Troubleshooting Reference
Common issues and solutions for SAP BTP.
Source: https://github.com/SAP-docs/sap-btp-cloud-platform/tree/main/docs/60-security
Table of Contents
- Authentication Issues
- Authorization Issues
- Trust Configuration Issues
- Token Issues
- XSUAA Issues
- Cloud Foundry Issues
- Kyma Issues
- Connectivity Issues
- Service Instance Issues
Authentication Issues
Login Screen Shows "SAP HANA XS Advanced"
Cause: Application using wrong login endpoint
Solution:
- Check xs-app.json authentication configuration
- Verify XSUAA service binding
- Ensure correct UAA URL in environment
Identity Provider Could Not Process Authentication Request
Cause: Trust configuration mismatch
Solution:
- Verify trust configuration in subaccount
- Check IdP SAML/OIDC metadata is current
- Ensure certificates are not expired
- Verify assertion consumer service URL
Access Is Denied or Forbidden
Causes:
- Missing role assignments
- Incorrect scope configuration
- User not in required group
Solutions:
- Check user role collection assignments
- Verify application scopes in xs-security.json
- Check IdP group mappings
- Verify trust configuration
AuthnRequest Expired
Cause: Time synchronization issue between IdP and BTP
Solution:
- Sync IdP server time with NTP
- Check for clock skew > 5 minutes
- Verify SAML response timestamps
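One way to carry out the timestamp check above, as an added example that is not part of the SAP documentation: it reads the timestamps from a SAML response that has already been base64-decoded to XML and compares them with the time your side received it. The sample response and the `received_at` parameter are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
MAX_SKEW = timedelta(minutes=5)  # threshold named in this section

# Constructed sample response (not captured from a real tenant).
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Conditions NotBefore="2024-01-01T11:59:00Z"
                     NotOnOrAfter="2024-01-01T12:05:00Z"/>
  </saml:Assertion>
</samlp:Response>"""

def parse_ts(value):
    # SAML timestamps are UTC xs:dateTime values such as 2024-01-01T12:00:00Z.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_saml_times(xml_text, received_at):
    """Return findings for a decoded SAML response received at `received_at` (aware UTC)."""
    # Input is a response you captured yourself; use defusedxml for untrusted XML.
    root = ET.fromstring(xml_text)
    findings = []
    skew = received_at - parse_ts(root.attrib["IssueInstant"])
    if abs(skew) > MAX_SKEW:
        findings.append(
            f"IssueInstant differs from local clock by {int(skew.total_seconds())}s")
    for cond in root.iterfind(".//saml:Conditions", SAML_NS):
        not_before = cond.attrib.get("NotBefore")
        not_after = cond.attrib.get("NotOnOrAfter")
        if not_before and received_at < parse_ts(not_before):
            findings.append("assertion not yet valid (NotBefore is in the future)")
        if not_after and received_at >= parse_ts(not_after):
            findings.append("assertion expired (NotOnOrAfter has passed)")
    return findings

if __name__ == "__main__":
    late = datetime(2024, 1, 1, 12, 7, tzinfo=timezone.utc)
    for finding in check_saml_times(SAMPLE, late):
        print(finding)
```

A negative difference means the IdP clock is ahead of the receiving side; a positive one means it is behind or the response was delayed.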
Authorization Issues
Cannot Add Role Templates to Predefined Role Collections
Cause: Predefined role collections are immutable
Solution:
- Create custom role collection
- Add desired role templates
- Assign custom role collection to users
User Has Role But Still Gets 403
Causes:
- Scope not checked in application
- Cache not refreshed
- Wrong role collection assigned
Solutions:
- Verify application checks correct scope
- Clear browser cache, re-login
- Check role collection contains required roles
- Verify role template references correct scopes
Missing Administrator Access
Cause: No administrator assigned to account
Solutions:
- Contact SAP support if locked out
- Use emergency administrator in default IdP
- Check SAP ID Service access
Trust Configuration Issues
409 Error When Deleting Custom Identity Provider
Cause: Trust configuration still in use
Solution:
- Remove all user assignments from this IdP
- Delete shadow users from this IdP origin
- Then delete trust configuration
Subdomain Does Not Map to Valid Identity Zone
Cause: Invalid or non-existent subaccount subdomain
Solutions:
- Verify subdomain in subaccount settings
- Check UAA URL format
- Ensure subaccount exists and is active
IAS Application Reference Not Created
Cause: Identity Authentication tenant issue
Solutions:
- Verify Identity Authentication subscription
- Check trust configuration status
- Re-establish trust if needed
Trust Establishment Issues
Common causes:
- Expired certificates
- Incorrect metadata
- Network issues
Solutions:
- Re-download IdP metadata
- Update trust configuration
- Verify network connectivity to IdP
Token Issues
400 Error: OAuth Token Call Not Successful
Causes:
- Invalid client credentials
- Wrong token endpoint
- Expired client secret
Solutions:
- Verify client ID and secret
- Check token service URL
- Regenerate service key if needed
Token Retrieval Fails with 401
Causes:
- Invalid credentials
- Token expired
- Wrong authentication method
Solutions:
- Check client credentials in service binding
- Verify token not expired
- Use correct grant type
Invalid Redirect URI
Cause: Callback URL not registered in XSUAA
Solution:
- Add redirect URI to xs-security.json:
  {
    "oauth2-configuration": {
      "redirect-uris": [
        "https://myapp.cfapps.eu10.hana.ondemand.com/**"
      ]
    }
  }
- Update service instance
- Restage application
XSUAA Issues
No Client with Requested ID
Cause: Service instance not found or wrong client ID
Solutions:
- Verify XSUAA service instance exists
- Check VCAP_SERVICES for correct credentials
- Ensure binding is active
XSUAA Limits Exceeded
Limits:
- 100 role templates per application
- 100 scopes per application
- 50 attributes per application
Solution: Consolidate roles and scopes
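A pre-deployment check for the limits above and for the earlier advice to verify that role templates reference the correct scopes, as an added example that is not SAP tooling. The sample descriptor is constructed; only references starting with `$XSAPPNAME.` are checked, because other references (for example `uaa.user`) are defined outside the file.

```python
# Limits as listed in this section.
LIMITS = {"role-templates": 100, "scopes": 100, "attributes": 50}

# Constructed sample xs-security.json content (already parsed).
SAMPLE = {
    "xsappname": "myapp",
    "scopes": [{"name": "$XSAPPNAME.Display"}],
    "attributes": [{"name": "Country", "valueType": "string"}],
    "role-templates": [
        {"name": "Viewer",
         "scope-references": ["$XSAPPNAME.Display", "uaa.user"],
         "attribute-references": ["Region"]},
        {"name": "Editor",
         "scope-references": ["$XSAPPNAME.Display", "$XSAPPNAME.Edit"]},
    ],
}

def lint_xs_security(doc):
    """Return limit overruns and dangling references in a parsed xs-security.json."""
    problems = []
    for key, limit in LIMITS.items():
        count = len(doc.get(key, []))
        if count > limit:
            problems.append(f"{key}: {count} entries exceeds the limit of {limit}")
    scopes = {s["name"] for s in doc.get("scopes", [])}
    attrs = {a["name"] for a in doc.get("attributes", [])}
    for tpl in doc.get("role-templates", []):
        for ref in tpl.get("scope-references", []):
            # Only local scopes can be validated against this file.
            if ref.startswith("$XSAPPNAME.") and ref not in scopes:
                problems.append(
                    f"role template '{tpl['name']}' references undefined scope '{ref}'")
        for ref in tpl.get("attribute-references", []):
            name = ref["name"] if isinstance(ref, dict) else ref
            if name not in attrs:
                problems.append(
                    f"role template '{tpl['name']}' references undefined attribute '{name}'")
    return problems

def templates_granting(doc, scope):
    """List role templates that grant `scope`, for tracing a 403 back to a role."""
    return [t["name"] for t in doc.get("role-templates", [])
            if scope in t.get("scope-references", [])]

if __name__ == "__main__":
    for problem in lint_xs_security(SAMPLE):
        print(problem)
    print(templates_granting(SAMPLE, "$XSAPPNAME.Display"))
```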
Sharing Service Instance Issues
Solutions:
- Verify instance supports sharing
- Check cross-subaccount trust
- Use service instance sharing API
Cloud Foundry Issues
Application Won't Start
Common causes:
- Out of memory
- Port binding issues
- Missing dependencies
- Buildpack errors
Debugging:
# View logs
cf logs my-app --recent
# Check events
cf events my-app
# SSH for debugging
cf ssh my-app
Service Binding Failed
Causes:
- Service not available in space
- Quota exceeded
- Service broker error
Solutions:
- Check marketplace availability
- Verify quota assignments
- Check service broker status
Requested Route Does Not Exist
Causes:
- Route not mapped
- Application stopped
- Wrong domain
Solutions:
- Map route:
cf map-route my-app cfapps.eu10.hana.ondemand.com -n my-hostname
- Start application
- Verify domain is correct
Push Fails with Timeout
Solutions:
- Increase timeout:
cf push -t 180
- Check buildpack compatibility
- Reduce application size
- Check staging logs
Kyma Issues
Pod Not Starting
Debugging:
# Check pod status
kubectl describe pod <pod-name> -n <namespace>
# View events
kubectl get events -n <namespace> --sort-by='.lastTimestamp'
# Check logs
kubectl logs <pod-name> -n <namespace>
Common causes:
- Image pull errors
- Resource limits
- Configuration errors
Service Binding Not Working (BTP Operator)
Causes:
- BTP Operator module not installed
- Incorrect service instance name
- Namespace issues
Solutions:
- Verify BTP Operator module enabled
- Check ServiceInstance status
- Verify namespace labels
API Rule Not Working
Debugging:
kubectl get apirules -n <namespace>
kubectl describe apirule <name> -n <namespace>
Common causes:
- Wrong host configuration
- Authentication configuration issues
- Istio gateway issues
Connectivity Issues
Destination Not Found
Causes:
- Destination not created
- Wrong destination name
- Missing binding
Solutions:
- Create destination in subaccount
- Verify exact name match
- Bind destination service to app
Cloud Connector Not Connected
Causes:
- Network issues
- Certificate expired
- Configuration error
Solutions:
- Check Cloud Connector status
- Verify certificates
- Check firewall rules
- Review Cloud Connector logs
Principal Propagation Failing
Causes:
- Trust not configured
- Certificate mapping incorrect
- Backend system configuration
Solutions:
- Verify trust chain complete
- Check certificate subject mapping
- Configure backend for SSO
Service Instance Issues
Instance Creation Failed
Common causes:
- Quota exceeded
- Invalid parameters
- Service plan unavailable
Debugging:
# CF CLI
cf service my-service
# Check marketplace
cf marketplace -e <service>
Extension Service Instance Failed
For S/4HANA Extensibility:
- Verify system registration complete
- Check communication arrangement syntax
- Verify entitlements assigned
For SuccessFactors Extensibility:
- Verify system registration
- Check technical user credentials
- Verify SSO configuration if used
Debugging Commands
Cloud Foundry
# Application info
cf app my-app
cf env my-app
# Logs
cf logs my-app --recent
cf logs my-app
# Events
cf events my-app
# SSH
cf ssh my-app
cf ssh my-app -c "cat /proc/meminfo"
# Services
cf services
cf service my-service
Kyma/Kubernetes
# Pod debugging
kubectl get pods -n <ns>
kubectl describe pod <pod> -n <ns>
kubectl logs <pod> -n <ns>
kubectl exec -it <pod> -n <ns> -- /bin/sh
# Service debugging
kubectl get svc -n <ns>
kubectl describe svc <svc> -n <ns>
# Events
kubectl get events -n <ns> --sort-by='.lastTimestamp'
# Resource status
kubectl get all -n <ns>
Token Debugging
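# Decode JWT payload (base64url without padding, so convert and re-pad first)
p=$(echo "<token>" | cut -d. -f2 | tr '_-' '/+')
while [ $(( ${#p} % 4 )) -ne 0 ]; do p="$p="; done
echo "$p" | base64 -d | jq
# Test token endpoint
curl -X POST "https://<uaa-url>/oauth/token" \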
-H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=client_credentials" \
-u "client_id:client_secret"
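Decoding the payload is usually a step toward answering the questions raised under "Token Retrieval Fails with 401" and "User Has Role But Still Gets 403": is the token expired, and does it carry the scope the application checks? The following added example (not from the SAP documentation) answers both for a given token; the sample token and scope names are constructed, and the signature is not verified.

```python
import base64
import json
import time

def b64url_decode(segment):
    # JWT segments are base64url with the trailing '=' padding stripped; restore it.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def make_sample_token(claims):
    # Constructed sample for offline use: placeholder signature, not a real XSUAA token.
    enc = lambda obj: base64.urlsafe_b64encode(
        json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.constructed-signature"

def diagnose_token(token, required_scope, now=None):
    """Return findings that explain a likely 401/403. Decodes only, never verifies."""
    parts = token.split(".")
    if len(parts) != 3:
        return ["not a JWT: expected three dot-separated segments"]
    try:
        claims = json.loads(b64url_decode(parts[1]))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return ["payload is not valid base64url-encoded JSON"]
    if not isinstance(claims, dict):
        return ["payload is not a JSON object"]
    now = time.time() if now is None else now
    findings = []
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)):
        findings.append("no numeric 'exp' claim")
    elif exp <= now:
        findings.append(f"token expired {int(now - exp)}s ago (expect 401)")
    scopes = claims.get("scope", [])
    if isinstance(scopes, str):  # some issuers send a space-separated string
        scopes = scopes.split()
    if required_scope not in scopes:
        findings.append(
            f"scope '{required_scope}' not in token {sorted(scopes)} (expect 403)")
    return findings

if __name__ == "__main__":
    sample = make_sample_token(
        {"exp": 2000, "scope": ["openid", "myapp!t1.Display"]})
    print(diagnose_token(sample, "myapp!t1.Admin", now=2060))
```

Run it on a workstation you control: the decoded payload contains user identifiers and should not be pasted into tickets or shared logs.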
Related Documentation
- Security Troubleshooting: https://github.com/SAP-docs/sap-btp-cloud-platform/blob/main/docs/60-security/troubleshooting-for-sap-authorization-and-trust-management-service-c33d777.md
- Extensions Troubleshooting: https://github.com/SAP-docs/sap-btp-cloud-platform/blob/main/docs/40-extensions/troubleshooting-for-sap-s-4hana-cloud-extensibility-service-3725f59.md
- Getting Support: https://github.com/SAP-docs/sap-btp-cloud-platform/tree/main/docs/70-getting-support