Former Member
Apr 24, 2014 at 01:34 PM

Implementing SAP password rules in Active Directory?

Hi guys

We have implemented SAP Secure Login Server and SAP Login Client in a retail company. This works very well for our GUI users. Most of our users in the shops, however, log on to the SAP systems through a browser. We have enabled single sign-on to the BSP, ABAP Web Dynpro and Java Web Dynpro pages using the Secure Login Server as intermediary. A redirect application is set up on the SLS to redirect to the various NetWeaver servers after issuing a SAP logon ticket. This all works very well, but our project sponsors would like a fallback solution in case the SLS for some reason is not available or able to authenticate the users. The assumption is that once the users get used to single sign-on, they will have forgotten the original password to their SAP user IDs by the time the single sign-on setup for some reason is not functioning.

The idea thus came up to synchronize user passwords from AD to the SAP systems, and we do have a Microsoft ILM setup that appears to be capable of doing exactly that. However, the problem now is that the password rules implemented by default in the SAP systems are more restrictive than the password policy in place in AD. Consequently, we may very well have the case that a user selects a new password in AD which is not strong enough to be synchronized to the SAP systems. We then thought that it might be an option to implement the SAP password rules in Active Directory, but this does not seem to be trivial. Would you have any suggestions as to how we can solve this problem? Our Active Directory is based on Windows 2008.

Best regards,

Anders