Saqib,

Yes, if you use client certificates then you can logon to SAP ABAP AS using this certificate and the certificate will be mapped to a user. This has some implications however, since you will need to manage these certificates and you are not needing to do that now, and you will need to issue client certificates to users and make sure that each user uses same browser/pc when they logon, so no roaming will be possible, unless of course you use smart cards to store the client certificates. The solution I am suggesting does not have any of these implications because it will simply allow the user to enter their AD account and password, which is same that they use when they logon to Windows domain when in office.

To implement the AD userid+password authmethod, you need a Java stack and the installation of a login module in the java stack which handles Kerberos forms-based authentication (so that AD accounts and passwords can be used). Then, in ABAP stack you would configure the redirection so that when no SSO2 ticket is sent by browser, the ABAP stack redirects to the Java stack where the user is authenticated. After authenticaiton and the SSO2 ticket has been issued by Java stack, the user will be redirected back to the original app on ABAP stack and their SSO2 ticket will be decoded to know who they are.

I have helped many customers implement this approach. Your requirement is not uncommon.

Thanks,

Tim

Saqib,

The SNC authentication is only used when you logon from SAP GUI or SAP front end library, and is not effected or involved in browser authentication. I am therefore wondering why you are asking about SNC_LIB ? If you have SNC auth working then you can leave this as it is.

The solution I am proposing involves third-party product, which you can find described on SAP EcoHub at http://ecohub.sdn.sap.com/irj/ecohub/solutions/trustbrokeradapter

- You can evaluate this product if you are interested to see it working, or I can setup a web meeting and show you it working.

Thanks,

Tim