Application Development Discussions

SAP Using LDAP Authentication [really confusing]

Former Member
0 Kudos

Dear gurus,

I have a scenario where the users in the ABAP system should match the users in Active Directory (I don't know, maybe via mapping?).

That is, Windows users log on to their terminal and then log in to SAP using SAP GUI. So, the basic idea is how to integrate SAP into Active Directory.

I've read the net, only to get more confused.

The questions I want to clarify are:

- In SAPINST, there's a menu regarding LDAP in "software life cycle". Must I install that if I want to use LDAP authentication?

- Must I install SAP Enterprise Portal?

- Are Single Sign On and LDAP Authentication the same?

- Is there a tutorial regarding this integration?

Thanks very much for your help.

Best Regards,

36 REPLIES

Former Member
0 Kudos

Hello Bobby

I think your idea is to deploy GUI SSO for AD domain users without typing an ID/password to access SAP, as long as they have already logged on to their PC with an AD domain ID.

If your SAP instances run on Windows hosts, then it's much easier to make it happen in just a few steps: find the necessary crypto library in SWDC and load it, define parameters to activate SNC for AS ABAP, and configure the SNC tag in SU01 and the logon pad. Here's the help link: http://help.sap.com/saphelp_nw70ehp1/helpdata/en/0d/482bb8013243f1b6e2439091e3022f/content.htm

But if your SAP runs on a UNIX-type host, you'll have to customize and generate an AD Kerberos library and load it via the parameter snc/gssapi_lib, and it's OS dependent.

Regards,

Effan

0 Kudos

>

> But if your SAP runs on a UNIX-type host, you'll have to customize and generate an AD Kerberos library and load it via the parameter snc/gssapi_lib, and it's OS dependent.

Actually, if SAP is on UNIX or Linux, you still need an SNC library, but one is not available from SAP. The best place to find one is from an SAP partner. There are a few to choose from and they can be found by searching in http://ecohub.sdn.sap.com One example is at http://ecohub.sdn.sap.com/irj/ecohub/solutions/trustbrokersecureclient

>

> Regards,

> Effan

0 Kudos

Thanks for your tip, Tim.

Actually, I myself am looking to configure SNC for SAP on an AS/400 host, and am still working on customizing the Kerberos library on AD for AS/400... Like you indicated, a customized one is not officially supported by SAP; for some reason we won't consider bringing in another chargeable 3rd-party security product.

Thanks,

0 Kudos

Effan,

OS/400 is often supported via the PASE environment, since a PASE environment can run native AIX libraries compiled on an RS/6000.

If your company is not able to pay for software, they need to be aware of the consequences of "build your own", since this will mean that if users cannot log on you will not be able to get support from anybody, and you will need to ensure that the expertise is available within your company to fix any issues you may find when running in production. Also, perhaps your company is not aware of the costs of buying third-party software to meet your needs, and is assuming it is expensive?

Thanks,

Tim

0 Kudos

Gurus, thanks for your answers.

I'm still reading the link you gave me earlier.

My principal wants that, after the user logs on to Windows, the user must still type a username and password in SAP GUI.

But the password should be exactly the same as in Active Directory for that user.

Is it possible?

Thanks for your help.

Best Regards,

0 Kudos

Bobby,

Yes, that is possible, but not using the SNC library from SAP (for SAP GUI). The SNC library from SAP and many vendors just offers SSO, so the user is not prompted for a password. One company that I know very well has a feature in their client software which does exactly what you ask for. It shows a sign-on screen for the user and they enter their Active Directory account and password, and this is used to get Kerberos tickets from the domain, which are then used to log the user onto SAP. In this configuration, the Kerberos ticket issued during the workstation's initial login is ignored and not used.

Thanks,

Tim

tim_alsop
Active Contributor
0 Kudos

>

> The question I want to clarify is:

> - In SAPINST, there's a menu regarding LDAP in "software life cycle". Must I install that if I want to use LDAP authentication?

No, this option is related to how the list of systems a user can log on to, found in SAP Logon, is determined. It is not related to authentication of users.

> - Must I install SAP Enterprise Portal?

No, you can use SNC to support Active Directory authentication with SAP GUI.

> - Are Single Sign On and LDAP Authentication the same?

No, LDAP is a protocol which is used to access an X.500 directory, and when using LDAP to authenticate, typically a password is required. The SAP GUI product does not support LDAP user authentication.

> - Is there a tutorial regarding this integration?

It depends on whether your SAP system is on UNIX or Windows. Check the response from Effan for the default on Windows.

>

> Thanks very much for your help.

> Best Regards,

Former Member

Effan,

I'm still confused about the help you gave me.

Just what's the first step to do?

And I still don't get the concept behind it.

Does it mean that when the user logs on to Windows using their AD account, then when the user logs on to the SAP system, they will not be prompted for any user/password?

And just how secure is that, for example, if the user logs out of SAP but does not lock their PC?

And if it depends on the SAP GUI for the SNC name, can't the user work from any other terminal except theirs?

Thanks for your help.

Best Regards,

0 Kudos

Bobby,

I wanted to help you with some of your questions about 'concepts'

When a user logs onto a Windows domain using their AD account, the domain controller issues Kerberos tickets which are cached on the workstation. If you were to look into this cache you would see an initial ticket for the user who is logged on and this would have a principal name like user@DOMAIN (user = AD account name used to logon to windows, DOMAIN = upper case name of the AD domain they logged onto). In SAP SNC terminology, this principal name in the cache is referred to as the SNC name.

When a user logs onto SAP using SAP GUI with SNC, the SNC library will use the Kerberos tickets to authenticate the user to SAP, so the user does not need to re-authenticate. Yes, this means that if the user walks away from the computer somebody else can log on as the user - one of the reasons why we added the feature mentioned earlier to our product, so that the AD authentication can be made to happen when the user logs onto SAP, not using the credentials already available from the initial workstation logon. Some customers prefer this, but some are happy with SSO and they set a policy to make sure that users don't leave their workstations unattended.

I hope this helps you with some of the questions about concepts etc.

Regards,

Tim

0 Kudos

Please refer to Tim's reply for concept.

> Just what's the first step to do?

Start with those parameters mentioned in the online help I provided earlier.

> Does it mean that when the user logs on to Windows using their AD account, then when the user logs on to the SAP system, they will not be prompted for any user/password?

Correct.

> And just how secure is that, for example, if the user logs out of SAP but does not lock their PC?

This SSO is based on the secured logon of trusted domain users, so users need to be educated in basic security concepts.

> And if it depends on the SAP GUI for the SNC name, can't the user work from any other terminal except theirs?

One of the parameters, snc/accept_insecure_gui, determines whether your SAP instance accepts insecure access, which includes logging on from terminals outside the company domain even with a valid ID/password. 0 is reject and 1 is accept.

Regards,

Effan

0 Kudos

>

> Please refer to Tim's reply for concept.

>

> > Does it mean that when the user logs on to Windows using their AD account, then when the user logs on to the SAP system, they will not be prompted for any user/password?

> Correct.

This is ONLY correct if you are using the SNC library provided by SAP. As I already mentioned, one of the partner products has a feature to allow the user to be asked for their AD account and password during login.

>

> > And if it depends on the SAP GUI for the SNC name, can't the user work from any other terminal except theirs?

> One of the parameters, snc/accept_insecure_gui, determines whether your SAP instance accepts insecure access, which includes logging on from terminals outside the company domain even with a valid ID/password. 0 is reject and 1 is accept.

This is a bit misleading. The snc/accept_insecure_gui parameter only allows a user to log on if they have an SAP-stored user ID and password. If the user needs to log on using their AD account and password, and their SAP password is deactivated (it is good security to do this to avoid any back doors when SNC is used), then this parameter will not help. However, the feature I mentioned above in my other comment will help...

Also, I think the question was related to working from another terminal, not whether the user can log on using an SAP password or not. To be sure the possibilities are clear, I wanted to mention that if a user logs on to the domain from any workstation which is joined to the domain, then their domain credentials will be issued by AD during that logon and they can then be authenticated to SAP. There is nothing which ties a user to an actual workstation when using this approach.

>

> Regards,

> Effan

WolfgangJanzen
Product and Topic Expert
0 Kudos

> And just how secure is that, for example, if the user logs out of SAP but does not lock their PC?

Well - in that case anyone might be able to read the user's mail (using Outlook), access his private files (even on remote file servers), etc.

Every user should be made aware of his obligations / duties.

When you leave your car unlocked, you will be held liable for the consequences ...

0 Kudos

Mr. Tim,

Just out of curiosity, how do you configure it so that one SAP user can be accessed by many AD users?

I mean, the mapping process is 1 to 1 in SU01, right? Which is SAPUser/DomainUser.

Can it be concurrent?

Also, my principal insists that the user must log on again with their Active Directory password when accessing SAP Logon.

Can you please tell me the partner product that supports this? If you don't mind, maybe the contact number.

Thanks for your help.

Best Regards,

0 Kudos

In fact, the mapping is 1:many and not many:many (which is what you want).

There is only room for one SNC name in the SAP user record, so it is not possible for 1:many or many:many, only many:1.

Regarding the partner, I gave a link to the vendor on EcoHub earlier in this thread. It is not possible to mention telephone numbers in SDN threads. You can also check my business card if you like.

0 Kudos

Mr. Tim... a bit confused.

Which user is many and which user is 1?

So the conclusion is, using SSO, concurrent login is impossible?

Regarding the partner product, is it the same as Realtech?

I mean the concept become "Integration of SAP central user administration With Microsoft Active Directory"?

Best Regards,

0 Kudos

>

> Mr. Tim... a bit confused.

> Which user is many and which user is 1?

1 Active Directory user account (e.g. SNC name) can be mapped onto many SAP users via an entry in SU01 (stored in USRACL).

You were asking for many:1 or many:many, which is not possible.

If you have many AD users who need to log on as the same SAP user, then this is against SAP licensing because it means users are sharing SAP accounts. Instead of this you need to give each user their own SAP user account.

>

> So the conclusion is, using SSO, concurrent login is impossible?

I am not sure what you mean by concurrent login. It is possible for an AD user to log on more than once, so they are logged on concurrently, and they might be logged onto more than one SAP user account because there is the possibility for their SNC name to be mapped onto more than one SAP user in the user database.

> Regarding the partner product, is it the same as Realtech?

No, it is called CyberSafe. If you follow the link to the product on EcoHub that I gave earlier, you will see it points to the CyberSafe Secure Client product, which is what you need if you want to authenticate users each time they logon to SAP, using Kerberos/Active Directory.

> I mean the concept become "Integration of SAP central user administration With Microsoft Active Directory"?

Sorry? What is your question?

>

> Best Regards,

WolfgangJanzen
Product and Topic Expert
0 Kudos

> Just out of curiosity, how do you configure it so that one SAP user can be accessed by many AD users?

Sounds like you intend to practice account sharing ...

0 Kudos

I see.. thanks for answering.

Yes, I know that if one AD user has many SAP users, it will be possible.

Again, just out of curiosity, gurus. Not intended for abusive practice.

Mr Tim, I mean, have you done an SAP CUA integration with Active Directory?

So the SAP user will be created and maintained in Active Directory.

The user will then be synchronized to SAP using a special report.

I don't know if that has the same concept as your partner product.

Best Regards,

0 Kudos

>

> I see.. thanks for answering.

> Yes, I know that if one AD user has many SAP users, it will be possible.

> Again, just out of curiosity, gurus. Not intended for abusive practice.

OK, glad you understand now.

>

> Mr Tim, I mean, have you done an SAP CUA integration with Active Directory?

> So the SAP user will be created and maintained in Active Directory.

It is possible to sync user records with AD using the LDAP connector, and this approach is commonly used. The user's password is not synced, so this complements the SNC auth solution which we have been discussing, as SNC does not require an SAP password to be maintained.

> The user will then be synchronized to SAP using a special report.

Yes, that is correct. I can't remember the name of the report, but this has been done by some of our customers and it works well.

> I don't know if that has the same concept as your partner product.

No, the partner product we have been discussing provides SNC auth, and the connection between CUA or any SAP ABAP system and MS AD is done using LDAP and standard SAP functionality.

>

> Best Regards,

0 Kudos

I see, so the integration itself is not the answer, because the password is not synced.

Regarding your partner product, may I know the concept?

Is it that SAP itself stores the username and password for the R/3 system, but it is synced with the AD account, or that SAP doesn't store any password, but just authenticates against the AD account using the mapped username?

Thanks for your help.

Best Regards,

0 Kudos

>

> I see, so the integration itself is not the answer, because the password is not synced.

It is not possible to use the LDAP report to sync passwords from AD, and also CUA does not sync passwords between SAP systems. This is why it is complementary to using SNC authentication, because when you use SNC the SAP password is not needed, and is often deactivated to avoid any "back door" access.

>

> Regarding your partner product, may I know the concept?

Which aspect of it do you need the concept for? Are you just asking about the way it authenticates users each time a user logs onto SAP? This is done by getting Kerberos credentials during the SAP logon instead of using the Kerberos credentials which might already be on the workstation from the user's initial logon to the domain.

> Is it that SAP itself stores the username and password for the R/3 system, but it is synced with the AD account, or that SAP doesn't store any password, but just authenticates against the AD account using the mapped username?

When you use SNC, SAP can still store passwords, but SNC is not using the SAP password. In this case, the user only has the AD account password to use and doesn't need an SAP password.

>

> Thanks for your help.

> Best Regards,

0 Kudos

Thanks for your explanation. It's pretty clear to me.

When using that product, is the username mapping the same as that of SAP, via SU01, SNC tab?

And if it is using Kerberos credentials, what does the logon look like? Is it the generic SAP logon with username, password, and client?

Thanks for your help.

Best Regards,

0 Kudos

>

> Thanks for your explanation. It's pretty clear to me.

>

> When using that product, is the username mapping the same as that of SAP, via SU01, SNC tab?

Yes, of course. Nothing changes on server side. The client side is only changed to authenticate the user during the logon to SAP. There are many configuration options available, which can be explained when you talk to the vendor (e.g. me).

> And if it is using Kerberos credentials, what does the logon look like? Is it the generic SAP logon with username, password, and client?

The logon screen can be customized.

>

> Thanks for your help.

> Best Regards,

Former Member
0 Kudos

Thanks gurus for the explanation.

I think I've grasped the SSO concept then.

We're using Kerberos. So I must first download the SNC library for that particular one, right?

Mr. Tim, if you don't mind, could you tell me more about this partner product you mentioned to me earlier?

I think our principal will go for that one, as a means of security.

Thanks for your help.

Best Regards,

0 Kudos

>

> Thanks gurus for the explanation.

> I think I've grasped the SSO concept then.

That's good to know, glad to be of assistance.

>

> We're using Kerberos. So I must first download the SNC library for that particular one, right?

You need an SNC library for the SAP servers and also for the workstations that implements Kerberos, and one that is SAP certified.

>

> Mr. Tim, if you don't mind, could you tell me more about this partner product you mentioned to me earlier?

If you contact the partner they will give you the help you need. There is a limit to what can be described in this forum regarding non-SAP products.

> I think our principal will go for that one, as a means of security.

Sounds good.

>

> Thanks for your help.

> Best Regards,

Former Member
0 Kudos

Sir, right now our server is not joined to a domain.

Right now we're starting SAP as the local user Administrator.

According to SAP HELP:

snc/identity/as = p:SAPService<SID>@<KERBEROS_REALM_NAME>

where <KERBEROS_REALM_NAME> is the Kerberos realm that the SAPService<SID> user belongs to.

Should we create this user: SAPService<SID> in the domain?

And with administrator right?

Thanks for your help.

Best Regards,

0 Kudos

Hi,

There is no Kerberos realm if the server is not joined to a domain.

The SAP SNC library for Windows does not work if the server is not joined to the domain. If you prefer not to join the Windows server to the domain, then you can consider the SNC library from an SAP partner that supports SAP on Windows instead.

Thanks,

Tim

0 Kudos

Mr. Tim,

At the beginning of the SAP installation, we chose that the server is not joined to a domain.

Now we want to join the server in the domain.

Is it possible?

I mean, the user and group are not created in the corresponding domain.

I see in the notes that it is only possible by system copy.

Can't I just create the SAPService<SID> user in the domain?

Thanks for your help.

Best Regards,

0 Kudos

Hi,

If you are using the SAP SNC library on a Windows server, the server MUST be joined to the domain. This is because this SNC library uses the Kerberos functionality included in the Windows operating system, which will not function unless the Windows operating system is a domain member.

If you do not want to go through the hard work of changing Windows to be a domain member, e.g. a system copy, then your only option is to use the SAP SNC products from the SAP partner that I mentioned earlier.

Thanks,

Tim

0 Kudos

So, it can't be achieved by simply adding the SAP user with global admin rights in the domain we want to join?

Best Regards,

0 Kudos

No, because Windows does not know how to communicate with the domain unless it is a domain member.

0 Kudos

Mr. Tim, I think you got the wrong idea.

Yes, right now our SAP Server is not domain-joined. It is now in WORKGROUP, not in domain.

Now, because SAP requires that the SAP Server itself must be domain-joined, we would like to change this.

We will include the SAP Server in the domain, let's say domain DWN.

Then, my question is, is it possible to just create the SAPService<SID> user in the DWN domain after the server has JOINED DWN, rather than doing a whole system copy? This way, SAP will no longer be started using a local user but, instead, a DWN domain user.

Best Regards,

0 Kudos

>

> Mr. Tim, I think you got the wrong idea.

Yes, I understood that you didn't want to, or were unable to join the server to the domain.

>

> Yes, right now our SAP Server is not domain-joined. It is now in WORKGROUP, not in domain.

> Now, because SAP requires that the SAP Server itself must be domain-joined, we would like to change this.

> We will include the SAP Server in the domain, let's say domain DWN.

>

> Then, my question is, is it possible to just create the SAPService<SID> user in the DWN domain after the server has JOINED DWN, rather than doing a whole system copy? This way, SAP will no longer be started using a local user but, instead, a DWN domain user.

I am afraid I don't know the answer to this. I am only familiar with the SNC solution that is not dependent on Windows domain membership, as this works differently from the SAP SNC library. Perhaps the info you need is in the documentation?

>

> Best Regards,

Former Member
0 Kudos

Dear gurus,

I'm configuring SSO for the first time, and there's this error upon configuring the parameters:

N Thu Mar 04 20:52:04 2010
N  SncInit(): Initializing Secure Network Communication (SNC)
N        PC with Windows NT (mt,ascii,SAP_UC/size_t/void* = 16/64/64)
N  SncInit():   found snc/data_protection/max=3, using 3 (Privacy Level)
N  SncInit():   found snc/data_protection/min=2, using 2 (Integrity Level)
N  SncInit():   found snc/data_protection/use=9, using 3 (Privacy Level)
N  SncInit(): found  snc/gssapi_lib=C:\Windows\System32\gx64krb5.dll
N    File "C:\Windows\System32\gx64krb5.dll" dynamically loaded as GSS-API v2 library.
N    The internal Adapter for the loaded GSS-API mechanism identifies as:
N    Internal SNC-Adapter (Rev 1.0) to Kerberos 5/GSS-API v2
N  SncInit():   found snc/identity/as=p:SAPServiceNIQ@mykerberosdomain
N  *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI  [sncxxall.c 1439]
N        GSS-API(maj): No valid credentials provided (or available)
N        GSS-API(min): SSPI u2u-problem: please add Service principal for own account
N      Could't acquire ACCEPTING credentials for
N  
N      name="p:SAPServiceNIQ@mykerberosdomain"
N  SncInit(): Fatal -- Accepting Credentials not available!
N  <<- SncInit()==SNCERR_GSSAPI
N           sec_avail = "false"
M  ***LOG R19=> ThSncInit, SncInitU ( SNC-000004) [thxxsnc.c    230]
M  *** ERROR => ThSncInit: SncInitU (SNCERR_GSSAPI) [thxxsnc.c    232]
M  in_ThErrHandle: 1
M  *** ERROR => SncInitU (step 1, th_errno 44, action 3, level 1) [thxxhead.c   10650]

What have I done wrong?

Thanks for your help.

Best Regards,
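The trace in the post above is the kind of thing an administrator has to read by hand; here is an added Python example (not code from the thread or from SAP) that pulls the snc/* parameters and the GSS-API status out of such dev_w* lines and states in one line why SNC stayed disabled. The sample trace is a constructed copy of the posted lines; the function and class names are my own.

```python
"""Summarise SNC initialisation from SAP work-process trace lines.
Added example, not code from the thread or from SAP: it parses a dev_w*
excerpt like the one posted above and reports which snc/* parameters
SncInit() picked up and why accepting credentials could not be acquired."""
import re
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed copy of the trace lines from the post (not from a live system).
SAMPLE_TRACE = r"""
N  SncInit(): Initializing Secure Network Communication (SNC)
N  SncInit():   found snc/data_protection/max=3, using 3 (Privacy Level)
N  SncInit():   found snc/data_protection/min=2, using 2 (Integrity Level)
N  SncInit():   found snc/data_protection/use=9, using 3 (Privacy Level)
N  SncInit(): found  snc/gssapi_lib=C:\Windows\System32\gx64krb5.dll
N    File "C:\Windows\System32\gx64krb5.dll" dynamically loaded as GSS-API v2 library.
N  SncInit():   found snc/identity/as=p:SAPServiceNIQ@mykerberosdomain
N  *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI  [sncxxall.c 1439]
N        GSS-API(maj): No valid credentials provided (or available)
N        GSS-API(min): SSPI u2u-problem: please add Service principal for own account
N      Could't acquire ACCEPTING credentials for
N      name="p:SAPServiceNIQ@mykerberosdomain"
N  SncInit(): Fatal -- Accepting Credentials not available!
N  <<- SncInit()==SNCERR_GSSAPI
N           sec_avail = "false"
"""

PARAM_RE = re.compile(r"found\s+(snc/\S+?)=(\S+)")          # "found snc/x=value"
ERROR_RE = re.compile(r"\*\*\* ERROR => (\w+)\(\)==(\w+)")  # "*** ERROR => Call()==CODE"
GSS_RE = re.compile(r"GSS-API\((maj|min)\):\s*(.+?)\s*$")   # major/minor status text
SEC_AVAIL_RE = re.compile(r'sec_avail = "(\w+)"')

@dataclass
class SncInitReport:
    params: Dict[str, str] = field(default_factory=dict)
    failed_call: Optional[str] = None
    error_code: Optional[str] = None
    gss_major: Optional[str] = None
    gss_minor: Optional[str] = None
    sec_avail: Optional[bool] = None

    def ok(self) -> bool:
        """SNC is usable only if no error was logged and sec_avail is true."""
        return self.error_code is None and self.sec_avail is True

def parse_snc_trace(text: str) -> SncInitReport:
    rep = SncInitReport()
    for line in text.splitlines():
        if (m := PARAM_RE.search(line)):
            rep.params[m.group(1)] = m.group(2).rstrip(",")   # "3," -> "3"
        elif (m := ERROR_RE.search(line)) and rep.failed_call is None:
            rep.failed_call, rep.error_code = m.group(1), m.group(2)  # first failure wins
        elif (m := GSS_RE.search(line)):
            if m.group(1) == "maj":
                rep.gss_major = m.group(2)
            else:
                rep.gss_minor = m.group(2)
        elif (m := SEC_AVAIL_RE.search(line)):
            rep.sec_avail = m.group(1).lower() == "true"
    return rep

def diagnose(rep: SncInitReport) -> str:
    """One line an administrator can act on, built only from the parsed trace."""
    identity = rep.params.get("snc/identity/as", "<no snc/identity/as found>")
    if rep.ok():
        return f"SNC initialised; accepting identity {identity}"
    if rep.failed_call == "SncPAcquireCred":
        hint = f" ({rep.gss_minor})" if rep.gss_minor else ""
        return f"SNC disabled: no accepting credentials for {identity}{hint}"
    return f"SNC disabled: {rep.failed_call or 'SncInit'} returned {rep.error_code}"

if __name__ == "__main__":
    print(diagnose(parse_snc_trace(SAMPLE_TRACE)))
```

For the posted trace the diagnosis repeats the GSS-API minor status, which points at the service principal of the account named in snc/identity/as.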

Former Member
0 Kudos

SSO's up and running.

0 Kudos

Hi Lori,

Can you share the steps of your configuration?

In my case I have this landscape:

ERP --> AIX

BI --> Windows 2008

Portal --> Windows 2003  (ABAP ume)

These servers are not joined to a domain, so I know that I have to join the servers to the customer's domain, but for SSO authentication SAP Help says to use SAPService<SID>, which is a domain account. But in my case I don't want to do a system copy (is this the only option to convert the local SAPService user to a domain account?). I have in mind to create a different user in the domain for every system and do the SSO configuration with these users (ex: sapSIDsso).

Also, in Portal I have to use the SPNEGO Wizard; in my case I have to use a new wizard because of the Portal version, SAP 7.0 SP23, and it says to create a service account in AD and run the spnego command. It doesn't say to use the SAPService<SID> of the Portal system, for which reason I guess I can use another user for SSO in the SAP GUI/ABAP system.

Also, is it possible for users from different domains to use SSO via SAP GUI with ABAP systems that belong to one domain? Example:

ABAP system: mydomain.com

Users from: mydomain.com, yourdomain.com