Setting up a trusted RFC connection

All in all it’s not that hard, but as with a lot of configurations and setups, you just have to know how to do it properly and it will cause fewer issues.
After you have set up a trust connection from AA1 to BB1, for example, you can access BB1 through AA1 without having to log in again, provided your username exists on both sides and you have sufficient authorizations.
In transaction SM59 you need to define an RFC connection towards the target system you want to enable as trusted in your source system.

For example:
On your source SAP system AA1 you want to set up a trusted RFC towards target system BB1. Once it is done, when you are logged on to AA1 and your user has enough authorization in BB1, you can use the RFC connection and log on to BB1 without having to re-enter user and password.

In transaction SM59 on AA1 define an R3 type RFC connection (connection type 3) towards BB1.
Maintain the ‘Technical Settings’ tab.

Next go to the ‘Logon & Security’ tab
Fill in details for logon



Choose the right option in ‘MDMP & Unicode’ (is your target Unicode, yes or no).



We assume BB1 is Unicode in this example, as that will be the case for most SAP systems with a recent release level.

Now you can first test this RFC connection to see if it works. If you run into problems, you need to fix them before continuing.
This can be done using ‘Utilities -> Connection Test’, ‘Utilities -> Authorization Test’ and ‘Utilities -> Unicode Test’.



Now that the R3 RFC connection is made, we can continue to the next step. Go to transaction SMT1 and click the create button.



Fill in the previously created RFC connection name and click OK.




Now click the Maintain Destination button



This will take you back into SM59 destination BB1CLNT100

Change the Trusted System option to yes in the ‘Logon & Security’ tab and click Yes.

Remove the user from the logon and select ‘Current User’.



Result in SM59 destination BB1CLNT100
Setting the trusted system to yes and so on can be done directly when creating the RFC connection in SM59, but maintaining the destination when creating the entry in SMT1 avoids more issues in my opinion (you already know up front that the connection itself works when you enter SMT1).

Save the RFC connection
Now you have a trusted RFC connection. With the current user flag checked, the RFC connection will use the user ID of the person who is logged on and wants to use the RFC connection. This is for security reasons: you should not fill in a user and password in a trusted RFC connection, as it can be abused by other users that way.
The necessary authorization to actually use this RFC connection has to be set in the target SAP system BB1, and of course in the client the RFC is pointing to (client 100 in this example). S_RFCACL is the authorization object which needs to be maintained in BB1 client 100 for the user IDs that have to be able to use the trusted RFC connection from AA1 to BB1 client 100.

The specifics for S_RFCACL depend on the SAP release version. An SAP note exists which has details on what should be set:
Note 128447 – Trusted/trusting systems (Login required to SAP Service portal!)

Once you have created your trusted RFC you should also see BB1 in transaction SMT1 on SAP system AA1 and AA1 in transaction SMT2 (trusting SAP systems) on SAP system BB1.
You can repeat the steps (switch AA1 and BB1) to configure a trusted RFC connection from BB1 to AA1 if wanted.

Error in establishing Trust Relation between two systems
If the error below occurs while configuring the trust relation between two systems:

SMT1– Authorization Check button
Error Details Error when opening an RFC connection (LB: Hostname or service of the message ser
SMT2–Authorization Check button
Error Details Error when opening an RFC connection (LB: Hostname or service of the message ser

All the other RFC destinations are successful, but the default RFC destinations:
TRUSTING@<sid>_<inst. no.>
TRUSTING@<sid>_<inst. no.> are failing with the error below:
Logon Connection Error
Error Details Error when opening an RFC connection (LB: Hostname or service of the message ser
Error Details ERROR: service ‘?’ unknown
Error Details LOCATION: SAP-Server xxxxxxxxxx_<sid>_<nr> on host xxxxxxxx (wp 1)
Error Details DETAIL: NiErrSet
Error Details COMPONENT: NI (network interface)
Error Details COUNTER: 4
Error Details MODULE:
Error Details LINE:
Error Details RETURN CODE: -3
Error Details SUBRC: 0
Error Details RELEASE: 720
Error Details TIME: Fri Jan 03 19:38:59 2014
Error Details VERSION: 40

To resolve this, maintain the entry sapms<SID> <port no.>/tcp in the source and target system for each other.
It is defined in the ‘services’ file, which on Windows is in the folder ‘C:\Windows\System32\drivers\etc’.
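A quick way to verify the sapms<SID> entries before retrying the check in SMT1/SMT2, as an added example that is not part of the original post. The file content is constructed, and the ports 3600 and 3601 are assumptions standing in for your real message server ports.

```python
# Added example: constructed services-file content, not taken from a real host.
SAMPLE_SERVICES = """\
# <service name>  <port>/<protocol>  [aliases...]  [# comment]
http        80/tcp    www
sapmsAA1    3600/tcp            # message server of AA1 (port is an assumption)
sapmsBB1    3601/udp            # wrong protocol: the entry must be /tcp
"""


def parse_services(text):
    """Parse services-file text into {service name: [(port, protocol), ...]}."""
    entries = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        fields = line.split()
        if len(fields) < 2 or "/" not in fields[1]:
            continue                             # not a service definition
        port, proto = fields[1].split("/", 1)
        if not port.isdigit():
            continue
        for name in [fields[0]] + fields[2:]:    # official name plus aliases
            entries.setdefault(name, []).append((int(port), proto.lower()))
    return entries


def check_message_servers(text, expected):
    """Return a list of problems for the sapms<SID> entries in `expected`.

    expected maps SID -> message server port, e.g. {"AA1": 3600}.
    """
    entries = parse_services(text)
    problems = []
    for sid, port in sorted(expected.items()):
        name = "sapms" + sid
        found = entries.get(name, [])
        if not found:
            problems.append(f"{name}: no entry")
        elif (port, "tcp") not in found:
            seen = ", ".join(f"{p}/{pr}" for p, pr in found)
            problems.append(f"{name}: expected {port}/tcp, found {seen}")
    return problems


if __name__ == "__main__":
    # Run the same check against the file on the source and on the target host.
    for problem in check_message_servers(SAMPLE_SERVICES, {"AA1": 3600, "BB1": 3601}):
        print(problem)
```

To check a real host, read its services file into a string and pass it in place of SAMPLE_SERVICES, with both SIDs in the expected mapping.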