If an ICF service issues the error HTTP 403, the most common root causes are:
- The affected ICF service, or one of its parent nodes is "Inactive" in the transaction SICF. This can be checked in the detail view of the service - next to the Service Name field, the service is either marked as "Active" or "Inactive". Make sure to check the parent nodes also (e.g. /sap/bc and /sap), including the top level node (usually default_host). If any of these nodes is "Inactive", then it can be activated from the SICF tree structure, using Right Click / Activate.
- An authentication error occurs. Normally, such errors cause HTTP 401 "Unauthorized" errors in the browser, but in some scenarios (e.g. failing SSO logon), an HTTP 403 error may be returned.
- The affected ICF service is trying to access some files on OS level, and this access is refused - possibly due to missing authorizations on OS level.
- The affected ICF service has SSL requirement (set on the SICF tab Logon Data) and it is accessed via plain HTTP protocol. Services with SSL requirement are expected to use HTTPS protocol. Connection via plain HTTP will be refused with a 403 Forbidden error.