
SSO and AD authentication

Former Member
0 Kudos

Hi,

We are considering implementing SSO for our SAP R/3 system (only) and would like some recommendations and feedback on the following setup:

The SAP password should be deactivated and the user should be authenticated against Active Directory instead. The user should not be prompted for password when he logs on from SAP GUI (SSO).

How do we manage that different users can log in from a shared PC? E.g.: A user logs on to Windows and logs in to SAP via SAP GUI, without getting prompted for a password (SSO). In the same Windows session it must be possible for another user to log in to SAP (via GUI), but he somehow needs to be authenticated against AD (password?). Do we have to define two different entries in SAP Logon pad?

Is the above possible? And where can we find recommendations and guidelines for this setup?

Any input welcome.

3 REPLIES 3

tim_alsop
Active Contributor
0 Kudos

Brian,

I hope you are already aware that if you want to do this you need to take advantage of the SNC interface included in SAP GUI and in SAP R/3 ABAP AS. This SNC interface is used to authenticate the user and requires an SNC library on both ends, e.g. on the workstation where SAP GUI is installed and also on the ABAP AS servers. The SNC library which uses Kerberos (the protocol used by Active Directory when a user logs onto a workstation) is provided by SAP if you are running SAP on Windows Servers, otherwise you need to buy a product from a SAP partner instead which will include the SNC libraries you need. You can find a list of the partners involved at http://www.sap.com/eapcatalog - search for keywords SNC or Kerberos to get a list.

Regarding the need to support shared workstations: this is a topic which I am very familiar with, as I help SAP customers set up my company's products to support shared workstations on a regular basis. The solution is provided such that a user logs onto a workstation (e.g. a local user with limited rights to the workstation to change anything) and when somebody logs onto SAP they are given a SignOn screen and they enter an Active Directory account and the password for this account - if correct they are authenticated to the SAP system. When they have finished they log off SAP using the normal method and the next person using the workstation can do the same without logging off Windows.

The scenario you mentioned where a user is logged on using SAP GUI with SSO and then another AD user (not the same as the first) wants to log on using the same Windows session - this is not technically possible since SAP decided when they implemented SNC in SAP GUI to make it work in SSO mode only. It is possible to display a signon screen for the second SAP GUI session, but the same userid that was used the first time must be used, so the signon screen only allows them to re-enter their password.

I hope this helps.

Thanks,

Tim
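
Added example, not part of the reply above and not SAP or partner code: a small Python check of an ABAP instance profile for the server-side SNC settings this setup depends on, and for the original question's goal that SAP password logon is switched off. The profile text, SID, realm and library path are constructed placeholders; the parameter names are standard SAP profile parameters that the thread itself does not quote.

```python
# Constructed sample profile (not from the thread); SID, realm and path are placeholders.
SAMPLE_PROFILE = """\
# constructed example of an ABAP instance profile excerpt
snc/enable = 1
snc/gssapi_lib = /path/to/snc/library
snc/identity/as = p:SAPServiceABC@EXAMPLE.COM
snc/accept_insecure_gui = 1
login/disable_password_logon = 0
"""

def parse_profile(text):
    """Parse 'name = value' lines, skipping blanks and # comments."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[key.strip()] = value.strip()
    return params

def audit_snc(params):
    """Return (parameter, finding) pairs for settings that defeat AD-only logon."""
    findings = []
    if params.get("snc/enable") != "1":
        findings.append(("snc/enable", "SNC is not enabled, so Kerberos SSO from SAP GUI cannot work"))
    if not params.get("snc/gssapi_lib"):
        findings.append(("snc/gssapi_lib", "no SNC library configured on the application server"))
    if not params.get("snc/identity/as", "").startswith("p:"):
        findings.append(("snc/identity/as", "server SNC name missing or not in p:<name> form"))
    gui = params.get("snc/accept_insecure_gui")
    if gui == "1":
        findings.append(("snc/accept_insecure_gui", "SAP GUI logons without SNC are accepted for every user"))
    elif gui == "U":
        findings.append(("snc/accept_insecure_gui", "non-SNC GUI logon is allowed per user; review the user master flags"))
    # Assumption: an absent login/disable_password_logon is treated as 0 (password logon allowed).
    pw = params.get("login/disable_password_logon", "0")
    if pw == "0":
        findings.append(("login/disable_password_logon", "SAP password logon is still possible for all users"))
    elif pw == "1":
        findings.append(("login/disable_password_logon", "password logon remains for login/password_logon_usergroup"))
    return findings

if __name__ == "__main__":
    for name, message in audit_snc(parse_profile(SAMPLE_PROFILE)):
        print(f"{name}: {message}")
```
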

Former Member
0 Kudos

Hi There

I was interested in this reply, but my understanding of SSO with Kerberos for SSO is that once the user logs onto the workstation and they launch SAPGUI, they will automatically get signed into SAP if they have a valid SAP User.

How do you get SAP to prompt you for the ADS userid/password?

Can you provide some documentation?

Regards

tim_alsop
Active Contributor
0 Kudos

Minesh,

Please contact me using email if you would like to see a demo of this functionality.

Thanks,

Tim