>

> No, this is not possible with Kerberos. However, vendors using a PKI to implement SSO, can be a little bit more flexible and have implemented the functionality of encryption WITH a password. You'll have to contact me off line for pointers, though.

This is not correct. Our product uses Kerberos and has this exact functionality, e.g. we are able to authenticate the user when they logon to SAP using Active Directory userid and password via Kerberos protocol, and then use these credentials to authenticate the user to the SAP system, instead of using the Kerberos credentials issued during initial workstation domain logon.

This is NOT a feature which is specific to using a PKI. You only mention this because your product requires a PKI.

>

> @Tim: Unless the OP corrects me, the requirement was for Kerberos with a password (perhaps the OP can explain why he needs this exactly, because this in itself does not make much sense).
> 
> That's why I am thinking he meant encryption with a password (I think you were also thinking this in your first reply).
> 
> In the post above, you're referring to the Windows password that must be entered during Windows Logon. This has nothing to do with SAP.

Yes, he wants to use Kerberos with a password. This was/is clear to me, and I was not thinking of anything related to encryption with a password, since Kerberos does not encrypt using a password, but uses symmetric encryption keys which are derived from a password + other information. The requirement stated does not concern this subject, so please lets not discuss something that is not relavent to this thread.

The original question was related to using the Active Directory user accounts password to logon to SAP, by making sure that user is prompted for their userid and password when they logon to SAP, instead of using the credentials already issued during the initial workstation logon. This is how I understood the requirement, and is why I mentioned that partner products are required to meet this exact need.

Thanks,

Tim