2021-11-26 2483210
2483210 - HTTP 500 error occurs when calling SAPGUI transactions - the call is stuck in the /sap/public/myssocntl service
Version: 18
Type: SAP Knowledge Base Article
Language: English
Master Language: English
Release Status: Released to Customer
Category: Problem
Component: BC-MID-ICF (Internet Communication Framework)
Released On: 06.04.2021
Please find the original document at https://launchpad.support.sap.com/#/notes/2483210
Symptom
When calling SAPGUI transactions that open the application in a browser window, an HTTP 500 error (or in
earlier releases, a blank page) is displayed in the browser. The application is not loaded, and the browser's
address bar does not show the expected application URL. Instead, the address bar shows a URL like
http(s)://<host>:<port>/sap/public/myssocntl?sap-client=<client>. This may give the end user the impression
that an "incorrect" URL is generated.
In the corresponding dev_icf* traces (visible in the transaction ST11), one of the below errors is logged:
<ErrorInfo URL="http(s)://<host>:<port>/sap/public/myssocntl">
<ErrorMessage>Ticket-Anmeldung fehlgeschlagen - siehe Trace (Hinweis 495911)</ErrorMessage>
or
<ErrorInfo URL="http(s)://<host>:<port>/sap/public/myssocntl">
<ErrorMessage>Es wurde kein Ticket per Header empfangen.</ErrorMessage>
or
<ErrorInfo URL="http(s)://<host>:<port>/sap/public/myssocntl">
<ErrorMessage>Message E00001 Cannot be processed in plugin mode HTTP(S)</ErrorMessage>
Affected transactions are for example: SOAMANAGER, NWBC, BRF+, SM_WORKCENTER,
SOLMAN_SETUP, DBACOCKPIT, etc.
Note: This current KBA is only relevant if:
1. The browser call fails in the service /sap/public/myssocntl
AND
2. The error returned is HTTP 500 Internal Server Error or a blank page without any error message. The
current KBA is only relevant if the call actually reaches the /sap/public/myssocntl service and it responds with
HTTP 500 or a blank page. If the call terminates with errors like "This page can't be displayed",
INET_E_RESOURCE_NOT_FOUND etc., that indicates that the request does not reach the ABAP system,
and the issue should be checked by the local network team.
AND
3. One of the above error messages is logged in the dev_icf* traces. For the error message "Message
E00001 Cannot be processed...", the decisive part is E 00 001, which shows the message type, class and
number. For other error messages like "Message E WEBDYNPRO_RT 023 cannot be processed...", this
KBA is not relevant - please check the KBA 2993748 for details.
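The relevance conditions above can be applied mechanically to a dev_icf* excerpt. The following is an added example, not part of the SAP KBA; the sample trace, host name and port are constructed, and it assumes each ErrorInfo line is directly followed by its ErrorMessage, as in the excerpts shown under Symptom.

```python
import re
from urllib.parse import urlsplit

# Ticket-related messages quoted in the trace excerpts of this KBA.
TICKET_ERRORS = ("Ticket-Anmeldung fehlgeschlagen",
                 "Es wurde kein Ticket per Header empfangen")
# Assumption: ErrorInfo is directly followed by its ErrorMessage, as in the excerpts.
ENTRY = re.compile(r'<ErrorInfo URL="([^"]+)">\s*<ErrorMessage>(.*?)</ErrorMessage>', re.S)
# "Message E00001 Cannot be processed" / "Message E WEBDYNPRO_RT 023 cannot be processed":
# message type, class and number, written with or without separating blanks.
PLUGIN_MSG = re.compile(r"Message\s+([A-Z])\s*(\S+?)\s*(\d{3})\s+cannot be processed", re.I)

def classify(trace_text):
    """Return one (service path, verdict) pair per ErrorInfo entry in a dev_icf* excerpt."""
    results = []
    for url, msg in ENTRY.findall(trace_text):
        path = urlsplit(url).path.rstrip("/").lower()
        plugin = PLUGIN_MSG.search(msg)
        if path != "/sap/public/myssocntl":
            verdict = "other service"        # condition 1 of the note is not met
        elif any(text in msg for text in TICKET_ERRORS):
            verdict = "KBA 2483210"
        elif plugin and (plugin[1].upper(), plugin[2], plugin[3]) == ("E", "00", "001"):
            verdict = "KBA 2483210"
        elif plugin:
            verdict = "KBA 2993748"          # different message class or number
        else:
            verdict = "unlisted message"
        results.append((path, verdict))
    return results

# Constructed sample trace; sapapp01.example.com:44300 is a placeholder.
SAMPLE = """
<ErrorInfo URL="https://sapapp01.example.com:44300/sap/public/myssocntl">
<ErrorMessage>Es wurde kein Ticket per Header empfangen.</ErrorMessage>
<ErrorInfo URL="https://sapapp01.example.com:44300/sap/public/myssocntl">
<ErrorMessage>Message E00001 Cannot be processed in plugin mode HTTP(S)</ErrorMessage>
<ErrorInfo URL="https://sapapp01.example.com:44300/sap/public/myssocntl">
<ErrorMessage>Message E WEBDYNPRO_RT 023 cannot be processed in plugin mode HTTPS</ErrorMessage>
<ErrorInfo URL="https://sapapp01.example.com:44300/sap/bc/webdynpro/sap/appl_soap_management">
<ErrorMessage>Ticket-Anmeldung fehlgeschlagen - siehe Trace (Hinweis 495911)</ErrorMessage>
"""

if __name__ == "__main__":
    for path, verdict in classify(SAMPLE):
        print(f"{verdict:18} {path}")
```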
Environment
• SAP NetWeaver
• SAP Web Application Server for SAP S/4HANA
Reproducing the Issue
Call the transactions SOAMANAGER, NWBC, SM_WORKCENTER, SOLMAN_SETUP, DBACOCKPIT, etc.
Cause
• The affected transactions call the /sap/public/myssocntl service, which will generate the MYSAPSSO2
cookie (logon ticket), based on the SSO header provided by the ABAP backend. The logon ticket is
then used to authenticate the application in the browser, so that the end user (who is already logged on
to the backend) does not have to provide logon details again in the browser. Normally, calling the
myssocntl service is not visible for the end user, because after creating the logon ticket, the service will
immediately forward the call to the application URL. The browser getting stuck in the myssocntl service
indicates that the creation of the logon ticket has failed.
• Note: When testing the service /sap/public/myssocntl itself from the transaction SICF, the HTTP 500
error (or a blank screen) is the normal and expected result. The same applies when copy-pasting the
URL http(s)://<host>:<port>/sap/public/myssocntl directly into a browser. In these cases, no SSO
header is provided, so the service is expected to respond with an HTTP 500 error.
Resolution
As a possible workaround, you can deactivate the ICF service /sap/public/myssocntl in the transaction SICF.
This can be done in the SICF tree structure, via Right Click / Deactivate Service. As a result, a logon screen
will be displayed in the browser, instead of the HTTP 500 error (or blank screen). After entering the logon
details, the application can be accessed. Note: While this workaround is valid for some applications, it may
not work if the application is only expected to work with SSO authentication.
Another possible workaround is calling the application URL directly in the browser, instead of using the
SAPGUI transaction. For example, add the below application paths to your http(s)://<host>:<port> value:
• SM_WORKCENTER - /sap/bc/webdynpro/sap/ags_workcenter or /sap/bc/ui2/flp (depending on
release)
• SOLMAN_SETUP - /sap/bc/webdynpro/sap/wd_sise_main_app
• USMM - /sap/bc/webdynpro/sap/law3_wd_slat_main
• SOAMANAGER - /sap/bc/webdynpro/sap/appl_soap_management
• BRF+ - /sap/bc/webdynpro/sap/fdt_wd_workbench
• LTMC - /sap/bc/webdynpro/sap/dmc_wda?WDCONFIGURATIONID=DMC_WDA_APP
• ESH_COCKPIT - /sap/bc/webdynpro/sap/esh_admin_ui_component
If the application URL is unknown, then it can be obtained from the HTTP header sap-mysapred provided in
the failing HTTP call.
To resolve the issue, go through the below checklist:
1. Are you getting a certificate error when the browser window is displayed?
• If No, proceed to the next point.
• If Yes, the certificate error ("There is a problem with this website's security certificate") needs to
be avoided. Certificate errors strip off the SSO header from the request, so the myssocntl service will
have no SSO data to work with. The most common root cause is that a self-signed certificate is used.
See the KBA 2339387 for details. As a workaround, you can use HTTP protocol instead of HTTPS -
the certificate error will probably not occur when using HTTP. See point 3. below.
2. What is the user type of the user that calls the transaction? This can be checked in the transaction SU01,
on the tab Logon Data. If it is a Service user, then test the behavior with a Dialog user. Also, check the value
of the parameter login/create_sso2_ticket as described in the SAP Note 2694092.
3. Is the scenario expected to use HTTPS protocol?
This is the case if at least one of the below points is true:
• The parameter login/ticket_only_by_https has the value 1. In this case, logon tickets will only
be sent via HTTPS protocol.
• In the SICF detail view of the relevant service, the radiobutton SSL is set on the tab Logon Data,
in the section Security Requirement. The relevant ICF service can be determined from the
application URL - for example, for the transaction SOAMANAGER, the application URL is
http(s)://<host>:<port>/sap/bc/webdynpro/sap/APPL_SOAP_MANAGEMENT, and the relevant
service is /sap/bc/webdynpro/sap/APPL_SOAP_MANAGEMENT. If you are not sure what the
application URL is, then temporarily deactivate the ICF service /sap/public/myssocntl, and call the
transaction again - then, the browser's address bar will show the application URL.
• The table HTTPURLLOC contains only entries with HTTPS protocol. See also point 6. below.
• If None of the above points is true, proceed to point 5.
• If Yes, make sure that you have a valid HTTPS service configured in the system. This can be checked
in the transaction SMICM, in the menu item Goto / Services. An HTTPS service must be configured
here with a valid port (other than 0), and the Active flag must be set for the service. For further
information about changing services in transaction SMICM, read the Online Documentation: Displaying
and Changing Services.
4. Are you using an SAP Web Dispatcher in the scenario?
• If No, proceed to the next point.
• If Yes, make sure that the Web Dispatcher does not terminate the HTTPS connection - check the
parameter wdisp/ssl_encrypt in the Web Dispatcher profile. Per default (parameter value 0), the Web
Dispatcher switches over from HTTPS to HTTP, and this will cause the above symptom, if the service
is configured to use HTTPS, or if there is no HTTP service configured in the system. Note: This
protocol switch will not be visible in the browser - the address bar will still show HTTPS protocol.
5. Do you have a valid HTTP service configured in the system? This can be checked in the transaction
SMICM, in the menu item Goto / Services. An HTTP service must be configured here with a valid server port
(other than 0), and the Active flag must be set for the service. Note: This point does not apply to systems
using an HTTPS only setup. For further information about changing services in transaction SMICM, read the
Online Documentation: Displaying and Changing Services.
6. Is the table HTTPURLLOC maintained in the system?
• If No, proceed to the next point.
• If Yes, make sure that the table HTTPURLLOC contains host and port entries that are valid in the
current system. Crosscheck the port numbers maintained in HTTPURLLOC with the port numbers in
SMICM / Goto / Services. Similarly, the host name in HTTPURLLOC must match the host name used
by the application server or the Web Dispatcher. Also, make sure that the protocol in the relevant
HTTPURLLOC entry matches the security requirement on the Logon Data tab of the relevant SICF
service (HTTP protocol for Standard requirement, and HTTPS protocol for SSL requirement). See this
Wiki article for details.
7. Are the ABAP and Kernel times in sync on your application servers? This can be checked with the report
RSDBTIME - the entries "Date and Time of R/3-Kernel" and "Date and Time of ABAP-Processor" must show
the same value. This is a prerequisite for a successful Logon Ticket validation.
8. Are you using a Fully Qualified Host Name (FQHN) to access your application? The host part of the URL
must contain an FQHN (hostname complete with domain), which can be successfully resolved in your
network environment. Access with IP addresses, or with host names without a domain will not work properly,
as the session cookies need valid domain information to work with. The application server must have a valid
FQHN, and also the table HTTPURLLOC (if used, see point 6.) must have entries with FQHNs. See the SAP
Notes 654982 and 773830 for details.
9. Does the transaction SSO2 show logon ticket related errors? To check this, execute the transaction SSO2
for the destination NONE, and check the output for any red lights. If there are errors reported, then check
your SSO configuration as explained in the SAP Note 701205.
10. Are you using the expected browser?
• In SAPGUI release 7.60 and lower, the expected browser for SSO enabled web transactions is MS
Internet Explorer. If the IE browser forwards the transaction call to another browser (typically Edge),
then the SSO process is disrupted and the above described error occurs. This call forwarding needs to
be prevented from browser side, for example with the Edge setting "Let Internet Explorer open sites in
Microsoft Edge" = "Never".
• Using the MS Edge browser for SSO enabled web transactions is supported as of SAPGUI release
7.70, in which the option is provided that the SAPGUI opens transactions in Edge instead of IE. See
the SAP Note 2913405 for details.
11. Does your UCON Allowlist / HTTP_WHITELIST configuration allow SSO redirects? When using SSO
enabled web transactions, the service /sap/public/myssocntl calls the application service with an HTTP
redirect. If this redirect is blocked by an allowlist check, then the above described HTTP 500 error will occur.
• When using the UCON Allowlist, check the context type Trusted Network Zone in the transaction
UCON_CHW. If this context type is in Active Check mode, and the attempted redirect is not allowed by
the allowlist (for example, the allowlist is empty), then the above error will occur. To fix this, either the
check can be deactivated by selecting the Logging mode, or the necessary allowlist entries can be
added.
• When using the table HTTP_WHITELIST, check for entries with the entry type 20 or 21. If such an
entry is present, then the check is active for logon / logoff redirects. If the attempted redirect is not
covered by any entry, then the above error will occur. To fix this, either the check can be deactivated
by deleting all HTTP_WHITELIST entries with the entry type 20 / 21, or further entries can be added to
allow the redirect.
If none of the above points help, then create a Customer Incident with the component BC-MID-ICF. In this
incident, include the answer to ALL the points above.
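Points 3, 5, 6 and 8 of the checklist all compare the same few values, so they can be checked together. The following is an added example, not part of the SAP KBA; the dictionary keys and the sample values are hypothetical stand-ins for what you read from HTTPURLLOC, SMICM / Goto / Services, the SICF Logon Data tab and the profile parameter login/ticket_only_by_https.

```python
import ipaddress

def is_fqhn(host):
    """Point 8: the host needs a domain part and must not be an IP address."""
    try:
        ipaddress.ip_address(host)
        return False
    except ValueError:
        return "." in host.strip(".")

def check_urlloc(entry, services, sicf_requirement, ticket_only_by_https):
    """Return the findings for one HTTPURLLOC entry (hypothetical dict layout).

    entry: {"protocol", "host", "port"}; services: SMICM services as
    {"protocol", "port", "active"}; sicf_requirement: "Standard" or "SSL".
    """
    findings = []
    proto = entry["protocol"].upper()
    # Points 3/5: the service must be active and have a port other than 0.
    usable_ports = {s["port"] for s in services
                    if s["protocol"].upper() == proto and s["active"] and s["port"] != 0}
    if entry["port"] not in usable_ports:
        findings.append(f"port {entry['port']} has no active {proto} service in SMICM")
    if not is_fqhn(entry["host"]):
        findings.append(f"host {entry['host']} is not a fully qualified host name")
    # Point 6: HTTP for the Standard requirement, HTTPS for the SSL requirement.
    expected = "HTTPS" if sicf_requirement == "SSL" else "HTTP"
    if proto != expected:
        findings.append(f"protocol {proto} does not match SICF requirement {sicf_requirement}")
    # Point 3: with login/ticket_only_by_https = 1, tickets are only sent via HTTPS.
    if ticket_only_by_https == 1 and proto != "HTTPS":
        findings.append("login/ticket_only_by_https = 1 but the entry uses HTTP")
    return findings

# Constructed sample: HTTPS is configured with port 0, so only HTTP is usable.
SERVICES = [
    {"protocol": "HTTP", "port": 8000, "active": True},
    {"protocol": "HTTPS", "port": 0, "active": True},
]

if __name__ == "__main__":
    bad = {"protocol": "HTTP", "host": "10.1.2.3", "port": 8000}
    for finding in check_urlloc(bad, SERVICES, "SSL", 1):
        print("FINDING:", finding)
```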
See Also
• KBA 2460180 - SSO failed in transaction NWBC, SOAMANAGER, SOLMAN_SETUP,
SM_WORKCENTER, DBACockpit etc.
• KBA 2704178 - The error HTTP 500 Redirect is not possible occurs in /sap/public/myssocntl or in
/sap/public/bc/icf/logoff
• KBA 2339387 - Warning There is a problem with this websites security certificate when accessing AS
ABAP via HTTPS URL
• SAP Note 2694092 - HTTP error 500 from myssocntl service
• SAP Note 654982 - URL requirements due to Internet standards
• SAP Note 773830 - FQHN determination in ICM
• SAP Note 701205 - Single Sign-On using SAP Logon Tickets
• SAP Note 2913405 - SAP GUI for Windows: Dependencies to browsers / browser controls
Keywords
ESH_COCKPIT, BRF+, SAP Web Dispatcher, HTTPS, Active, Inactive, HTTP, SICF, Service, Services,
500 SAP Internal Server Error, white screen, white page, Es wurde kein Ticket per Header empfangen.,
Ticket-Anmeldung fehlgeschlagen - siehe Trace (Hinweis 495911)
Products
SAP NetWeaver all versions
SAP Web Application Server for SAP S/4HANA all versions
Other Components
Component Description
BC-MID-ICF-LGN ICF System Login
This document refers to
SAP Note/KBA - Title
• 2993748 - Message cannot be processed in plugin mode HTTP(S)
• 2704178 - The error HTTP 500 "Redirect is not possible" occurs in /sap/public/myssocntl or in /sap/public/bc/icf/logoff
• 2460180 - SSO failed in transaction NWBC, SOAMANAGER, SOLMAN_SETUP, SM_WORKCENTER, DBACockpit etc.
• 2339387 - Warning "There is a problem with this website's security certificate" when accessing AS ABAP via HTTPS URL
• 773830 - FQHN determination in ICM
• 701205 - Single Sign-On using SAP Logon Tickets
• 654982 - URL requirements due to Internet standards
• 2913405 - SAP GUI for Windows: Dependencies to browsers / browser controls
• 2694092 - HTTP error 500 from myssocntl service
• Displaying and Changing Services
• How to maintain the table HTTPURLLOC?
• Blank browser screen is displayed, call is stuck in the myssocntl service
© 2021 SAP SE or an SAP affiliate company. All rights reserved