https://community.sap.com/t5/technology-q-a/microsoft-active-directory-integration/qaa-p/11120739#M4099412 <HTML><HEAD></HEAD><BODY><P>I am not aware of any way you can sync users and passwords between AD and a SAP ABAP System. However, you can sync the user data (e.g. job title, email address) using the LDAP connector.</P></BODY></HTML> Mon, 08 Jun 2015 11:55:09 GMT tim_alsop 2015-06-08T11:55:09Z https://community.sap.com/t5/technology-q-a/microsoft-active-directory-integration/qaq-p/11120733 <HTML><HEAD></HEAD><BODY><P><BR />Hi experts</P><P>We have two issue for our customer:</P><P></P><P>1-Integration of SAP User Administration into Microsoft Active Directory: Our customer wants to <SPAN class="hps">synchronize</SPAN> their SAP users and passwords with Microsoft Active Directory but they dont want to use Single Sign-on.</P><P></P><P>2-Creating and Synchronize Users in Active Directory from Employee Data Stored in SAP HR</P><P></P><P>We found two document related with this issue but their version is very old. Is there any new version of this document or we have to use different technology (for example Netweaver Identity Management)?</P><P></P><P>Related links are:</P><P></P><P><A __default_attr="3434" __jive_macro_name="document" class="jive_macro_document jive_macro" data-orig-content="Integration of SAP Central User Administration into Microsoft Active Directory" href="https://community.sap.com/" modifiedtitle="true" title="Integration of SAP Central User Administration into Microsoft Active Directory"></A></P><P><A __default_attr="3431" __jive_macro_name="document" class="jive_macro_document jive_macro" data-orig-content="Creating Users in Active Directory from Employee Data Stored in SAP HR.pdf" href="https://community.sap.com/" modifiedtitle="true" title="Creating Users in Active Directory from Employee Data Stored in SAP HR.pdf"></A></P><P></P><P>Best Regards....</P></BODY></HTML> Sat, 06 Jun 2015 22:44:44 GMT https://community.sap.com/t5/technology-q-a/microsoft-active-directory-integration/qaq-p/11120733 former_member397702 2015-06-06T22:44:44Z https://community.sap.com/t5/technology-q-a/microsoft-active-directory-integration/qaa-p/11120734#M4099407 <HTML><HEAD></HEAD><BODY><P>Hello Hande,</P><P></P><P>Well you reference old documents, but you don't mention what version of IDM is to be used.&nbsp; If it's 7.2, then the documents should be fairly relevant, but you might need to make a few tweaks.&nbsp; If it's version 8, then it's anybody's game.&nbsp; Documentation is coming at a slow, but steady pace.&nbsp; Your best bet in that case is to do your research and ask questions here.</P><P></P><P>Password management is pretty much the same.&nbsp; I'd suggest looking at <A __default_attr="17112" __jive_macro_name="document" class="jive_macro_document jive_macro" data-orig-content="SAP NetWeaver Identity Management Password Hook Configuration Guide" href="https://community.sap.com/"></A> and <A __default_attr="17111" __jive_macro_name="document" class="jive_macro_document jive_macro" data-orig-content="SAP NetWeaver Identity Management Identity Center Implementation Guide - Self-Service Password Reset" href="https://community.sap.com/" modifiedtitle="true" title="SAP NetWeaver Identity Management Identity Center Implementation Guide - Self-Service Password Reset "></A>for the best information.</P><P></P><P>Finally, from a consulting point of view, I would want to understand why they don't want to use SSO (Several excellent reasons exist, but it's good to understand) SSO in some way, shape, or form should be a part of any long range Identity and Access Management plan.</P><P></P><P>Hope this helps!</P><P></P><P>Cheers,</P><P>Matt</P></BODY></HTML> Sun, 07 Jun 2015 01:49:55 GMT https://community.sap.com/t5/technology-q-a/microsoft-active-directory-integration/qaa-p/11120734#M4099407 former_member2987 2015-06-07T01:49:55Z https://community.sap.com/t5/technology-q-a/microsoft-active-directory-integration/qaa-p/11120735#M4099408 <HTML><HEAD></HEAD><BODY><P>Regarding 1. You can use an authentication product so that when a user logs onto the SAP system the SAP system (via the authentication product) is able to check the users password against Active Directory. This is much more secure than using the password hook to synchronise passwords between systems. If you want to you can configure some users to get SSO, whilst others are required to enter their Active Directory password each time they logon. Or you might want all users to enter AD credentials.