verify that the destination settings in JCo (e.g., jco.client.sso_ticket) point to the right values, and there are no session management issues.

7. Check System and Application Logs

Examine the SAP system logs (using transaction codes such as SM21, ST22, or SCC3) to learn more about the reasons behind the rejection or expiration marking of the SSO ticket. This may offer particulars regarding the unsuccessful logon attempt.

You should be able to fix the JCO_ERROR_LOGON_FAILURE issue associated with an expired SSO ticket by looking over these areas and taking care of any potential misconfigurations or expired tickets.