Firstly, I don't understand why you are using an RFC/BAPI for authentication when there are inbuilt security features in SUP.
| • | LDAP Security Provider |
(Not applicable to Online Data Proxy) The LDAP security provider includes authentication, attribution, and authorization providers. Add an LDAP provider to a security configuration to authenticate administrator logins (on the "admin' security configuration on the "default" domain) or device user logins (any custom security configuration for that purpose).
| • | NTProxy Security Provider |
(Not applicable to Online Data Proxy) NTProxy — sometimes known as native Windows login — is an Unwired Server provider that integrates with existing Windows login security mechanisms. Add an LDAP provider to a security configuration to authenticate administrator logins (on the "admin" security configuration on the "default" domain) or device user logins (any custom security configuration for that purpose).
| • | SAP SSO Token Security Provider |
The SAPSSOTokenLoginModule has been deprecated and will be removed in a future release. Use HttpAuthenticationLoginModule for SAP SSO2 token authentication.
| • | Certificate Security Provider |
Use the Unwired Server CertificateAuthenticationLoginModule authentication provider to implement SSO with an SAP enterprise information system (EIS) with X.509 certificates.
| • | HTTP Authentication Security Provider |
Use HttpAuthenticationLoginModule provider to use Basic authentication to enable automatic application registration. This provider is required when registration is set to automatic. It can also be used to enable SSO into SAP servers in place of the deprecated SAPSSOTokenLoginModule.
Ref:
In the production system you need to use any of the above. After configuring this in SCC the MBO package has to deployed to the newly created security (instead of admin) hence you can authenticate against SAP server through tokens.
Finally, When you are giving wrong input to the RFC/BAPI the RFC fails to execute. That result in error in the SUP. What you can do is if the credentials re correct send a flag "1" else "0" hence you can manage this situation.