</P><P></P><P>Thanks</P><P>Tim</P></BODY></HTML> Sun, 07 Jun 2015 06:16:38 GMT https://community.sap.com/t5/technology-q-a/microsoft-active-directory-integration/qaa-p/11120735#M4099408 tim_alsop 2015-06-07T06:16:38Z https://community.sap.com/t5/technology-q-a/microsoft-active-directory-integration/qaa-p/11120736#M4099409 <HTML><HEAD></HEAD><BODY><P>Hi Matt</P><P>Thanks for your reply.</P><P>Netweaver IDentity Management is not used. We are trying to integrate AD an ERP directly.</P><P>They don't want to use SSO because most of users use same terminal server or pc.</P><P>Best Regards...</P><P>Hande</P></BODY></HTML> Mon, 08 Jun 2015 07:47:46 GMT https://community.sap.com/t5/technology-q-a/microsoft-active-directory-integration/qaa-p/11120736#M4099409 former_member397702 2015-06-08T07:47:46Z https://community.sap.com/t5/technology-q-a/microsoft-active-directory-integration/qaa-p/11120737#M4099410 <HTML><HEAD></HEAD><BODY><P>To solve this you need to use a product that can authenticate users on shared workstations using AD credentials. See my answer left on Jun 7th.</P><P></P><P>Thanks</P><P>Tim</P></BODY></HTML> Mon, 08 Jun 2015 07:56:11 GMT https://community.sap.com/t5/technology-q-a/microsoft-active-directory-integration/qaa-p/11120737#M4099410 tim_alsop 2015-06-08T07:56:11Z https://community.sap.com/t5/technology-q-a/microsoft-active-directory-integration/qaa-p/11120738#M4099411 <HTML><HEAD></HEAD><BODY><P>Hi Tim</P><P>Many thanks for your reply. But i want to know is there any way to <SPAN class="hps">synchronize users, passwords and <SPAN class="hps">synchronize personel data </SPAN>without using any product.</SPAN></P><P><SPAN class="hps">Best Regards...</SPAN></P><P><SPAN class="hps">Hande </SPAN></P></BODY></HTML> Mon, 08 Jun 2015 10:33:07 GMT https://community.sap.com/t5/technology-q-a/microsoft-active-directory-integration/qaa-p/11120738#M4099411 former_member397702 2015-06-08T10:33:07Z https://community.sap.com/t5/technology-q-a/microsoft-active-directory-integration/qaa-p/11120739#M4099412 <HTML><HEAD></HEAD><BODY><P>I am not aware of any way you can sync users and passwords between AD and a SAP ABAP System. However, you can sync the user data (e.g. job title, email address) using the LDAP connector.</P></BODY></HTML> Mon, 08 Jun 2015 11:55:09 GMT https://community.sap.com/t5/technology-q-a/microsoft-active-directory-integration/qaa-p/11120739#M4099412 tim_alsop 2015-06-08T11:55:09Z https://community.sap.com/t5/technology-q-a/microsoft-active-directory-integration/qaa-p/11120740#M4099413 <HTML><HEAD></HEAD><BODY><P>Hande,</P><P></P><P>Thanks for letting us know.&nbsp; You might want to move this conversation to another forum then, unless you are speaking of SAP SSO.</P><P></P><P>Matt</P></BODY></HTML> Mon, 08 Jun 2015 14:18:10 GMT https://community.sap.com/t5/technology-q-a/microsoft-active-directory-integration/qaa-p/11120740#M4099413 former_member2987 2015-06-08T14:18:10Z https://community.sap.com/t5/technology-q-a/microsoft-active-directory-integration/qaa-p/11120741#M4099414 <HTML><HEAD></HEAD><BODY><P>Hi Hande,</P><P></P><P>The Kerberos SNC authentication options available with the product SAP Single Sign-On are documented on <A href="http://help.sap.com/saphelp_nwsso20/helpdata/en/8b/5500efc24147758cbf918cd829bbdb/frameset.htm" target="_blank">help.sap.com</A> .</P><P></P><P>I'm pretty sure there will be a mode that fits to your scenario. </P><P></P><P>Best regards,</P><P>Christian </P></BODY></HTML> Thu, 18 Jun 2015 12:01:09 GMT https://community.sap.com/t5/technology-q-a/microsoft-active-directory-integration/qaa-p/11120741#M4099414 Christian_Cohrs1 2015-06-18T12:01:09Z https://community.sap.com/t5/technology-q-a/microsoft-active-directory-integration/qaa-p/11120742#M4099415 <HTML><HEAD></HEAD><BODY><P>Hi Hande,</P><P></P><P>I can imagine implementing a password hook on your domain controller: <A href="https://msdn.microsoft.com/en-us/library/ms721876%28v=vs.85%29.aspx?f=255&amp;MSPPError=-2147217396" title="https://msdn.microsoft.com/en-us/library/ms721876%28v=vs.85%29.aspx?f=255&amp;MSPPError=-2147217396">PasswordChangeNotify callback function (Windows)</A></P><P>which would then update the SAP password for a user on all defined SAP instances via RFC call to BAPI_USER_CHANGE.</P><P></P><P>All the above would require some 200-300 lines of code, however from a security standpoint, I strongly discourage you of implementing that. Your active directory passwords are safe as long as you keep them on the domain controller and you do not touch them. Any attempt like above leads to compromise of user credentials.</P><P></P><P>Either keep the authentication separate or go for SSO. Do not synchronize the passwords.</P><P></P><P>Hynek</P></BODY></HTML> Tue, 21 Jul 2015 20:33:22 GMT https://community.sap.com/t5/technology-q-a/microsoft-active-directory-integration/qaa-p/11120742#M4099415 hynek_petrak 2015-07-21T20:33:22Z