Patrick,

I hope you don't mind, but I wanted to explain why I responded to Krishna in the way I did.

I did not suggest anything which was suggesting this could be done directly, but thank you for giving the link to SAP partner directory. I know that SAP docs often refer to SSO when involving SNC and SAP GUI, but SSO is not always required by the SAP customer. Some customers like to authenticate each user who logs onto SAP using SAP GUI via. a common ID and password (or other form of authentication). Also, some customers like to use SNC with SAP GUI just for encryption and integrity of communications, so SSO is not required in this case.

Since Krishna didn't ask for SSO, I didn't mention SSO and didn't want to assume anything until my question about Active Directory was answered.

Thanks,

Tim

> You can get rid of this also if you have netegrity's siteminder,

> which can be integrated with active directory, so in

> the nutshell all you have to do is sign on to NT/

> windows and you are all set.

>

Nixon,

Can you explain the above in more detail please ? I am interested in how SiteMinder integrates with Active Directory ? Do you have any links to information which explain this level of integration ? I was under the impression that SiteMinder is normally installed on Web servers, e.g. on Windows servers, or external ITS server running ITS. Is the ITS PAS module the one you are referring to ?

Cheers,

Tim

Nixon,

Thankyou. Yes, this helps.

In summary - the Active Directory integration is provided because the Windows web server running IIS is using Integrated Windows Authentication to authenticate the user logged onto the workstation. This user is then put into a HTTP header variable, so that the SAP Header Variable login module can be used to determine the SAP user id to use.

- is this correct ?

Regards,

Tim

Judson,

See my comments below :

> Actually, the use of IIS is for Active Directory

> integration using NTLM. This method is "out" though -

> unless otherwise needed.

In fact, IIS supports Kerbeors and NTLM for Integrated Windows Authentication (if enabled in IIS security configuration). Unless you are running a very very old version of IIS and/or not using Active Directory as domain controller then NTLM is only available, so sine this is unlikely we generally assume Kerberos is being used when referring to Integrated Windows Authentication in IIS web servers.

> In general, SAP are recommending the use of Kerberos for unauthenticated

> sign-on. Obviously the KDC infrastructure must be in-place as a prerequisite.

Yes, the KDC is Active Directory.

> About the header variable, I am not sure what IIS

> Integrated Authentication does with the IISProxy but

> I don't think that it's like the header variable

> integration like SiteMinder or other EAM tools use.

With IIS proxy (which SAP do not support anymore) the IIS server authenticates the user using Kerberos (via GSS-API and SPNEGO protocol between browser and web server) and then the HTTP header variable populated by the IIS proxy is used by the NetWeaver login module. If products such as SiteMinder or other EAM tools, or IBM WebSeal etc. then these products will obtain the ID of the user from somewhere, and this might include taking the ID of the user who has authenticated using Integrated Windows Authentication (e.g. Kerberos).

> When you use header based authentication - the

> browser hits the EAM, the EAM proves the user (VIA

> another mechanism against the AD or other), inserts

> the header (in the case of siteMinder it's SMUSER=)

> and then forwards the request onto the J2EE where the

> authentication stack receives and trusts the header,

> extracts the UserID from it and checks the group

> assignment from the user datasource. Finally, it

> relates the Group assignment to the role VIA

> role==>group mapping and the user sees their stuff.

Yes, this is roughly correct.

> That's it in a nutshell...

>

> So to answer to your questions:

>

> 1/ Active Directory integration can be provided VIA

> IIS or Kerberos, both are based on the domain logon

> already done

I understand what you are saying, but "VIA IIS or Kerberos" suggests it is one or the other, but IIS is using Kerberos, or IIS might have another product installed which is authenticating the user, or it might be using Basic Authentication - in any case the ID of user is put into a HTTP header and this is used by NetWeaver to determine who the external user is, and then this is mapped onto a SAP user ID.

> 2/ Header based logon is a different scenario but

> your guess at the process is basically right. The

> only difference is that the IIS doesn't use header

> based authentication. You can replace IIS with an EAM

> like Tivoli or SiteMinder.

I am not sure what you mean by this. Surely when IIS has an EAM product installed it will be authenticating the user and putting the ID in the header.

> Again, I hope that this helps. Clarity is important

> when understanding the options.

Yes, I agree.

Regards,

Tim