| Return Code | Error Message |
| 0 | No error – successful logon |
| 1 | Incorrect logon data (client / user name / password) |
| 2 | User account is locked |
| 3 | Incorrect logon data; for SAPGUI: connection closed |
| 4 | (Successful) Logon using emergency user SAP* (see SAP Note 2383) |
| 5 | Error when constructing the user buffer (==> possible follow-on error) |
| 6 | User exists only in the central user administration (CUA) |
| 7 | Invalid user type |
| 8 | User account outside validity period |
| 9 | SNC name and specified user/client do not match |
| 10 | Logon requires SNC (Secure Network Communication) |
| 11 | No ABAP user with this SNC name exists in the system |
| 12 | ACL entry for SNC-secured server-server link is missing |
| 13 | No suitable SAP account found for the SNC name |
| 14 | Ambiguous assignment of SNC names to ABAP users |
| 15 | Unencrypted SAP GUI connection refused |
| 16 | Unencrypted RFC connection refused |
| 20 | Logon using logon/assertion ticket is generally deactivated |
| 21 | Syntax error in received logon/assertion ticket or reentrance ticket not valid |
| 22 | Digital signature check for logon/assertion ticket fails |
| 23 | Logon ticket/assertion issuer is not in the ACL table |
| 24 | Logon/assertion ticket is no longer valid |
| 25 | Assertion ticket receiver is not the addressed recipient |
| 26 | Logon/assertion ticket contains no/an empty ABAP user ID |
| 27 | Reauthorization check: ticket does not match current user |
| 28 | Ticket logon denied by security policy |
| 30 | Logon using X.509 certificate is generally deactivated |
| 31 | Syntax error in the received X.509 certificate |
| 32 | X.509 certificate does not originate from the Internet Transaction Server |
| 34 | No suitable ABAP user found for the X.509 certificate |
| 35 | Ambiguous assignment of X.509 certificate to ABAP users |
| 36 | Certificate is older than the date entered as “min. date” (USREXTID) |
| 41 | No suitable ABAP user found for the external ID |
| 42 | Ambiguous assignment of external ID to ABAP users |
| 50 | Password logon was generally deactivated or denied by security policy |
| 51 | Initial password has not been used for too long |
| 52 | User does not have a password |
| 53 | Password lock active (too many failed logons) |
| 54 | Productive password has not been used for too long |
| 60 | SPNego logon denied by security policy |
| 61 | Invalid SPNego token (syntax) |
| 62 | NTLM token received instead of SPNego token |
| 63 | Missing/incorrect Kerberos keytab entry |
| 64 | Invalid SPNego token (time) |
| 65 | SPNego replay attack detected |
| 66 | SPNego: Error when creating the SNC name |
| 67 | SPNego: No suitable SAP account found for the SNC name |
| 68 | SPNego: Ambiguous assignment of SNC names to ABAP users |
| 69 | Reauthentication check: SPNego token does not match current user |
| 100 | Client does not exist |
| 101 | Client is currently locked for logons |
| 102 | External WebSocket RFC communication is not allowed (RFC runtime) |
| 103 | External WebSocket RFC communication requires alias user (RFC runtime) |
| 104 | System is in maintenance mode and locked against logons |
| 110 | Tenant was stopped (runlevel STOPPED) |
| 111 | Tenant cannot be used generally (runlevel ADMIN) |
| 112 | No authorization to log on to the current logon category |
| 120 | Server does not allow logon |
| 121 | No special rights for logon on this server |
| 300-399 | OpenID Connect (OIDC) error; see SAP Note 3111813 |
| 1001 | Password is initial/has expired – interactive change required (RFC/ICF) |
| 1002 | Trusted system logon failed (no S_RFCACL authorization) |
| 3000 | Reauthorization check: SAML bearer assertion is not compatible with current user |
| 3001 | Internal SAML bearer assertion verification error |
| 3002 | SAML bearer assertion could not be parsed |
| 3003 | SAML bearer assertion was already used (replay) |
| 3004 | SAML bearer assertion could not be assigned to a user |
| 3005 | Issuer of SAML bearer assertion is not trusted |
| 3006 | NameID format of SAML bearer assertion is not supported |
| 3007 | Signature of SAML bearer assertion is not valid |
| 3008 | SAML bearer assertion is not valid or is no longer valid |
| 3009 | SAML is not activated or SAML bearer assertion provider is not activated |
Explanations for “access” (access types):
| Access Type | Description |
| A | Dialog logon (SAP GUI) |
| B | Background processing (batch) |
| C | CPIC |
| F | RFC (as of 4.6C: internal RFC) |
| R | RFC (as of 4.6C: external RFC) |
| I | RFC system call (internal SRFC) |
| S | RFC system call ([external]* SRFC) – *see SAP Note 2590963 |
| U | User switch (internal call) |
| H | HTTP |
| u | Restore session (ABAP class CL_USERINFO_DATA_BINDING) |
| " " | API call (such as SUSR_CHECK_LOGON_DATA) |
| M | SMTP authentication (MTA): Password check |
| P | ABAP push channel (APC)/WebSockets |
| E | Establishment of a shared memory area (internal call) |
| O | AutoABAP (internal call) |
| T | Server startup procedure (internal call) |
| V | SAP start service (internal call) |
| J | Java Virtual Machine (internal call) |
| W | BGRFC watchdog (internal call) |
| G | ABAP Resource Manager (internal call) |
| r | RFC via WebSockets (external) |
Explanations for “auth” (authentication types):
| Authentication Type | Description |
| P | Password-based authentication |
| T | Logon ticket |
| t | Assertion ticket |
| X | Certificate-based logon (X.509 / https) |
| S | SNC (Secure Network Communication) |
| R | Internal RFC or trusted system RFC |
| A | Internal call (via background processing, for example) |
| E | External authentication (PAS / SAML / …) |
| U | Inverse user switch (ABAP class CL_USER_POC) |
| s | HTTP security session |
| 2 | SAML2 |
| 1 | SAML1 |
| o | OAuth2 |
| N | SPNego |
| a | APC session (WebSockets) |
| B | SAML bearer |
| r | Reentrance ticket |
| D | OIDC logon |
| d | OIDC bearer |






