You stated:

"Could you explain me the simpliest way to synchronize user's password. It means that sap user's will type the same password as the Windows one and when users change their windows password changes will automaticaly be replicated on R/3."

I believe you misunderstand how SSO works with the Windows SAPGUI. There is no password syncronization. When the user logs in to their Windows workstation (with their correct password), they will receive a kerberos ticket from AD. This ticket is then presented to the SAP application server when using SAPGUI. If it is valid and the application server is setup correctly for SNC, AND if the user record in SAP is associated with the correct SNC kerberos principle, then the user is either:

Logged on immediately (without entering any password) if they are only valid in 1 client

Given a popup box and asked to choose which client to log in to if they are valid in >1 client (again without entering a password) -- not having to enter the password again is of course the whole point to SSO.

Part of setting up SSO will enable a new tab named SNC in SU01, and it is there that the SAP userid is associated with the kerberos principle. I am sure if you search this forum there are many posts about setting up SNC SSO on Windows.

Again, to the best of my knowledge there is NOTHING which will synchronize passwords between AD and SAP. There is an LDAP connector for SAP, but that is used to simply pre-populate the users in SAP if they already exist in AD with certain criteria. I believe SAP adds some schema information to AD to flag whether a user is also an SAP user, but that whole topic is not needed for SSO. In any case, since the AD passwords are one-way hashed, there would be no way to copy them into SAP with SAP's hashing mechanism.

Brian