
Password sync between ECC and Active Directory...

Former Member
0 Kudos

Hi,

All the user information is stored in Active Directory.

At our client, the user ID in Active Directory and ECC is the same.

But the passwords are not the same.

The user might change the password in ECC.

So, is there a tool that can be used to sync the passwords in Active Directory and ECC?

The user should not be able to change the password in ECC. It should use the same password as in Active Directory.

Does anyone know of any tool or mechanism for this purpose?

Thanks,

Sudha.

6 REPLIES 6

Former Member
0 Kudos

No, and it is a bad idea. Most discussions about this end up in Single-Sign-On solutions.

Please search the forum here for the word "synchronization" and you will find a number of discussions about this and what the risks are and what the typical causes are.

Some valid reasons do however exist as well, but there are better ways of doing it than synchronizing (attempts).

See for example , although I found the second answer better than the first one which the OP decided to mark as "solved".

Cheers,

Julius

tim_alsop
Active Contributor
0 Kudos

Hi,

As Julius has already mentioned, the use of password sync is not recommended, and not secure. Instead, the best way to achieve what you want is to use the credentials issued by Active Directory when a user logs onto their workstation, or uses software installed on their workstation to authenticate with Active Directory. These credentials can be used to authenticate the user to SAP via SAP GUI or Web browser so the user does not need to remember SAP password as well as AD password. When this kind of technology is implemented the SAP password is normally deactivated because it is not required anymore.

Thanks,

Tim

Former Member
0 Kudos

> When this kind of technology is implemented the SAP password is normally deactivated because it is not required anymore.

This is also advisable, unless the user can reactivate it in a safe way again, or a trusted admin resets it.

In addition to the fact that a non-deactivated password could be used without the user noticing it ( => hence deactivated, and the possibility for the user to delete their own password to protect themselves...) I regularly see requests for such features to be possible where the motives are questionable in the various developer forums...

From today =>

It is best in my opinion that such a mechanism is not only not supported, but also not possible.

Cheers,

Julius

tim_alsop
Active Contributor
0 Kudos

>

> > When this kind of technology is implemented the SAP password is normally deactivated because it is not required anymore.

> This is also advisable, unless the user can reactivate it in a safe way again, or a trusted admin resets it.

Julius, I am not clear what you are suggesting - surely, if SNC or SSO2 is used to authenticate the user and the user is using password, biometrics, smart cards or some other form of authentication external to SAP and does not need a password to be maintained by SAP anymore, it is clearly secure and advisable to deactivate the SAP password? If not, then the SAP password will expire and even though they logon using external authentication method the SAP software will notify them that their password has expired. This password expiry will confuse them because it refers to a password which is not being used to logon.

Thanks,

Tim

Former Member
0 Kudos

Yes, that is what I meant (not sure where the confusion came from?).

It is best to deactivate the password, thereby preventing password-based logons when other authentication mechanisms are used. There are various ways of doing this, but I guess that we are drifting off topic now for the moment.

Cheers,

Julius

tim_alsop
Active Contributor
0 Kudos

>

> Yes, that is what I meant (not sure where the confusion came from?).

Julius,

Thanks. I think I misread your response. Anyway, we are in agreement on this and best not to go off topic. Hopefully s a understands the security issues and now knows what is possible.

Take care,

Tim