
Integrate Password CUA and Active Directory (AD)

Former Member
0 Kudos

Hello Everybody,

We have integrated AD with our CUA system.

Is it possible to integrate the same password for CUA and AD?

How can I configure this?

Thank you,

Luciana

12 REPLIES 12

tim_alsop
Active Contributor
0 Kudos

Luciana,

If I understand your question correctly, you are asking if you can logon to your CUA ABAP system using AD userid/password instead of a SAP userid/password. Is this a correct understanding?

The answer to your question depends on a few things, e.g. what operating system your CUA system is running on, and whether you are looking for same solution on all systems which CUA is connected to, or just for your CUA system.

Please provide me with more information and I will explain the options available.

Thanks,

Tim

Former Member
0 Kudos

Hi Tim,

This is the correct understanding. Can I logon to your CUA ABAP system using AD userid/password instead of a SAP userid/password?

My CUA operating system is HP-UX 11.23 and the Windows Active Directory version is 2003.

In my landscape, my SAP environment is HP-UX 11.23 and the SAP kernel is 700.

Thanks

Luciana

0 Kudos

Luciana,

I am not sure if you are aware, but the Active Directory domain controller uses a protocol called Kerberos to authenticate a user when they logon to the domain. Therefore, to logon to SAP in the way you require it is best to use Kerberos, so that the credentials for the user already available on the workstation in the credentials cache can be used to securely authenticate the same user to the SAP system, e.g. CUA ABAP via SAP GUI. This means that no passwords need to be transmitted or stored anywhere, and the only authentication needed is that already done using Active Directory when the user logs onto their workstation. Also, you can use this method to encrypt the communications, giving you added benefit, rather than just using the authentication provided.

This is achieved using an interface which SAP provided in SAP GUI and in SAP application servers called SNC (Secure Network Communications). For SNC to work, you need a GSS-API library installed on each workstation where SAP GUI is installed, and on the app servers you want to logon to using this secure authentication method. SAP provide SNC libraries, but they are only available if your SAP app server is on Windows. In your case, where SAP is on HP-UX, you need to use an SNC library available from a SAP partner. This partner will provide you with all the software and support you need to make the solution work, and meet your needs.

I would like to recommend one such partner, but I am biased because I work for the vendor providing this product :-). The partner is called CyberSafe. You can make contact with me offline and I can arrange a free evaluation of the products, or you can visit the CyberSafe website at http://www.cybersafe.com/links/snc.htm to find out more. Or, you may decide to look for other partners who have solutions to help you, in which case you need to look on the SAP website for SAP SNC partners.

I hope this is useful?

Thanks,

Tim

Former Member
0 Kudos

Hello - we are looking at a similar thing... however we have Portal users rather than SAP GUI users (actually we will have both - but majority Portal).

What we want to be able to do is have the username and password created in AD and passed across to CUA (ABAP). From the CUA - we will create the usernames and passwords in the child systems.

We don't want single sign on - so we want users to enter a username and password (same as AD) and be authenticated when they try to connect to the Portal.

Is this possible? What is involved?

Is the solution you mention above just to cater for integrated password? Could we simplify our solution if we only had AD passing the username to CUA?

Thanks

0 Kudos

Michael,

Firstly, let's discuss the SAP GUI SNC solution, and how SSO can/cannot be turned off:

The Windows SNC library provided by SAP (only used when SAP server is on Windows) uses SSPI interface to Windows, so it will always use the credentials obtained when user logs onto a domain. It is therefore not possible to turn off SSO when using this library. However, the CyberSafe product that I discussed earlier, and from the company that I represent, has functionality whereby a SignOn screen appears each time the user signs onto a SAP instance from SAP Logon. In this SignOn screen the user needs to enter a valid Active Directory domain user account and password so that Kerberos tickets can be obtained to authenticate the user to the SAP instance via SNC.

- I am not aware of any other product, from SAP or any other vendor, that provides this same functionality when using Active Directory authentication protocols.

For HTTP access to SAP apps, either on ABAP or J2EE stack, the normal way to support Active Directory authentication is to use "Integrated Windows Authentication" (aka SPNEGO). This works well if you want SSO, but if you just want "common authentication" such that the user only has to know their AD userid/password, and not remember any other userid/password during logon to workstation or SAP, then you need a different technology. Again, (what a surprise!) the CyberSafe product has functionality to display a login screen in browser, and the userid and password entered into this screen is checked with Active Directory using Kerberos protocol. I believe that SAP only provide the SPNEGOLoginModule which will give SSO, and is not what you are looking for.

Hopefully the above helps?

Regards,

Tim

Andre_Fischer
Product and Topic Expert
0 Kudos

Hi Luciana,

Using the SAP standard it is not possible to integrate SAP CUA and AD so that the same password is used in CUA and AD. The reason is that the LDAP connector does not support the synchronization of passwords.

However, there is an option using the SAP standard that might be of interest for you:

Instead of synchronizing passwords you could use the SAP NetWeaver Portal. The portal can use AD as its user store. Users can thus log on to the portal using their Windows logon name and password.

In a second step the users can then access the SAP ABAP systems using SSO with SAP Logon Tickets.

Since the users would be required to log on to the portal using their Windows username and password you would achieve a second authentication as you wished.

You could also achieve a complete SSO if you implement the SPNego Login Module in the Portal. This logon module allows SSO to the portal using Windows Integrated Authentication.

Best regards,

André

ceterum censeo RAP esse utendam

0 Kudos

> In a second step the users can then access the SAP
> ABAP systems using SSO with SAP Logon Tickets.
> Since the users would be required to log on to the
> portal using their windows username and password you
> would achieve a second authentication as you wished.

The above is only true if you want to use a Web browser to logon to CUA ABAP system. If you want to use SAP GUI then you cannot use logon tickets in the way described, and must use SNC to authenticate using an SNC library that is capable of working with MS AD authentication technology.

Andre_Fischer
Product and Topic Expert
0 Kudos

Sorry, but I have to correct you.

It is in fact one of the special features of the SAP NetWeaver Portal that allows you to use SAP Logon Tickets for SSO with SAPGUI as described in the SAP Online Help (http://help.sap.com/saphelp_nw2004s/helpdata/en/fe/13c43bb7137503e10000000a11402f/frameset.htm).

This way the user can use the same credentials to log on to Active Directory and to the Enterprise Portal, thus the user only needs to remember one password or is even logged on to the portal without having to enter any password if Windows integrated authentication using the SPNego Login Module is used.

After being authenticated to the portal a SAP Logon Ticket is issued that can then be used to start any transaction using SSO with the SAPGUI for Windows.

ceterum censeo RAP esse utendam

0 Kudos

Andre,

Thank you for your correction. I was aware that SAP GUI can be launched from the browser, but in practice I have found (in my experience) that SAP customers rarely use this capability. Maybe this is not widely understood, or has technical issues which prevent companies from using it. I am not sure which, but it is good to know the option is there if it is helpful to meet customers' needs.

Regards,

Tim

0 Kudos

Hi Tim,

Sorry to correct you again. There are quite some customers using this service. Some customers even have replaced the SAP Logon Pad completely by a web logon pad (as they call it) because of the ability to create the menus/entries in this page based on portal roles, permitting the user to exactly see all the systems he needs/has access to and the ability of central management of this menu.

Regards,

Patrick

0 Kudos

Patrick,

Thank you. Yes, I can see some advantages of this method to launch SAP GUI. However, some customers are not using the portal in the way you describe so a different architecture suits these customers better. It depends on the customer's needs.

Take care,

Tim

0 Kudos

Tim,

yes, couldn't agree more

regards,

Patrick