Aug 21, 2014 at 01:43 PM

SAP SSO with X.509 automate process with RSUSREXT



We are trying to implement SAP SSO with X.509 certificates for HTTPS access (NWBC).

Environment: Windows 7 clients, Internet Explorer, NetWeaver ABAP 7.31 on Windows 2008 R2, Windows PKI.

I've done the following steps:
1. Configured SAP to accept certificates.

2. Created a certificate template "SAPSSO" in our PKI (built from AD information: subject name contains "Fully distinguished name", include e-mail, include user principal name in subject alternative name).

3. Started certmgr.msc on my client and requested a new certificate from the "SAPSSO" template.

The new certificate is stored on my client in my certificate list in certmgr.msc (later this should be done with AD autoenrollment).

4. Activated the certmap service in SICF: https://mysapserver/sap/bc/webdynpro/sap/certmap

5. Opened the certmap service in my browser and linked the certificate with my SAP username.

6. Checked the entry in table USREXTID. The certmap service created a "DN" (distinguished name) entry for me: CN=Firstname Lastname, OU=User, OU=town, OU=AG, OU=DE, DC=company, DC=net

7. Imported the master certificate in STRUST.

From this point everything is working fine for my user.

Now I want to generate the entries of the USREXTID table with the RSUSREXT report.

The report generates the SAP Username as part of the DN.

For example, I am able to build this DN with RSUSREXT: CN=MYSAPUSERNAME, OU=User, OU=town, OU=AG, OU=DE, DC=company, DC=net

But this DN does not match my DN in my certificate!

My problem is now that I do not have my username in the DN of my certificate. Because of this, I cannot generate the table entries with this report.

In this KBA Andre Fischer is talking about implementing policy modules for the certificate template to be able to generate the Windows sAMAccountName into the DN.

"Reading other attributes than common name or fully distinguished name from the AD is a little bit trickier and requires a custom policy module."

Single Sign-On for SAP NetWeaver Leveraging X.509 Certificate Auto Enrollment in Microsoft Active Directory

I managed to change the template so that principalname=MYADUSERNAME is added as a subject alternative name in my certificate.

But I don't know how to fill the USREXTID table to match the SANs in my certificate.

Does anyone have a solution for the AD certificate template to generate the AD account name in the DN?

Or does anyone know how to fill the USREXTID table so that the principalname is matched?

(PS: SAP username and AD name are the same for all of our users)

Kind regards
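Added example, not code from the original post or from SAP: the post shows two DN strings, the one the certmap service stored from the certificate (CN=Firstname Lastname, ...) and the one RSUSREXT generates (CN=MYSAPUSERNAME, ...), and the whole problem is that these must be the same string. The script below builds the stored-DN form directly from AD attributes instead, which is possible because the template puts the AD distinguishedName into the subject, and shows why the RSUSREXT form cannot match. It assumes (not confirmed by the post) that the subject DN equals the AD distinguishedName unchanged, that SAP compares the stored DN RDN by RDN as a normalized string, and that the ", "-separated form shown in the post is the one to store; how the resulting lines are loaded into USREXTID is left to the administrator. The AD records are constructed sample data.

```python
"""Build USREXTID-style DN mapping lines from AD attributes.

Added example; not code from the original post or from SAP.
Assumptions (not stated in the post):
  * the template copies the AD distinguishedName into the certificate
    subject unchanged, so the subject DN equals the AD attribute value;
  * SAP matches the stored DN as a normalized string, RDN by RDN;
  * the stored form is "CN=..., OU=..., DC=..." as the post shows, and
    loading the lines into USREXTID is left to the administrator.
SAP user ID == sAMAccountName is stated in the post.
"""
from typing import Dict, List, Tuple


def split_rdns(dn: str) -> List[str]:
    """Split an RFC 4514 DN on commas that are not backslash-escaped.

    AD user DNs such as "CN=Doe\\, John,OU=..." carry an escaped comma in
    the CN; a naive dn.split(",") would cut that RDN in two and produce a
    string that never matches the certificate subject.
    """
    rdns: List[str] = []
    buf: List[str] = []
    escaped = False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    if escaped:
        raise ValueError("DN ends with a dangling escape character")
    rdns.append("".join(buf).strip())
    return rdns


def to_sap_dn(ad_dn: str) -> str:
    """Render a DN in the ", "-separated form the certmap service stored."""
    return ", ".join(split_rdns(ad_dn))


def dn_matches(cert_dn: str, stored_dn: str) -> bool:
    """Compare two DNs RDN by RDN, ignoring whitespace around separators
    and the case of the attribute type (CN vs cn). Values stay case-sensitive."""
    def norm(rdn: str) -> Tuple[str, str]:
        typ, _, val = rdn.partition("=")
        return typ.strip().upper(), val.strip()
    return [norm(r) for r in split_rdns(cert_dn)] == [norm(r) for r in split_rdns(stored_dn)]


def rsusrext_style_dn(sap_user: str, ad_dn: str) -> str:
    """The DN the post says RSUSREXT produces: the AD DN with the SAP user ID
    substituted for the CN value. Assumes CN is the leading RDN, as in the post;
    included only to demonstrate the mismatch."""
    rdns = split_rdns(ad_dn)
    rdns[0] = f"CN={sap_user}"
    return ", ".join(rdns)


def build_mapping(users: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """One (SAP user, DN) pair per AD user; the DN comes from distinguishedName,
    not from the user ID, so it equals the certificate subject."""
    return [(u["sAMAccountName"], to_sap_dn(u["distinguishedName"])) for u in users]


# Constructed sample AD records (not real users).
SAMPLE_USERS = [
    {"sAMAccountName": "MYSAPUSERNAME",
     "distinguishedName": "CN=Firstname Lastname,OU=User,OU=town,OU=AG,OU=DE,DC=company,DC=net",
     "userPrincipalName": "MYSAPUSERNAME@company.net"},
    {"sAMAccountName": "JDOE",
     "distinguishedName": "CN=Doe\\, John,OU=User,OU=town,OU=AG,OU=DE,DC=company,DC=net",
     "userPrincipalName": "JDOE@company.net"},
]

if __name__ == "__main__":
    for sap_user, dn in build_mapping(SAMPLE_USERS):
        print(f"{sap_user};{dn}")
    u = SAMPLE_USERS[0]
    cert_dn = to_sap_dn(u["distinguishedName"])  # what the certificate carries
    wrong = rsusrext_style_dn(u["sAMAccountName"], u["distinguishedName"])
    print("AD-derived DN matches certificate:", dn_matches(cert_dn, to_sap_dn(u["distinguishedName"])))
    print("RSUSREXT-style DN matches certificate:", dn_matches(cert_dn, wrong))
```

The escaped-comma record is the case worth checking before a bulk load: a DN built by splitting on every comma would be silently wrong for every user whose CN is "Lastname, Firstname", and the login failure would only show up for those users.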