topic Re: SAP Using LDAP Authentication [really confusing] in Application Development and Automation Discussions

SAP Using LDAP Authentication [really confusing]

Former Member — Mon, 01 Mar 2010 02:31:16 GMT

Dear gurus,

I have a scenario that user in ABAP system should match those user in Active Directory (I don't know, maybe via mapping?)

That is, windows user logon to their terminal, and then login to SAP using SAP GUI. So, the basic idea is how to integrate SAP into active directory.

I've read the net, just to get some confusions.

The question I want to clarify is:

- In SAPINST, there's a menu regarding LDAP in "software life cycle". Must I installed that if I want to use LDAP authentication?

- Must I install SAP Enterprise Portal?

- Are Single Sign On and LDAP Authentication the same?

- Is there tutorial regarding this integration?

Thanks real much for your help.

Best Regards,

Re: SAP Using LDAP Authentication [really confusing]

Former Member — Mon, 01 Mar 2010 03:29:23 GMT

Hello Bobby

I think your idea is to deploy GUI SSO for AD domain users without typing ID/password to access SAP as long as they already log on their PC with AD domain ID.

If your SAP instances run on windows hosts, then it's much easier to make it happen by just a few steps: find necessary crypto library in SWDC and load it, define parameters to activate SNC for AS ABAP, configure SNC tag in SU01 and logon pad. Here's the help link: http://help.sap.com/saphelp_nw70ehp1/helpdata/en/0d/482bb8013243f1b6e2439091e3022f/content.htm

But if your SAP runs on UNIX type host, you'll have to customize and generate AD kerberos library and load it by parameter snc/gssapi_lib, and it's OS dependent.

Regards,

Effan

Re: SAP Using LDAP Authentication [really confusing]

tim_alsop — Mon, 01 Mar 2010 08:10:30 GMT


> The question I want to clarify is:
> - In SAPINST, there's a menu regarding LDAP in "software life cycle". Must I installed that if I want to use LDAP authentication?
No, this option is related to how the list of systems a user can logon to found in SAP logon is determined. It is not related to authentication of users.
> - Must I install SAP Enterprise Portal?
No, you can use SNC to support Active Directory authentication with SAP GUI
> - Are Single Sign On and LDAP Authentication the same?
No, LDAP is a protocol which is used to access an x.500 directory, and when using LDAP to authenticate, typically a password is required. The SAP GUI product does not support LDAP user authenticaiton.
> - Is there tutorial regarding this integration? 
It depends whether your SAP system is on UNIX or Windows. Check the response from Effan for default of Windows.
> 
> Thanks real much for your help.
> Best Regards,

Re: SAP Using LDAP Authentication [really confusing]

tim_alsop — Mon, 01 Mar 2010 08:13:15 GMT


> But if your SAP runs on UNIX type host, you'll have to customize and generate AD kerberos library and load it by parameter snc/gssapi_lib, and it's OS dependent.
Actually, if SAP is on UNIX or Linux, you still need an SNC library, but not available from SAP. The best place to find one is from a SAP partner. There are a few to choose from and they can be found by searching in http://ecohub.sdn.sap.com One example is at http://ecohub.sdn.sap.com/irj/ecohub/solutions/trustbrokersecureclient
> 
> Regards,
> Effan

Re: SAP Using LDAP Authentication [really confusing]

Former Member — Mon, 01 Mar 2010 14:18:34 GMT

Thanks for your tip, Tim.

Actually myself is looking to configure SNC for SAP on AS/400 host, still working on customizing the kerberos library on AD for AS/400...... Like you indicated, customized one not officially supported by SAP, for some reason we won't consider bringing other chargeable 3rd party security product.

Thanks,

Re: SAP Using LDAP Authentication [really confusing]

tim_alsop — Mon, 01 Mar 2010 14:23:34 GMT

Effan,

OS/400 is often supported via PASE environment, since a PASE environment can run native AIX libraries compiled on an RS/6000

If your company is not able to pay for software, they need to be aware of the consequences of "build your own" since this will mean if users cannot logon you will not be able to get support from anybody, and will need to ensure that the expertise is available within your company to fix any issues you may find when running in production. Also, perhaps your company is not aware of the costs of buying third party software to meet your needs, and is assuming it is expensive ?

