11-02-2012 12:43 AM
Hi,
We are about to roll out SSO using Windows Kerberos/AD and SAP SNC functionality for our ABAP system users.
The intention is to allow users to use both logon methods i.e. SSO or password/username.
In the event that SSO fails at some point in the future, we need an approach to deal with the problems associated with users having forgotten their SAP passwords, or requiring a new password due to deactivation of the passwords.
For security reasons, we do not favor a 'standard' initial password value for all users; rather we would be happier with a unique password for each user, with a method of securely making this known to them.
Has anyone else overcome this problem in a purely ABAP stack landscape?
Thanks,
Pete Derry.
11-02-2012 8:45 AM
Hi,
There are various techniques and tooling that could achieve this.
One method would be to write a program that uses an FM like BAPI_USER_CHANGE to change a password for a user and then use another FM to trigger an email to the account associated with that userID. This approach isn't without its drawbacks as the distributed passwords will be stored somewhere.
You also need to make sure that you carefully validate the accounts (e.g. exclude non-Dialog) which are passed into the modification request.
I'm sure there will be plenty of other options offered around this.
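The reset flow described in the reply above, as an added example that is not part of the original thread: it checks each account before touching it, sets a unique random password through BAPI_USER_CHANGE, and passes it straight to a delivery callback without keeping a copy. Assumptions: `call` is any RFC caller shaped like PyRFC's `Connection.call(name, **params)`; `SAMPLE`, `fake_call` and `deliver` are hypothetical stand-ins; the password length and alphabet are placeholders to align with the system's password policy.

```python
import secrets
import string

ALPHABET = string.ascii_letters + string.digits  # assumed policy, adjust to yours
DIALOG = "A"  # LOGONDATA-USTYP value for dialog users

# Constructed sample user master: name -> (user type, e-mail address)
SAMPLE = {"JSMITH": ("A", "jsmith@example.com"), "ADOE": ("A", "adoe@example.com"),
          "BATCH01": ("B", "ops@example.com"), "NOMAIL": ("A", "")}

def fake_call(fm, **params):
    """Constructed stand-in for an RFC connection, so the example runs offline."""
    user = params["USERNAME"]
    if user not in SAMPLE:
        return {"RETURN": [{"TYPE": "E", "MESSAGE": "user does not exist"}]}
    ustyp, mail = SAMPLE[user]
    return {"LOGONDATA": {"USTYP": ustyp}, "ADDRESS": {"E_MAIL": mail}, "RETURN": []}

def new_password(length=14):
    """Random per-user password containing upper case, lower case and a digit."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if any(c.islower() for c in pw) and any(c.isupper() for c in pw) \
                and any(c.isdigit() for c in pw):
            return pw

def failed(result):
    """True if the BAPI RETURN table carries an error or abort message."""
    return any(m.get("TYPE") in ("E", "A") for m in result.get("RETURN", []))

def reset_passwords(call, deliver, usernames):
    """Returns {username: status}. Passwords are never logged, stored or returned."""
    status = {}
    for user in usernames:
        detail = call("BAPI_USER_GET_DETAIL", USERNAME=user)
        if failed(detail):
            status[user] = "skipped: lookup failed"
        elif detail["LOGONDATA"]["USTYP"] != DIALOG:
            status[user] = "skipped: not a dialog user"
        elif not detail["ADDRESS"].get("E_MAIL"):
            status[user] = "skipped: no e-mail address"
        else:
            pw = new_password()
            changed = call("BAPI_USER_CHANGE", USERNAME=user,
                           PASSWORD={"BAPIPWD": pw}, PASSWORDX={"BAPIPWD": "X"})
            if failed(changed):
                status[user] = "failed: change rejected"
            else:
                deliver(user, detail["ADDRESS"]["E_MAIL"], pw)
                status[user] = "reset"
    return status
```

The status map is safe to write to an audit log because it never contains the password; the delivery channel remains the one place where the secret exists outside the user master.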