We have a need to synchronize our users' Windows passwords (AD) to our SAP systems (ECC 6.0, BW 3.5, and SCM 5.0). We do not use CUA and currently do not use a Portal and are not looking at doing SSO. We simply want to have one repository (AD) that will manage passwords for our Windows apps as well as our SAP systems. So far, we have not found a way to do this. SAP Note 603208 says this kind of synchronizing is not possible due to encryptions, among other things. However, we did find a white paper that stated the following:
"The Management Agents delivered with MIIS generally support password management: they can take a password from some source (either from a user password change from the Windows interface, or from a self-service web-based password reset interface) and can set the same password in the various connected systems. The Management Agent developed by Oxford is no exception. To change a password in an R/3 System the Susr_User_Change_Password_Rfc function can be used, but this is only possible if the old password is known and the SAP system allows the password change for this user. In cases where the old password is not known (for example the setting of an initial password) the password can be reset using the BAPI_User_change function." ~snip
Does anyone have any information on how we can achieve the password synchronization between Active Directory and ABAP-based SAP Systems?
I very much appreciate your time and help.
You can achieve this using "common authentication". Since Active Directory uses Kerberos, if you allow your SAP systems to support Kerberos authentication as well, then you will be able to logon to Windows workstation, and use the Kerberos credentials issued by Active Directory during this logon to log the user onto SAP.
This is common, and easy to achieve. You need to use the SNC capability which is provided in SAP GUI and also in SAP ABAP engine, and you also need a GSS-API library for both workstations and for the SAP servers that implements the Kerberos protocol. If your SAP server is running on Windows Servers then you can get this GSS-API library from SAP, but if (like many companies) you are running SAP ECC, BW, SCM etc. on UNIX or Linux servers then you need to license a third-party product which provides the GSS-API library etc. I represent a vendor (CyberSafe) that provides this exact product, but you can also find other vendors by looking on the SAP partner website, under the SNC certified products list. If you want to find out more about our product, please ask me offline by getting my email address from my business card.
I hope this helps. Of course, if there are any questions for me related to this which are appropriate for public viewing then please ask them via this forum instead of via email.
If we do not wish to implement SSO but the user needs to enter the AD credentials - ID and password in the SAP GUI Login Screen - even then we need to use a GSS-API library?
Does your reply above take care of the scenario wherein we do not implement SSO and the user enters ID and password (same as AD)?
Yes, you can implement AD authentication without SSO using SNC to secure the communication between SAP GUI and SAP ABAP. When the user logs on using SAP GUI, they will see a SignOn screen asking them to enter AD account and password; this account and password is then used to authenticate the user to the AD domain using the Kerberos protocol. The credentials from this authentication are then used to authenticate the user to SAP ABAP - no password sync is required and the user gets a non-SSO experience. Also, use of SNC means the session between SAP GUI and SAP ABAP is encrypted for added security.
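To make the server side of the SNC/Kerberos setup described above concrete, here is a constructed SAP instance profile fragment. It is an added illustration, not configuration posted by anyone in this thread or shipped by any vendor; the parameter names are standard SAP SNC profile parameters, while the library path and the SNC identity are placeholders whose exact format depends on the GSS-API library in use. It also shows the caveat a reviewer would raise: if logons without SNC remain accepted, the AD authentication path can be bypassed with an ordinary SAP password.

```ini
# Constructed example: SNC on an ABAP application server using a Kerberos
# GSS-API library (not from this thread; paths/names are placeholders).

# Activate SNC and point the kernel at the Kerberos GSS-API library
snc/enable = 1
# Placeholder path: use the library delivered by SAP (Windows) or by the
# licensed third-party product (UNIX/Linux)
snc/gssapi_lib = /usr/sap/SID/SYS/exe/run/libgssapi-placeholder.so
# Placeholder SNC name of this server; the required format depends on the
# GSS-API library (Kerberos principal of the SAP service account)
snc/identity/as = p:SAPServiceSID@EXAMPLE.COM

# Require privacy protection (encryption), not only integrity, on SNC
# sessions: 1 = authentication only, 2 = integrity, 3 = privacy
snc/data_protection/min = 3
snc/data_protection/max = 3
snc/data_protection/use = 3

# Weak setting (shown commented out): non-SNC SAP GUI and RFC logons are
# still accepted, so a logon with a plain SAP password works without AD,
# and that DIAG/RFC session is not encrypted.
# snc/accept_insecure_gui = 1
# snc/accept_insecure_rfc = 1

# Hardened setting: only SNC-protected connections are accepted. Apply
# after every client has the GSS-API library and each user's SNC name
# has been mapped on the SNC tab in SU01, or users will be locked out.
snc/accept_insecure_gui = 0
snc/accept_insecure_rfc = 0
snc/accept_insecure_cpic = 0
```

Profile changes take effect at the next instance restart, so stage the hardened values on a test system first and check that an SNC-less SAP GUI logon is in fact rejected before rolling them out.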
Hmmm... I am not aware that this is possible within the SAPGUI. You cannot add custom modules to the SAPGUI logon routines. You can only use the SNC interface to authenticate and any non-SAP code will be executed AFTER the authentication has taken place.
The user can easily hobble this. An easy example is to change your logon language and hit enter -> the license message appears before the exits are executed.
Is this a new feature available that SAPGUI logon can be configured that an LDAP bind returns a "sufficient" authentication?
What I described in my last post is possible using a third party SAP certified product, available from my company, and I was not suggesting that it could be implemented using custom modules to the SAP GUI logon routine. I am also not suggesting that LDAP is required, since LDAP is not supported in SAP GUI for user authentication.
@SALPG ADMIN - I hope you are clear now that the functionality you require is not standard functionality included in SAP GUI and requires a third party product, or requires you to find a way to sync passwords, but as others have mentioned many times on this forum, password sync is not easy and causes other issues, so should be avoided. It is better to consider a more secure way to authenticate users when they log on to SAP.