Thanks,

Tim

Re: SAP Using LDAP Authentication [really confusing]

Former Member — Mon, 01 Mar 2010 18:08:48 GMT

Gurus, thanks for your answers.

I'm still reading the link you gave me earlier.

My principal wants that upon user logs on to Windows, user must type username and password in sapgui.

But the password should be exactly the same like in the active directory for that user.

Is it possible?

Thanks for your help.

Best Regards,

Re: SAP Using LDAP Authentication [really confusing]

tim_alsop — Mon, 01 Mar 2010 18:12:10 GMT

Bobby,

Yes, that is possible, but not using SNC library from SAP (for SAP GUI). The SNC library form SAP and many vendors is just offering SSO, so user is not prompted for password. One company that I know very well, has a feature in thier client software which does exactly what you ask for. It shows a signon screen for user and they enter their Active Directory account and password, and this is used to get Kerberos tickets from domain which are then used to log the user onto SAP. In this configuration, the Kerberos ticket isused during workstation initial login is ignored and not used.

Thanks,

Tim

Re: SAP Using LDAP Authentication [really confusing]

Former Member — Tue, 02 Mar 2010 03:48:12 GMT

Effan,

I'm still confused about the help you gave me.

Just what's the first step to do?

And I still don't get the concept behind it.

It means that when user logon using their AD account to Windows, then when user logon to SAP System, they will not be prompted any user/password?

And just how secure is that, for example, if user logout the SAP but not lock their PC?

And if it depends on the SAP GUI for SNC Name, user can't work from any other terminal except theirs?

Thanks for your help.

Best Regards,

Re: SAP Using LDAP Authentication [really confusing]

tim_alsop — Tue, 02 Mar 2010 07:57:17 GMT

Bobby,

I wanted to help you with some of your questions about 'concepts'

When a user logs onto a Windows domain using their AD account, the domain controller issues Kerberos tickets which are cached on the workstation. If you were to look into this cache you would see an initial ticket for the user who is logged on and this would have a principal name like user@DOMAIN (user = AD account name used to logon to windows, DOMAIN = upper case name of the AD domain they logged onto). In SAP SNC terminology, this principal name in the cache is referred to as the SNC name.

When a user logs onto SAP using SAP GUI with SNC, the SNC library will use the Kerberos tickets to authenticate the user to SAP, so the user does not need to re-authenticate. Yes, this means that if the user walks away from the computer somebody else can logon as the user - one of hte reasons why we added the feature mentioned earlier to our product, so that the AD authentication can be made to happen when user logs onto SAP, not using the credentials already available from initial workstaiton logon. Some customers prefer this, but some are happy with SSO and they set a policy to make sure that users don't leave their workstations unattended.

I hope this helps you with some of the questions about concepts etc.

Regards,

Tim

Re: SAP Using LDAP Authentication [really confusing]

Former Member — Tue, 02 Mar 2010 13:57:35 GMT

Please refer to Tim's reply for concept.

> Just what's the first step to do?

Start with those parameters mentioned in the online help I provided earlier.

> It means that when user logon using their AD account to Windows, then when user logon to SAP System, they will not be prompted any user/password?

Correct.

> And just how secure is that, for example, if user logout the SAP but not lock their PC?

This SSO is based on secured logon in trusted domain users, so users need to be educated by basic security concept.

> And if it depends on the SAP GUI for SNC Name, user can't work from any other terminal except theirs?

One of the parameters, snc/accept_insecure_gui, determines whether your SAP instance accepts insecure accesses which includes logging on terminals outside of company domain even though with valid ID/password. 0 is reject and 1 is accept.

Regards,

Effan

Re: SAP Using LDAP Authentication [really confusing]

