on 12-30-2014 10:08 AM
Hi Experts,
Today we have done a few configurations related to AD and UME integration, which didn't go well. Please provide your valuable suggestions to overcome the issues. The steps we followed are:
1. We have created a service user in AD
2. Configured the service user with an SPN (service principal name)
3. Logged into NWA: http://hostname:port/nwa
4. Done the UME configuration; please check the attached doc for screenshots
5. Restarted AS Java
We are looking to load the AD users into UME; could you please suggest what needs to be done after these steps?
Thanks,
Lokesh
But can those users log in to the portal?
Okay, okay, okay... now I get it. You're not talking about the IDM product, but the portal user administration, where you try to add the AD as a data source for the users, right?
If you click on the "Validate configuration" button (from your first screenshot) on the UME configuration page for the LDAP server, is it coming back as successful?
Are the users in the portal group "Authenticated Users"?
Judging by your screenshot, you haven't provided a user path. Pick one of your AD users that can't log in and find their location in Active Directory. Provide this location in your LDAP UME config and restart the system... then try to log in again with that user.
<KC>
Hmmm. Well, based on all that, there are really only two reasons I can think of to explain why those users aren't able to log on...
1. The samaccountname property of those users isn't populated with the logon ID. Note that samaccountname is your unique identifier based on your LDAP UME config (this is customizable, if you want).
2. Identical user IDs exist in the local database as well (on the SAP system). If there is ever ambiguity, then the app can't determine which occurrence of the ID is authoritative, so it excludes the ID. I'd check the local user store in SAP to see if you have the same IDs defined there (matching the IDs in Active Directory). If so, you need to delete them from one or the other... an ID can only exist once.
If those don't fix this, I recommend finding the closest window and throwing this system out because it's obviously cursed. ;o)
<KC>
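The three things KC points at in the replies above (a user path in the LDAP UME config, a populated samaccountname, and no logon ID defined in both the local database and AD) can be checked mechanically against an export of the user entries. The script below is an added example written for this thread; it is not code from the thread, from SAP, or from any UME tool. The LDAP entries and the local IDs are constructed sample data, and the attribute name sAMAccountName is assumed to be the one mapped to the logon ID in the UME configuration.

```python
# Added example for this thread (not SAP code): scripted versions of the
# three checks discussed in the replies above.  All data below is constructed.
LDAP_USERS = [
    {"dn": "CN=Alice Adams,OU=Staff,DC=corp,DC=example",
     "sAMAccountName": "aadams", "displayName": "Alice Adams"},
    {"dn": "CN=Bob Brown,OU=Staff,DC=corp,DC=example",
     "sAMAccountName": "", "displayName": "Bob Brown"},          # attribute present but empty
    {"dn": "CN=Carol Chen,OU=Contractors,DC=corp,DC=example",
     "sAMAccountName": "cchen", "displayName": "Carol Chen"},
    {"dn": "CN=Dan Diaz,OU=Staff,DC=corp,DC=example",
     "displayName": "Dan Diaz"},                                   # attribute missing entirely
]
# IDs already defined in the local UME database (constructed sample).
LOCAL_DB_IDS = {"Administrator", "cchen", "j2ee_admin"}
# Attribute the UME LDAP configuration maps to the logon ID (assumed here).
LOGON_ATTR = "sAMAccountName"


def missing_logon_attribute(entries, attr=LOGON_ATTR):
    """DNs of entries whose logon-ID attribute is absent or empty (reason 1 above)."""
    return [e["dn"] for e in entries if not e.get(attr)]


def ambiguous_ids(entries, local_ids, attr=LOGON_ATTR):
    """Logon IDs present both in AD and in the local database (reason 2 above).

    AD treats sAMAccountName case-insensitively, so the comparison ignores case;
    an ID that matches only by case is still a collision worth resolving.
    """
    ldap_ids = {e[attr].lower() for e in entries if e.get(attr)}
    return sorted(ldap_ids & {i.lower() for i in local_ids})


def common_user_path(dns):
    """Lowest container shared by all DNs: a candidate value for the UME user path.

    The leaf RDN (CN=...) of each DN is dropped, then components are compared
    from the root inward until they diverge.
    """
    parents = [[c.strip() for c in dn.split(",")][1:][::-1] for dn in dns]
    common = []
    for components in zip(*parents):
        if len(set(components)) != 1:
            break
        common.append(components[0])
    return ",".join(reversed(common))


def report(entries=LDAP_USERS, local_ids=LOCAL_DB_IDS):
    """Summarise all three checks for the exported entries."""
    return {
        "suggested_user_path": common_user_path([e["dn"] for e in entries]),
        "missing_logon_id": missing_logon_attribute(entries),
        "ambiguous_ids": ambiguous_ids(entries, local_ids),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

With real data you would feed `LDAP_USERS` from a directory export of the users who cannot log in and `LOCAL_DB_IDS` from the local user store; an entry listed under `missing_logon_id` needs the attribute populated (or the UME mapping pointed at another attribute), and an ID under `ambiguous_ids` has to be removed from one of the two stores before that user can authenticate.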
That's really a question for whomever maintains your AD because it can vary from one installation to the next. In general, there are default properties for all user IDs in your AD domain that each/every user will have populated. What you need to know from your AD folks is whether the samaccountname property is populated with the logon ID for these users.
If it's not, you have two options... ask those same AD folks to populate that property with the users' logon IDs and make that a requirement for all new users moving forward. -OR- find another property that DOES contain the logon ID and modify your LDAP UME config to reference that property instead of samaccountname.
<KC>
Hello Lokesh,
We're not so great at mind reading here, so you need to share what exactly "doesn't go well". If you just need more steps to do, you should consult the documentation. Searching here on SCN also helps a lot, but we're not going to do that for you.
So please share some more information about where you are stuck and need help.
Regards,
Steffi.
Hi Steffi,
Thanks for the response. We have tried to do AD and UME integration in our environment, but AD users were still unable to log in to the IDM UI with their AD credentials. Here, I am able to fetch users from AD into UME, and I am able to see the users in UME as well. But those users were still unable to log in to the IDM UI.
Could you please provide any documents that would help us with AD and UME integration, and provide your valuable suggestions on this?
Thanks
Lokesh
You need to assign the IDM actions via IDM portal roles to those users. How to do that is explained very well in the IDM documentation. Just have a look at the start page of this space to find the documentation links, and from there you'll find the implementation and security documentation to complete your setup.
Regards,
Steffi.
Hi,
When we try to access the IDM UI with the username as the AD user and the AD password (which is fetched into the IDM UME LDAP data source):
Error: authentication failed
The log we found in UME is:
LOGIN.FAILED
User: N/A
IP Address: ******
Authentication Stack: sap.com/tc~wd~dispwda*webdynpro_dispatcher
Login Module Flag Initialize Login Commit Abort Details
1. com.sap.security.core.server.jaas.EvaluateTicketLoginModule SUFFICIENT ok false true
2. com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule REQUISITE ok exception true Authentication did not succeed.
3. com.sap.security.core.server.jaas.CreateTicketLoginModule OPTIONAL ok true
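The UME log excerpt above is a JAAS login-module stack: each row carries the module's control flag (SUFFICIENT, REQUISITE, OPTIONAL) and its login result, and the flags decide which row actually settled the outcome. The parser below is an added example written for this thread, not code from the thread or from SAP. It embeds a constructed copy of the excerpt, applies the standard JAAS flag semantics, and names the deciding module; for this excerpt that is the REQUISITE BasicPasswordLoginModule, i.e. the password check against the configured data source failed, and the ticket modules before and after it are not the problem.

```python
import re
from dataclasses import dataclass

# Constructed copy of the UME security-log excerpt quoted in the post above.
SAMPLE_LOG = """\
LOGIN.FAILED
User: N/A
IP Address: ******
Authentication Stack: sap.com/tc~wd~dispwda*webdynpro_dispatcher
Login Module Flag Initialize Login Commit Abort Details
1. com.sap.security.core.server.jaas.EvaluateTicketLoginModule SUFFICIENT ok false true
2. com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule REQUISITE ok exception true Authentication did not succeed.
3. com.sap.security.core.server.jaas.CreateTicketLoginModule OPTIONAL ok true
"""

# One numbered row: position, module class, JAAS control flag, then the
# Initialize/Login/Commit/Abort/Details columns as free text.
ROW_RE = re.compile(
    r"^\s*(\d+)\.\s+(\S+)\s+(REQUIRED|REQUISITE|SUFFICIENT|OPTIONAL)\s+(.*)$")


@dataclass
class ModuleResult:
    position: int
    module: str
    flag: str
    initialize: str
    login: str       # "true", "false" or "exception"
    details: str


def parse_stack(log_text):
    """Return the header fields and the per-module rows of one login event."""
    event = {"modules": []}
    for line in log_text.splitlines():
        m = ROW_RE.match(line)
        if m:
            pos, module, flag, rest = m.groups()
            tokens = rest.split()
            init = tokens[0] if tokens else ""
            login = tokens[1] if len(tokens) > 1 else ""
            tail = tokens[2:]
            # Commit/Abort are bare booleans; whatever follows them is the Details text.
            while tail and tail[0] in ("true", "false"):
                tail.pop(0)
            event["modules"].append(
                ModuleResult(int(pos), module, flag, init, login, " ".join(tail)))
        elif ":" in line:
            key, _, value = line.partition(":")
            event[key.strip()] = value.strip()
        elif line.startswith("LOGIN."):
            event["result"] = line.strip()
    return event


def decisive_module(modules):
    """Apply JAAS control-flag semantics and return (outcome, module or None, details).

    REQUISITE failure ends the stack at once; REQUIRED failure fails the stack
    but later modules still run; SUFFICIENT success ends the stack with success
    unless an earlier REQUIRED/REQUISITE failed; OPTIONAL never decides alone.
    """
    required_failure = None
    for r in modules:
        ok = r.login == "true"
        if r.flag == "REQUISITE" and not ok:
            return ("FAILED", r.module, r.details)
        if r.flag == "REQUIRED" and not ok and required_failure is None:
            required_failure = r
        if r.flag == "SUFFICIENT" and ok and required_failure is None:
            return ("SUCCEEDED", r.module, r.details)
    if required_failure:
        return ("FAILED", required_failure.module, required_failure.details)
    if any(r.login == "true" for r in modules):
        return ("SUCCEEDED", None, "")
    return ("FAILED", None, "no module authenticated the user")


def diagnose(log_text):
    """Parse one event and report which module decided its outcome."""
    event = parse_stack(log_text)
    outcome, module, details = decisive_module(event["modules"])
    return {"stack": event.get("Authentication Stack"), "user": event.get("User"),
            "outcome": outcome, "decided_by": module, "details": details}


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```

Reading the result the way the replies suggest: a failed BasicPasswordLoginModule with the LDAP data source configured means the user ID was not resolved or the password was not accepted against AD, so the user path, the logon-ID attribute mapping and duplicate IDs are the things to verify, not the SSO ticket modules.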