Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

SAPGUI and Portal Authentication using AD Credentials with usr/passw prompt

Former Member

‎08-30-2007 9:38 AM

0 Kudos

Hi Experts,

We have the following requirements:

1. Portal/EP has UME set to ABAP (in other words using ECC6 system's user/password).

2. ECC6 user-id's differ from Active Directory user.

3. User logs in to Active Directory.

4. User wants to log on to SAPGUI (ECC6 system), with a user-name password prompt, using the Active directory Credentials.

5. User wants to log on to Portal/EP, with a user-name password promt, using the Active Directory Credentials.

The following suggested solution was the closest to the requirement (without to much technical detail):

1. For SAPGUI, implement SSO on the workstation GUI's and maintain the Active Directory user in transaction SU01 in the ALIAS field.

This should enable the user to, after having logged onto the Active Directory, to open the SAPGUI and WITHOUT user-name password prompt, be authenticated and logged into SAP. This would entail settings to be done on each workstations GUI.

2. For the Portal/EP, implement Kerberos on the portal, setting it to authenticate to the AD. As per note 935644 maintain an additional attribute on the UME, to enable the mapping between the UME and the AD users.

This should enable the user, after having logged onto the Active Directory, to open Internet Explorer, go to the Portal URL, and be authenticated and logged into the portal, without WITHOUT user-name password prompt.

Do you know the viability of this solution, or whether there is any better suggestion (especially to keep the user-name password prompt, and without changing the ECC6 or Active directory users).

Regards.

1 REPLY 1

tim_alsop
Active Contributor

‎08-30-2007 9:46 AM

0 Kudos

AJP,

The description you have given is an exact description of the capability of our product. I represent a company called CyberSafe, and our products are designed and sold to SAP customers for integrating the SAP user authentication with Active Directory authentication. We have some unique features in our product which you could benefit from, e.g. our SAP GUI SNC library has the ability to popup a logon screen asking user for Active Directory account and password before it logs the user onto SAP. Also, when the SAP system has authenticated the user, either via the Web browser or via SAP GUI their Kerberos principal name (determined from AD account name and domain) is mapped onto a SAP user using a table in the ABAP system. The browser authentication even uses this same table for mapping so that an authenticated account name does not need to be same as the SAP user they log onto.

If you would like to discuss our product more, and/or arrange a free evaluation please contact me using the email address in my SDN business card.

Thankyou,

Tim