tim_alsop — Tue, 02 Mar 2010 14:29:47 GMT


> Please refer to Tim's reply for concept.
> 
> > It means that when user logon using their AD account to Windows, then when user logon to SAP System, they will not be prompted any user/password? 
> Correct.
This is ONLY correct if you are using the SNC library provided by SAP. As I already mentioned, one of the partner products has a feature to allow user to be asked for AD account and password during login.
> 
> > And if it depends on the SAP GUI for SNC Name, user can't work from any other terminal except theirs?
> One of the parameters, snc/accept_insecure_gui, determines whether your SAP instance accepts insecure accesses which includes logging on terminals outside of company domain even though with valid ID/password. 0 is reject and 1 is accept.
This is a bit missleading. The snc/accept_inscure_gui only allows a user to logon if they have an SAP stored userid and password. If the user needs to logon using their AD account and password, and their SAP password is deactivated (it is good security to do this to avoid any back doors when SNC is used) then this parameter will not help. However, the feature I mentioned above in my other comment will help...
Also, I think the question was related to working from another terminal, not whether user can logon using SAP password or not. To be sure the possibilities are clear, I wanted to mention that if a user logs on to the domain from any worksation which is joined to the domain, then their domain credentials will be issued by AD during that logon and they can then be authenticated to SAP. There is nothing which ties a user to an actual workstation when using this approach.
> 
> Regards,
> Effan

Re: SAP Using LDAP Authentication [really confusing]

Former Member — Wed, 03 Mar 2010 02:25:42 GMT

Thanks gurus for the explanation.

I think I've grasp the sso concept then.

We're using kerberos. So I must download first the SNC library for that particular one, right?

Mr. Tim, if you don't mind, could you elaborate me about this partner product you mentioned to me earlier?

I think our principal will go for that one, as means of security.

Thanks for your help.

Best Regards,

Re: SAP Using LDAP Authentication [really confusing]

tim_alsop — Wed, 03 Mar 2010 08:10:25 GMT


> Thanks gurus for the explanation.
> I think I've grasp the sso concept then. 
Thats good to know, glad to be of assistance.
> 
> We're using kerberos. So I must download first the SNC library for that particular one, right?
You need an SNC library for SAP servers and also for workstations that implements Kerberos, and one that is SAP certified.
> 
> Mr. Tim, if you don't mind, could you elaborate me about this partner product you mentioned to me earlier?
If you contact the partner they will give you the help you need. There is a limit to what can be described in this forum regarding non-SAP products.
> I think our principal will go for that one, as means of security.
Sounds good.
> 
> Thanks for your help.
> Best Regards,

Re: SAP Using LDAP Authentication [really confusing]

Former Member — Wed, 03 Mar 2010 09:05:50 GMT

Sir, right now our server is not join domain.

Right now we're starting SAP as local user administrator.

According to SAP HELP:

snc/identity/as = p:SAPService<SID>@<KERBEROS_REALM_NAME>

where <KERBEROS_REALM_NAME> is the Kerberos realm that the SAPService<SID> user belongs to.

Should we create this user: SAPService<SID> in the domain?

And with administrator right?

Thanks for your help.

Best Regards,

Re: SAP Using LDAP Authentication [really confusing]

tim_alsop — Wed, 03 Mar 2010 09:10:24 GMT

Hi,

There is no Kebreors realm if the server is not joined to a domain.

The SAP SNC library for Windows does not work if the server is not joined to the domain. If you prefer not to join the Windows server to the domain, then you can consider the SNC library from a SAP partner that supports SAP on Windows instead.

Thanks,

Tim

Re: SAP Using LDAP Authentication [really confusing]

Former Member — Wed, 03 Mar 2010 09:43:24 GMT

Mr. Tim,

At the beginning of SAP installation, we choose that server is not join domain.

Now we want to join the server in the domain.

Is it possible?

I mean, the user and group is not created in the corresponding domain.

I see in notes that it is only possible by system copy.

Can't I just create SAPService<SID> user in the domain?

Thanks for your help.

Best Regards,

Re: SAP Using LDAP Authentication [really confusing]

tim_alsop — Wed, 03 Mar 2010 09:47:24 GMT

Hi,

If you are using the SAP SNC library on Windows server, the server MUST be joined to the domain. This is because this SNC library uses the Kerberos functionality included in Windows operating system, which will not function unless Windows operating system is a domain member.

If you do not want to go through the hard work to change Windows to be a domain member, e.g. system copy, then your only option is to use the SAP SNC products from the SAP partner that I mentioned earlier.

Thanks,

Tim

Re: SAP Using LDAP Authentication [really confusing]

Former Member — Wed, 03 Mar 2010 09:54:54 GMT

So, it can't be achieved by simply add SAP user with global admin right in the domain we want to join?

Best Regards,

Re: SAP Using LDAP Authentication [really confusing]

tim_alsop — Wed, 03 Mar 2010 09:56:41 GMT

No, because Windows does not know how to communicate with the domain unless it is a domain member.