on ‎2008 Oct 07 8:21 PM
Everything I have found relating to Active Directory is based around getting SSO to work. Isn't there a halfway point that doesn't require touching every user and deploying complex config?
In simple terms I am looking to do this. I want to be able to set up a connection between the SAP application (not the GUI) and Active Directory, and have the user authentication be pulled from AD. We have dozens of systems and clients, and it would be really nice if we could set it up so that user SALES1234 (who also has an OFFICE\SALES1234 NT account) uses the same password in all systems.
Is there something that can be set up using the LDAP connector on the systems to either pull the passwords down to SAP, or authenticate against AD on the fly? It's not true SSO, but having a unified password strategy is a huge leap forward without having to invest in a huge project to touch users that are spread out globally.
Help? Any ideas?
Oh, I don't know much about AD, except ours uses Kerberos for authentication. Our systems are Solaris based.
Thanks in advance!
Hi,
MS AD is, if you just look at the core, an LDAP Server. The UME supports LDAP.
SAP Help: http://help.sap.com/saphelp_nw04/helpdata/EN/eb/00954081efb90ee10000000a155106/frameset.htm
For getting access to the groups and user information in the MS AD LDAP, you'll need to know the exact location inside the LDAP. It is something like cn=users,ou=company,ou=com. You'll have to get this information from your AD administrator.
br,
Tobias
Hi,
Why can't you synchronize users with the help of the RSLDAPSYNC_USER report from your AD to SAP, including passwords? But you need to do some mapping in the ldapmap tcode.
Thanks,
Kiran.
I don't think you'll find any way to do what you're asking for without SSO. And it's not hard to set up (in Windows, not sure about any other OS).
Hello Randall,
I did not understand the requirement very clearly but this can be done using Portal.
In our landscape, portal servers have 2 URLs each, one for Kerberos authentication and the other without Kerberos.
The second URL, which is without Kerberos, lets users authenticate themselves by entering their AD login credentials.
If this suits your scenario too, then create a URL alias in the DNS.
Regards,
Ritu
Take portal out of the equation. I am talking about SAPGUI users and the ABAP side of the system. Basically I want to see if there is a way to either sync passwords with an AD back end, or use something in the LDAP connector to perform the password authentication. Security roles would still reside inside of SAP; I am talking only about the password authentication. I have systems that range from an old BW3.1 system to a new CRM 7.0 system. All of them are on at least a 6.20 kernel, and they all have the LDAP connector. It's just not being used.