How to login CRM 2007 BSP page use account domain of Microsoft AD

Former Member
0 Kudos

Dear friends,

I am looking for a solution to set up a system with these requirements:

- Log in to a CRM 2007 Business Server Page using a domain account that is managed by Microsoft Active Directory.

- Users use only a web browser; they don't use SAPGUI, and they must type their username and password (their username and password are managed in Microsoft AD, not in the SAP system) at every login to the BSP page. Solutions like X.509 client certificates are not to be used.

I previously configured SNC, and I could log in to the SAP system using SAPGUI without typing an SAP username and password when I logged in to my computer with a domain account (my computer is joined to the domain).

But my requirement is to use a domain account (username and password) and type them in the web browser when I want to log in to the SAP system; it cannot be configured to go directly to the SAP application (BSP page) without typing the username/password of the domain account.

After some time looking for a solution about authentication:

http://www.sdn.sap.com/irj/sdn/index?rid=/webcontent/uuid/8039306e-cea4-2a10-15b9-8e96d40c51ef [original link is broken]

I think maybe I could log in to the Java portal using the username/password of the domain account to authenticate, and after logging in to the portal use SSO to switch to the BSP page without typing the username and password again. This solution may be acceptable because I would log in to the SAP application from a web browser and use a domain account.

Could you show me whether there are any other solutions, or how I could set up my solution above?

Thanks and Best Regards.

1 ACCEPTED SOLUTION

tim_alsop
Active Contributor
0 Kudos

The normal way to do this is to configure the authentication stack required on a Java stack (e.g. portal or standalone Java instance of NetWeaver or dual stack) and then configure the BSP app in the SICF transaction to redirect to the Java stack when no SSO2 ticket is sent by the browser (e.g. user has already authenticated). The redirect to the Java stack will be done such that after the user has authenticated to the Java stack they will be issued with an SSO2 ticket and redirected back to the BSP app URL. From the end user's perspective, they will access the BSP app URL and get authenticated using Active Directory, and they won't know about the redirection since they will be logged into the BSP app once they have authenticated.

The authentication using Active Directory can be done using two methods:

- Using credentials already on workstation from workstation logon, e.g. using Integrated Windows Authentication

- Showing user a form where they enter AD account and password.

Thanks,

Tim
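
The redirect flow described in the accepted solution, modelled as an added Python example (not code from this thread and not SAP code). The host names, the `redirect` parameter, the AD account and the HMAC signature are assumptions made for the sketch; `MYSAPSSO2` is the cookie that carries the SSO2 logon ticket.

```python
import base64, hashlib, hmac, time
from urllib.parse import quote, urlparse, parse_qs

# Constructed for illustration: host names, the "redirect" parameter, the AD
# account and the HMAC key. Real SAP logon tickets are signed with the issuing
# system's private key; HMAC stands in so this runs on the standard library.
KEY = b"constructed-demo-key"
JAVA_LOGON = "https://java.example.test/logon"
BSP_HOST = "crm.example.test"
AD_USERS = {"EXAMPLE\\jdoe": "constructed-password"}
COOKIE = "MYSAPSSO2"  # cookie name that carries the SSO2 logon ticket

def _sign(payload):
    return hmac.new(KEY, payload, hashlib.sha256).hexdigest().encode()

def issue_ticket(user, ttl=8 * 3600, now=None):
    """Java stack: ticket = base64('user|expiry') + '.' + signature."""
    exp = int((time.time() if now is None else now) + ttl)
    payload = f"{user}|{exp}".encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload).decode()

def verify_ticket(ticket, now=None):
    """ABAP/BSP side: return the user, or None if malformed, forged or expired."""
    try:
        body, sig = ticket.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(body.encode())
        user, exp = payload.decode().rsplit("|", 1)
        expired = int(exp) <= (time.time() if now is None else now)
    except ValueError:
        return None
    if expired or not hmac.compare_digest(sig.encode(), _sign(payload)):
        return None
    return user

def bsp_request(url, cookies):
    """BSP app: serve the page if a valid ticket came in, else redirect to Java."""
    user = verify_ticket(cookies.get(COOKIE, ""))
    if user:
        return 200, {}, user
    return 302, {"Location": f"{JAVA_LOGON}?redirect={quote(url, safe='')}"}, None

def java_logon(location, account, password):
    """Java stack: check the AD password, issue the ticket, send the user back."""
    target = parse_qs(urlparse(location).query)["redirect"][0]
    if urlparse(target).hostname != BSP_HOST:  # only return to the known BSP host
        return 400, {}, {}
    expected = AD_USERS.get(account)
    if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
        return 401, {}, {}
    return 302, {"Location": target}, {COOKIE: issue_ticket(account)}
```

The BSP side only ever sees the ticket, never the AD password, which is why the accepting system has to trust the issuing Java stack's signature.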

4 REPLIES 4

Former Member
0 Kudos

Hi,

I totally agree with you regarding SNC: it will work only with ABAP stacks via single sign-on.

Since you need the BSP to work through the portal, SPNEGO and SAML (Netweaver latest version) could be an option. Work with your Basis team on this. Also, please see if the link below can provide you more information:

http://help.sap.com/saphelp_nw70ehp2/helpdata/en/ca/f8b53a364e0e5fe10000000a11405a/content.htm

Former Member
0 Kudos

Hi Tim,

Thanks for your answers. I have understood your strategy, but I don't know clearly how to do it. Could you tell me something step by step?

When I create a customer message, they tell me I should change the UME datasource:

To do so, you need to adjust your datasource of the UME to use AD+database mode. But some of the changes of the datasource are not supported by SAP (e.g. if you were using ABAP database as your datasource, no change is possible), so please firstly check this, refer to the NOTE 718383.

tim_alsop
Active Contributor
0 Kudos

I believe that the SAP SPNEGO login module requires that on a dual stack system the UME points to AD, not ABAP. The only solution I am aware of is to use a third party SAP certified application, such as http://ecohub.sdn.sap.com/irj/ecohub/solutions/trustbrokeradapter

Thanks,

Tim