Use of active directory userid/password authentication instead of SAP R/3 User/Password for digital signature?

Dear all,

I am looking to set up the use of Active Directory user ID/password authentication instead of the SAP R/3 user/password for digital signature. We SSO to the backend ABAP AS via an SAP NW Portal on which SPNego Kerberos authentication is set up. Today we specify the R/3 user ID/password to digitally approve a lot release. The idea is to have users maintain one AD password and not have to remember the R/3 password anymore, and also for our Security team to avoid password maintenance.

I know there are 3 options for digital signature:

1. System signature with authorization by user ID and password (we use this currently)
2. Digital user signature with verification (we would like to use this with the AD user ID/password, so the system still asks users for their AD user ID/password when they try to "sign" a document)
3. User signature without verification

Do you think there is a way to configure the system to ask for and check the Active Directory user ID/password instead of the SAP R/3 password? Where can I find documentation about it?

I have several different versions of AS ABAP starting from NW 7.02 to NW 7.31.

My active directory is based on Windows 2008.

Thanks in advance!!

Dhee

1 ACCEPTED SOLUTION

Former Member
0 Kudos

See also .

12 REPLIES

Former Member
0 Kudos

Take a look here:

http://wiki.scn.sap.com/wiki/display/Security/Security+Functionality+Wishlist-Topics

There is a solved request called "Electronic signature via LDAP based SSO" - SAP provides a BADI from which you can call the LDAP function modules to remotely verify an AD password.

Cheers,

Julius

0 Kudos

One of the challenges with using LDAP is that an Active Directory user account might not be the same as the SAP user, so how will the LDAP bind (initiated from the server) know which AD account to use when checking the password? If Kerberos is used instead of LDAP, then the Kerberos principal name of the user can be used to check the user's password, since this principal name is known when they log on to the system using SAP GUI with SNC authentication.

0 Kudos

I guess it depends on whether you have a policy for unique identities also logged onto the PC who should have the option to digisig a document without SSO. Or whether you have managed to force SSO but have a mismatch of names.

For the scenario of roaming users at public terminals they are unlikely candidates to be digitally signing documents and you can keep the passwords alive and simple for them. The others are deleted.

I prefer this approach as it keeps the option of the SSO technology used open or whether a local password was used to logon even in some cases such as a webservice with signature based on some "owner" and not the logged on user. Forcing kerberos has limitations as well.

Cheers,

Julius

0 Kudos

Julius,

Many companies have a policy for naming users in their domains. Sometimes the name is <firstname>.<last name>. When this method of naming is done the same naming convention is not used in the SAP system so SAP user identity mapping is very important (e.g. via USRACL table). When names are not similar, then using LDAP simple bind with the BAdI is not going to be easy.

We could argue/discuss this for a long time, which I don't want to do, especially on SCN. I just wanted to make the point that this is not always as easy as it might seem. There are lots of gotchas, as I have found. I have implemented this for dozens of pharma companies with SNC and it works well if done properly, and I didn't use LDAP...

Tim

0 Kudos

I forgot to comment on your statement about forcing Kerberos (not sure what makes you think Kerberos needs to be forced). Anyway, the BAdI implementation code can check if the user is logged on using the SAP password and check the SAP password instead of checking their Active Directory password.
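The decision logic the two replies above describe (derive the AD account from the SNC principal when the session was opened with SNC, otherwise fall back to the SAP password), as an added illustration in Python. This is not ABAP, not SAP's BAdI and not any SAP API; the names Session, verify_signature_credential, SNC_TO_SAP and the two fake_* stand-ins, and all sample data, are constructed for this example.

```python
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

# Constructed USRACL-style mapping (SNC name -> SAP user) and constructed
# credential stores; nothing here talks to a real directory or SAP system.
SNC_TO_SAP = {"p:john.smith@EXAMPLE.COM": "JSMITH"}
FAKE_AD_PASSWORDS = {"john.smith@EXAMPLE.COM": "Winter2024!"}
FAKE_SAP_PASSWORDS = {"JSMITH": "init123"}


def fake_ldap_bind(account: str, password: str) -> bool:
    """Stand-in for an LDAP simple bind against AD (constructed, no network)."""
    return FAKE_AD_PASSWORDS.get(account) == password


def fake_sap_password_check(user: str, password: str) -> bool:
    """Stand-in for the R/3 password check used for option 1 today."""
    return FAKE_SAP_PASSWORDS.get(user) == password


@dataclass
class Session:
    sap_user: str
    snc_name: Optional[str]  # Kerberos principal from SNC logon; None for password logon


def verify_signature_credential(
    session: Session, entered_user: str, entered_password: str,
    ldap_bind: Callable[[str, str], bool] = fake_ldap_bind,
    sap_check: Callable[[str, str], bool] = fake_sap_password_check,
) -> Tuple[bool, str]:
    """Return (accepted, which_check_was_used); the password is never logged."""
    # A signature is only meaningful for the user who is actually logged on.
    if entered_user.upper() != session.sap_user.upper():
        return False, "signer-mismatch"
    # Password logon: no principal is known, so the SAP password is checked.
    if session.snc_name is None:
        return sap_check(session.sap_user, entered_password), "sap-password"
    # SNC logon: the principal must be the one mapped to this SAP user, or a
    # naming mismatch would make the server bind as the wrong AD account.
    if SNC_TO_SAP.get(session.snc_name) != session.sap_user:
        return False, "principal-not-mapped"
    # "p:" is the SNC name prefix; what follows is the Kerberos principal.
    account = session.snc_name[2:] if session.snc_name.startswith("p:") else session.snc_name
    return ldap_bind(account, entered_password), "ad-bind"
```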

0 Kudos

I suggest using Kerberos, it works fine when everything is configured once.

Former Member
0 Kudos

NWSSO has a Windows only implementation for classic GUI, see the application help and this discussion thread for details.

0 Kudos

Thank you all for the quick responses. I will discuss this with my ABAP team and let you know how it goes.

However, what do I need to do to use Kerberos instead of LDAP?

Thanks

0 Kudos

Actually enabling Kerberos for SSO purposes and enabling Kerberos for digital signatures are two different topics, although the latter is because of the former. I'm interested in the topic as well and I'm currently looking at different options. SAP provides a BAdI for the digital signature API which can be used for external authentication, but they do not provide the solution to invoke Kerberos authentication based on username and password. SAP provides a semi-solution with NWSSO 2.0 SP2 which works only on Windows with classic dynpros, meaning SAP GUI for Windows is assumed. The solution is based on an ActiveX component which does the actual Kerberos authentication using the Secure Login Client, which is part of the NWSSO suite. Extending that implementation to non-Windows and non-GUI applications would require some sort of web-enabled service that could be used to authenticate the user with username and password. In case authentication is successful, a Kerberos token would be returned to SAP which would then be validated. All the required pieces are there since SAP has Kerberos support now in both stacks of the NetWeaver Application Server; some bits are still missing though, which leaves customers looking at 3rd party or custom solutions.

0 Kudos

Thanks Samuli. You have summarized what I was going to say. We are already using Kerberos/SPNego authentication to SSO to the SAP Portal and then SSO to the backend AS ABAP.

I did read about the NWSSO's Secure Login Client, and since we are Windows based that could be a potential solution. However, I am exploring solutions/options on how to achieve AD based username and password authentication without using the NWSSO. That could be via LDAP or Kerberos. But since Kerberos is not an option with the SAP supplied BAdI for the digital signature, I will explore the option of LDAP and let you know how it goes.

Thank you all for the contributions.