ERP in Linux Base integrate with Windows Active Directory Authentication

thomas_tancheephong
Participant
0 Kudos

Dear all,

I would like to implement user management through Active Directory, instead of local user management (through T-Code su01).

I would like to know whether anyone has implemented this landscape or not.

If yes, kindly provide some guidelines.

Thanks,

I have provided my current system details below:

OS: Linux SUSE 10

SAP version: ERP 6.0 (unicode)

DB: DB2

DC: Windows 2008 (Active Directory)

Best Regards,

Thomas

16 Replies

tim_alsop
Active Contributor
0 Kudos

Thomas,

There are two things you can do:

1. Change SAP so that user authentication is performed using Active Directory credentials, i.e. there is no need to maintain passwords for users in su01 anymore. The passwords maintained in su01 can be deactivated when you do this, as they are not needed.

2. You can use LDAP to sync with AD, and then fields in su01 like user name, address, job title etc. can be maintained in the user account in AD and not in su01.

Thanks,

Tim

0 Kudos

Hi Tim,

Thanks for your reply. I am wondering how to perform item No. 1 which you mentioned: "Change SAP so that user authentication is performed using Active Directory credentials"?

For my case,

I have done some steps in my current system:

1) Generated a keytab file (token/ticket) from Windows 2008 (KDC)

2) Merged and applied the keytab into the ERP server (Linux SUSE 10) through the kinit command.

And is LDAP sync with AD a must in order to perform user management in Active Directory?

Thanks,

Thomas

tim_alsop
Active Contributor
0 Kudos

Thomas,

Item 1 is implemented using SNC so an SAP certified SNC library that supports Kerberos is best. I strongly suggest you look at http://ecohub.sap.com/catalog/#!solution:trustbrokersecureclient to do what you want.

No, ldap sync is not required. It is optional.

If you just want to use Active Directory for user authentication and then maintain all other user params in su01, then you don't need to use ldap sync. With ldap sync the password cannot be synced, so using SNC together with ldap sync is complementary.

Tim

0 Kudos

Hi Tim,

Is it possible to implement the AD authentication without purchasing any third-party software?

Such as TrustBroker (Secure Client)?

I have generated a keytab file from the KDC with a Kerberos token, and I have successfully installed the keytab file into Linux (SAP Application Server).

If I now just go for LDAP sync with AD, will it work or not?

Thanks,

Thomas

tim_alsop
Active Contributor
0 Kudos

Thomas,

You can try to make the Kerberos libraries in Linux work with SAP, but you might take a long time with this and not get any help since this method is not supported by SAP. If you use this method and get issues, SAP will not help you. If you use a SAP certified product instead you will be fully supported.

To make Kerberos libraries on Linux work with SAP via SNC, there is a lot more required than just creating a keytab.

As I mentioned earlier, the ldap sync is not required and is not necessary if you just want to use AD authentication. This is required only if you want to maintain the info like user first and last name, address, department etc. in AD instead of in su01. The LDAP sync has nothing to do with authentication.

Thanks,

Tim

0 Kudos

Hi Tim,

Thanks for your explanation. Do you have any experience with generating a Kerberos library in Linux and working with Active Directory?

Do you know the detailed steps? I would like to try this out; if anyone has experience with this, kindly share your experience.

Thanks,

Regards,

Thomas

tim_alsop
Active Contributor
0 Kudos

Thomas,

I only know how to set up the product documented on SAP EcoHub that I mentioned earlier. You can see it being installed on a Linux system if you check the Demo link on the EcoHub page.

If you don't use a supported product, you are going to be on your own with this - I doubt you will get anybody to help you.

Thanks,

Tim

0 Kudos

Hi Tim,

Can I explain to you my current idea for SAP integration with Windows AD? See what you think of this, and maybe you can give some ideas too.

Let's assume that we have a test server with AD and with ABC.DOMAIN.

A test PC which has SAP GUI installed has to be joined to ABC.DOMAIN, and the PC is required to log in with Windows AD authentication when the PC starts up.

I am thinking of whether the AD server can generate a Kerberos cookie as a physical file and store it on the test PC without an expiry date or not.

Let's say it can be done, and then we do some settings in SAP GUI to point to the Kerberos cookie file. Whenever the user double-clicks on the SAP connection, SAP will automatically authenticate using the cookie and go directly to the main page of SAP without going through the login page.

What do you think of this? Is it possible to make it?

Thanks,

Regards,

Thomas

tim_alsop
Active Contributor
0 Kudos

Thomas,

The Kerberos protocol is a standard and it doesn't work the way you have described. What happens on Windows is that when a user logs onto an AD domain account, a Kerberos ticket is issued by AD and cached on the workstation. This ticket cache is secured in memory and destroyed when the user logs off. This ticket is used by a SAP GUI SNC library to request a service ticket from AD which is specific to the SAP system the user is logging onto. The service ticket contains an encrypted principal name, which is the domain account and domain name of the user logged on to the workstation. The SAP server is then able to decrypt this service ticket to know who the user is, and map it onto a SAP user and client. So, you can see that both the workstation and the SAP server need to have Kerberos libraries, and this is where SNC is used for logon using SAP GUI.

Thanks

Tim
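The logon flow described in the reply above, as an added illustration that is not from this thread or from any SAP or SNC product: a constructed Python model in which the KDC seals a service ticket under the SAP service's long-term key (the key a keytab would hold), and the SAP side unseals it, checks the service name and validity window, and maps the Kerberos principal onto a SAP user and client through an SNC-name mapping. The toy HMAC-based sealing stands in for real Kerberos encryption types, and the SPN, principal names and mapping table are assumptions.

```python
import hashlib, hmac, json, os, time

REALM = "ABC.DOMAIN"                               # realm named in the thread
SAP_SPN = "SAP/sapapp.abc.domain@" + REALM         # assumed SAP service principal (SPN)

def _keystream(key, nonce, length):                # toy stream cipher; NOT a Kerberos enctype
    blocks = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                      for i in range(length // 32 + 1))
    return blocks[:length]

def seal(key, obj):                                # encrypt-then-MAC under the given key
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, mac = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), mac):
        raise ValueError("ticket integrity check failed: wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def issue_service_ticket(service_key, cname, spn, now, lifetime=8 * 3600):
    # KDC side: the service ticket is sealed with the *target service's* long-term key,
    # so the workstation that carries it cannot read or alter the principal inside
    return seal(service_key, {"cname": cname, "sname": spn, "start": now, "end": now + lifetime})

def sap_logon(keytab_key, snc_map, ticket, now):
    # SAP side: the keytab key plus the SNC-name-to-user mapping maintained in SU01
    t = unseal(keytab_key, ticket)                     # only the keytab holder can open it
    if t["sname"] != SAP_SPN or not t["start"] <= now <= t["end"]:
        raise PermissionError("ticket is for another service or outside its validity window")
    snc_name = "p:" + t["cname"]                       # SNC name form for a Kerberos principal
    if snc_name not in snc_map:
        raise PermissionError("no SAP user is mapped to " + snc_name)
    return snc_map[snc_name]                           # (SAP user, client)

def demo():
    # constructed run: mapped user logs on; expired, foreign-key and unmapped tickets fail
    service_key, now = os.urandom(32), time.time()    # service_key is what the keytab holds
    snc_map = {"p:thomas@" + REALM: ("THOMAS", "100")}  # assumed SU01 SNC-name mapping
    good = issue_service_ticket(service_key, "thomas@" + REALM, SAP_SPN, now)
    attempts = {"expired": (good, now + 9 * 3600),
                "other_key": (issue_service_ticket(os.urandom(32), "thomas@" + REALM, SAP_SPN, now), now),
                "unmapped": (issue_service_ticket(service_key, "guest@" + REALM, SAP_SPN, now), now)}
    results = {"logon": sap_logon(service_key, snc_map, good, now)}
    for label, (ticket, at) in attempts.items():
        try:
            results[label] = "accepted:" + sap_logon(service_key, snc_map, ticket, at)[0]
        except (PermissionError, ValueError):
            results[label] = "rejected"
    return results
```

The model makes the point of the reply concrete: a ticket has a validity window, is bound to one service, and is only readable by the holder of that service's key, which is why a long-lived ticket file on the PC does not fit the protocol.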

0 Kudos

Hi Tim,

So I would like to know, as a conclusion, whether this is technically feasible. I mean a non-Portal environment, only ECC 6.0 on Linux, integrated with Windows Active Directory authentication without 3rd-party SNC tools?

Now I am very confused about how I can proceed with this.

Regards,

Thomas

tim_alsop
Active Contributor
0 Kudos

Thomas,

I am sorry you are confused. I will try and summarise the options.

1. You can use the Kerberos included with Linux or install open source Kerberos, compile, modify, test etc. This is not supported and I doubt anybody on the SDN community will be able to help you with this.

2. You can use a SAP certified commercially available solution which can be implemented quickly and is backed by quality support services, which are important if anything should go wrong when you use it in production.

Thanks,

Tim

0 Kudos

Hi Tim,

Do you have any ideas of the price of SAP certified 3rd party tools?

Regards,

Thomas

tim_alsop
Active Contributor
0 Kudos

Hi Tim,

> Do you have any ideas of the price of SAP certified 3rd party tools?
>
> Regards,
>
> Thomas

Yes, I do. However, I cannot share it with you on this forum. Please feel free to contact me.

0 Kudos

Hi Tim,

Thanks for your help previously; finally I got it working with Windows Active Directory authentication.

Thanks,

Best Regards,

Thomas

thomas_tancheephong
Participant
0 Kudos

Hi All,

Does anyone know where I can get SECURELOGINLIB.SAR?

This SECURELOGINLIB.SAR is mentioned in this document:

http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/10371701-4073-2e10-1dbc-f2816ceac...

Kindly share with me if you know where to download it.

Thanks,

Regards,

Thomas

0 Kudos

Thomas,

I hope you are aware that Secure Login is a licensed product, so you would have to pay for it, just like you would if you purchased a product from an SAP partner? I would like to suggest that you compare multiple products and choose the one which fits your needs best, comparing features and prices etc.

Thanks,

Tim