Julius Bussche wrote:

I think he wants to enter the AD password into the SAPGui logon screen and it should actually call the AD to verify the password entered.

Yes, that is my understanding as well. This is why I explained that our product can do this. When SAP GUi for Windows or SAP GUI for Java is used, the SNC library is used for authenticaiton. When SNC is used, the traditional SignOn screen is not used, but the SNC library on the workstation can ask user for details (userid+password) and use this to get a Kerberos ticket from AD which will then be used to establish a security context with SAP server via GSS-API and using the SNC interface.

For Web based access to SAP, when SAP GUI for Windows/Java is not used, the use of custom login modules (as my last post explained) can provide what is needed.

This is not possible without a very unreliable "hack" as the login modules are "hardcoded" and not accessible.

As explained above, this is not a hack. The SNC library on client can authenticate the user before passing the GSS token back to SAP GUI. Also, a custom login module can be used to authenticate the user using AD account and password.

So the answer is no.

Sorry, but the answer is a very big YES.

Conclusion: Look for an "as close as possible" alternative which can mimic the AD authentication beforehand and then pass the SAPGui logon in a secure manner, which is what some 3rd party products and portals with "launchpads"  do.

There is no need to mimic AD authentication. It is possible to use REAL AD authentication (naming Kerberos) to provide a very useful solution to this exact problem that is being described.

But the answer is still "no" --> not possible.

The answer is in fact "yes" --> it is possible

Edited by: Julius Bussche on Nov 11, 2010 10:33 PM

Formatting fixed

Julius Bussche wrote:

You cannot enter the AD password into the SAPGui logon screen, unless you "hook" it to synchronize them or you prior authenticate the user.

I didn't say you should/need to enter AD password into the normal SAP supplied login screen. Instead, you use SNC and when SNC is used, the user needs to authenticate before logging onto SAP. This can be used to ask user for their AD account and password when the logon to a SAP system (e.g. press Logon button in SAP Logon) and use the AD account and password entered to get a Kerberos ticket, which will then be used by SNC to authenticate them to SAP. When SNC is used by SAP for user logon, the normal SAP supplied SignOn screen is not used/shown. I don't consider this to be a hack or involving any synchronisation of users/password - it is a very secure and clean way to solve the problem being discussed. I can demonstrate it being used if you like ?

The answer is in fact "yes" --> it is possible

 No it's not.

Yes, it is. I think the reason for the disagreement is that you are thinking "it" is something different to what I consider "it" to be in the context of this thread.

You can mimic it (probably in a much more secure way, like yours) but you cannot enter the AD password in the SAPGui logon screen and expect it to work (without co-incidence...).

Please show me where I (or anybody else) said it was necessary to enter AD password into SAP GUI logon screen ? I think you are saying something is not possible, but nobody said it was possible.

Edited by: Julius Bussche on Nov 11, 2010 10:35 PM

Formatting fixed

Julius,

Looking at the previous posts again, what happened is.

1. I explained the only way the requirement stated can be solved.

2. You made an assumption that the thread owner wanted to enter the AD password into SAP GUI logon screen. He didn't say he needed this - he said that he wanted the user to be logged in without being logged in automatically (which would normally be the case with SSO / SNC logon to SAP).

3. Because you made an assumption about the way this should be solved, your thread was read by myself and possibly other people and it gives the impression that the thread owners requirements are not possible to be met, which we both know is clearly not the case.

I hope this straightens up the dissagreement/missunderstanding ?

Thanks,

Tim

Julius Bussche wrote:

> Original question: When a user gets a logon screen to any SAP system, the SAP system must then forward the user ID and password combination to the AD for authentication. If AD approves, the user is then allowed to login.
The guru wants the same for SAPGui logon screen --> not possible.

No, he actually says "a logon screen". He does not mention "the SAP logon screen". This is where you have made a big assumption and caused a missunderstnading.

However, the subject title is:
Using AD as the UME ( but not exact SSO configuration )

Hmmm.. so what is "UME"? 

The UME (User Management Engine) is an interface provided on SAP JAVA AS for user authentication. It is used by custom logon modules to authenticate users. This is why I gave my answer explaining how a product which includes such a login module can handle the requirement for Web browser logon to SAP. He then mentions SAP GUI (not in thread subject) so I assumed he wanted to implement this requirement for both Web logon and SAP GUI logon.

Lets wait for clarification (in the meanwhile I will fix the formating to use the "quote" tags... chevrons don't work at the moment since a patch was applied).

Oops. I thought it looked funny

Edited by: Julius Bussche on Nov 11, 2010 10:43 PM

Now it looks better. Please use quote tags only (at the moment) or preferable do not quote at all because the chevrons don't work.