ADS and Windows Integrated Authentication

Former Member
0 Kudos

Dear All,

I have a question regarding Windows Integrated Authentication.

Is it possible to use Kerberos Authentication using UME where user data are stored and MS ADS only for authentication issues?

How should the users be mapped, as the userID in the Portal and the IDs in ADS are different?

What UME modification has to be done?

Is the Weblog "kerberos implementation with ADS made easy" the right information for that?

Thank you for help!

Regards,

Karol

Accepted Solutions (1)


Former Member
0 Kudos

Hi Karol,

Generally, from the implementations that I have worked on, the strategy is to use the traditional existing user management data source, which would be the MS-ADS, or the eDirectory, or the LDAP, etc... some customers are even heading in the direction of identity management which involves the synchronizing of the corp. datasource with the ABAP data source (through a schema change/proposal). In this case everything leverages the ADS.

The general idea is to have a unified user management datasource for all applications to leverage, so as not to have to worry about synching the data across systems. There are some great documents <a href="http://service.sap.com/security">on this SMP site</a>. Click on "Security in Detail" => "Secure User Access" => "Identity Management".

But that is really more of a strategy. If you head in the right direction in the first place - you can be on the right track for a strategy of a unified user data store.

This is why I said - the same ID's are assumed between the ADS and the portal... as the portal would use the ADS directly and not replicate them into the J2EE UME.

As for the email address for the user ID... I have not heard of this, but I bet that there is a way to map this information - but so complicated.

With what I can determine of your needs, I would have thought you would:

- use read-only (or read/write) ADS + DB

- use the same ID or userMapped for the backend

- if the same ID in the backend, do SSO with logon tickets

- use Kerberos to access the portal

- if you have a public "type" of scenario, you can configure a separate location in the ADS for self-reg or otherwise.

This would be the simplest way to integrate, but if you are using email ID's - I am at a loss...

Is there anyone else who can offer more info? Maybe someone that uses email addresses as IDs?

Note: I figure this will cause some problems if you have to use prefix-based mode with Kerberos - as the module calculates the ID based on the "/" and the "@" symbols in the KPN. Dunno what would happen with the @ symbol in the email address.

Sorry - I am all out.

Regards,

Judson
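To make Judson's note about the "/" and "@" symbols in the KPN concrete (and the Kerberos-then-form-based fallback discussed further down the thread), here is an added illustration; it is not SAP's SPNego module or any code from this thread. The ADS extract, portal accounts and the mapping via the ADS mail attribute are constructed assumptions.

```python
"""Illustration (not SAP code) of how a Kerberos principal name (KPN) is
reduced to a user ID in a prefix-based scheme, why e-mail style portal IDs
cannot come out of that reduction, and how an explicit attribute mapping
plus a form-based fallback covers users who are not in the ADS."""
import re

# Kerberos principal: primary[/instance]@REALM (exactly one '@' allowed).
KPN_RE = re.compile(r"^(?P<primary>[^/@]+)(?:/(?P<instance>[^@]+))?@(?P<realm>[^@]+)$")


def parse_kpn(kpn):
    """Split a KPN into primary, optional instance and realm."""
    m = KPN_RE.match(kpn)
    if not m:
        raise ValueError(f"not a well-formed KPN: {kpn!r}")
    return m.groupdict()


def prefix_based_id(kpn):
    """Prefix-based derivation as described in the thread: the user ID is
    whatever precedes the first '/' or '@'.  It is an account name, so it can
    never equal an e-mail address (which itself contains an '@')."""
    return parse_kpn(kpn)["primary"]


# Constructed ADS extract: account name -> mail attribute (assumption).
ADS_USERS = {
    "jdoe": "john.doe@example.com",
    "asmith": "anna.smith@example.com",
}
# Constructed portal UME accounts keyed by e-mail style user ID.
PORTAL_USERS = {
    "john.doe@example.com",
    "anna.smith@example.com",
    "guest.one@example.com",  # portal-only user, not present in ADS
}


def resolve_portal_user(kpn):
    """Return (portal_id, mechanism).  'kerberos' when the KPN's account maps
    through the ADS mail attribute to a portal account; otherwise (None,
    'form'), i.e. the user must fall back to form-based logon."""
    try:
        account = prefix_based_id(kpn)
    except ValueError:
        return None, "form"
    mail = ADS_USERS.get(account)
    if mail in PORTAL_USERS:
        return mail, "kerberos"
    return None, "form"
```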

Answers (2)


Former Member
0 Kudos

Hi Karol,

I am confused with your different IDs (ADS and J2EE??)...

Otherwise, it sounds very vanilla, where you have the ADS + J2EE-DB for the datasource and you use a fall-back configuration for the authentication (logon stack - "ticket") so that if Kerberos is not available (i.e. user is not in the ADS, only in the J2EE DB) then it will give them the form-based logon. Less the fall-back authentication mechanism - that is exactly what I recommended.

Beware that you may have to have different security settings in the IE browser to allow fallback to properly work. I have seen where it will allow fallback to the form-based but would not verify credentials even though they are legitimate.

Oh, and "yes" the "Kerberos Made Easy" is a great start at the configuration.

Sorry I could not be of more help,

Good luck!

Judson

Former Member
0 Kudos

Hi Judson,

Well, in the Portal we have user IDs different from those saved in ADS.

For the integration, are the same IDs in the systems assumed? As the user ID in the portal is the e-mail address, could that user ID be mapped to the e-mail address attribute from ADS?

Thanks for help!

Karol

Former Member
0 Kudos

Hi Karol,

There are two main areas here, one is the UME datasource and the other is the authentication mechanism.

If you have the portal using the ADS as the UME datasource you already have the same user ID and passwords. This is the case whether or not you have configured any special authentication or if you leave the default (which is form-based). The portal can be configured with an isolated UME datasource but if you are integrating with the corporate environments - it's usually one of them.

<a href="http://help.sap.com/saphelp_nw04/helpdata/en/7e/a2d475e5384335a2b1b2d80e1a3a20/frameset.htm">Here is a link to the documentation on UME and Data Sources</a>

Once you have that set up and you want to change the default form-based authentication mechanism - you can configure <a href="http://help.sap.com/saphelp_nw04/helpdata/en/43/4bd58c6c5e5f34e10000000a1553f6/frameset.htm">Single Sign-On for Kerberos</a>

There are some configuration steps and they are listed there.

Q: "Is it possible to use Kerberos Authenication using UME where user data are stored and MS ADS only for authentication issue?"

A: The ADS is for authentication and group/role assignment. If the users are stored in the ADS for authentication "only" where would the groups/roles be assigned? Normally, you would authenticate and assign groups/roles in the UME data source. You can assign users to roles directly but that can become an operational nightmare on a large-scale system.

Personalization and other portal related user-based data is stored in the J2EE database.

I hope that this helps,

Judson

Former Member
0 Kudos

Hi Judson,

Thanks for responding.

Actually we do not want to store user data of the Portal users in ADS. Not all users should be stored within ADS, and they are not stored. In the Portal and in ADS they have different user IDs, so some mapping has to be done.

The SSO should only be possible for users that have a user in ADS.

In the other case they should still use form-based authentication, after the authentication with Kerberos fails because of some kind of "user does not exist in ADS" error.

Thanks for help!

Karol