06-17-2010 5:30 AM
Dear friends,
I am looking for a solution to set up a system with the following requirements:
- Log in to CRM 2007 Business Server Pages using a domain account which is managed by Microsoft Active Directory.
- Users use only a web browser; they don't use SAPGUI, and they must type their username and password (which are managed in Microsoft AD, not in the SAP system) at every login to the BSP page. Solutions like X.509 client certificates are not to be used.
I previously configured SNC, and I could log in to the SAP system using SAPGUI without typing an SAP username and password when I logged in to my computer with a domain account (my computer is joined to the domain).
But my requirement is that the domain account (username and password) has to be used and typed in the web browser when I want to log in to the SAP system; it could not be configured to go directly to the SAP application (BSP page) without typing the username/password of the domain account.
After some time looking for a solution about authentication:
http://www.sdn.sap.com/irj/sdn/index?rid=/webcontent/uuid/8039306e-cea4-2a10-15b9-8e96d40c51ef [original link is broken]
I think maybe I could log in to the Java portal using the username/password of the domain account to authenticate, and after logging in to the portal I use SSO to switch to the BSP page without typing the username and password again. This solution may be acceptable because I would be logging in to the SAP application from a web browser and using a domain account.
Could you show me whether there are any other solutions, or how I could set up my solution above?
Thanks and Best Regards.
06-29-2010 7:59 AM
The normal way to do this is to configure the required authentication stack on a Java stack (e.g. portal, a standalone Java instance of NetWeaver, or dual stack) and then configure the BSP app in the SICF transaction to redirect to the Java stack when no SSO2 ticket is sent by the browser (e.g. user has already authenticated). The redirect to the Java stack will be done such that, after the user has authenticated to the Java stack, they will be issued with an SSO2 ticket and redirected back to the BSP app URL. From the end user's perspective, they will access the BSP app URL and get authenticated using Active Directory, and they won't know about the redirection since they will be logged into the BSP app once they have authenticated.
The authentication using Active Directory can be done using two methods:
- Using credentials already on the workstation from the workstation logon, e.g. using Integrated Windows Authentication
- Showing the user a form where they enter their AD account and password.
Thanks,
Tim
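The redirect-and-ticket exchange described in the answer above, as an added example that is not part of the original thread and not SAP code. It is a simplified model: the URLs, the `redirect` parameter, the sample user and the HMAC (standing in for the ticket's digital signature) are assumptions; `MYSAPSSO2` is the cookie that carries the SAP logon ticket.

```python
import hashlib, hmac
from urllib.parse import quote, urlparse, parse_qs

# Constructed sample data: stand-ins for Active Directory and the ticket signing key.
AD_USERS = {"CORP\\jdoe": "S3cret!"}
SIGNING_KEY = b"constructed-demo-key"  # HMAC stands in for the ticket's signature
BSP_URL = "https://crm.example.com/sap/bc/bsp/sap/demo_app/default.htm"
JAVA_LOGON = "https://portal.example.com/logon"
TICKET_TTL = 8 * 3600

def issue_ticket(user, now):
    """Java stack: build 'user|expiry|mac' after a successful AD check."""
    body = f"{user}|{int(now) + TICKET_TTL}"
    mac = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{mac}"

def verify_ticket(ticket, now):
    """BSP side: return the user name if the ticket is authentic and unexpired."""
    try:
        user, expiry, mac = ticket.rsplit("|", 2)
        expires = int(expiry)
    except (ValueError, AttributeError):  # malformed or missing ticket
        return None
    good = hmac.new(SIGNING_KEY, f"{user}|{expiry}".encode(), hashlib.sha256).hexdigest()
    return user if hmac.compare_digest(mac, good) and expires > now else None

def bsp_request(cookies, now):
    """BSP app: serve the page with a valid ticket, else redirect to the Java stack."""
    user = verify_ticket(cookies.get("MYSAPSSO2"), now)
    if user:
        return 200, {}, f"BSP page for {user}"
    return 302, {"Location": f"{JAVA_LOGON}?redirect={quote(BSP_URL, safe='')}"}, ""

def java_logon(location, username, password, now):
    """Java stack: check the AD password, set the ticket cookie, redirect back."""
    target = parse_qs(urlparse(location).query)["redirect"][0]
    stored = AD_USERS.get(username)
    if stored is None or not hmac.compare_digest(stored.encode(), password.encode()):
        return 401, {}, "logon failed"
    return 302, {"Location": target, "Set-Cookie": issue_ticket(username, now)}, ""

def browser_flow(username, password, now):
    """Walk the whole exchange as the browser would; return (status, body)."""
    status, headers, body = bsp_request({}, now)  # no ticket yet -> 302
    status, headers, body = java_logon(headers["Location"], username, password, now)
    if status != 302:
        return status, body
    status, _, body = bsp_request({"MYSAPSSO2": headers["Set-Cookie"]}, now)
    return status, body
```

The BSP side never sees the AD password; it only checks the ticket, which is why the ABAP system has to be set up to trust tickets issued by the Java stack.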
06-28-2010 9:36 PM
Hi,
I totally agree with you regarding SNC; it will work only with ABAP stacks via single sign-on.
Since you need the BSP to work through the portal, SPNEGO and SAML (latest NetWeaver version) could be an option. Work with your Basis team on this; also, please see if the link below can provide you with more information:
http://help.sap.com/saphelp_nw70ehp2/helpdata/en/ca/f8b53a364e0e5fe10000000a11405a/content.htm
06-29-2010 9:47 AM
Hi Tim,
Thanks for your answers. I have understood your strategy, but I don't know clearly how to do it. Could you tell me something step by step?
When I created a customer message, they told me I should change the UME datasource:
To do so, you need to adjust your datasource of the UME to use AD+database mode. But some of the changes of the datasource are not supported by SAP (e.g. if you were using the ABAP database as your datasource, no change is possible), so please first check this by referring to Note 718383.
06-29-2010 10:37 AM
I believe that the SAP SPNEGO login module requires that, on a dual-stack system, the UME points to AD, not ABAP. The only solution I am aware of is to use a third-party SAP-certified application, such as http://ecohub.sdn.sap.com/irj/ecohub/solutions/trustbrokeradapter
Thanks,
Tim