11-04-2015 3:33 PM
Hello,
i want to configure the SAP NetWeaver Single Sign-On for SAP GUI for Windows with Kerberos integration.
the SAP username is made from the first letter of the firstname and the family name "flastname" but the Kerberos token generated by the SAP secure login client is "CN=FIRSTNAME.LASTNAME@COMPANY.COM".
My question is the following: is there a way to use variables in the transaction SNC1 so that the SAP user "flastname" will be mapped to "CN=FIRSTNAME.LASTNAME@COMPANY.COM"?
Regards,
Hassan
11-04-2015 3:57 PM
There is the BAdi.
Go ahead and develop your own mapping logic.
Cheers! Lutz
11-04-2015 3:57 PM
There is the BAdi.
Go ahead and develop your own mapping logic.
Cheers! Lutz
11-04-2015 4:28 PM
I find that most customers use ECATT to update the USRACL table since this can be done easily without any code development. You just need to create an export from your Active Directory and use that in your script.
11-04-2015 4:55 PM
Hi Tim. I would be faster doing the ABAP I bet .
But there will probably be some manual actvity involved to resolve name collisions. In every company I worked with we had at least three employees named Stefan Müller. And which of them will get the smueller? Which ID will the others get?
Mapping is never fun to do if a non-ambiguous common denominator is missing.
So I agree: Export - manual cleanup and ECATT sounds promising too.
11-05-2015 10:56 AM
The versions for our ABAP systems is the following: 7.02 SP12, 7.30 SP07 and 7.30 SP08 and for those versiosn there is no BADI implementation in the SNC transaction.
I think that the screenshot you are sharing is for 7.40 system.
Can we map the users directly in the table USRACL?
11-05-2015 11:36 AM
Yes, you can update USRACL table but after you have done that you must run t-code SNC4 so make the USRACL entries canonical.
11-04-2015 5:02 PM
thanks for your anwsers,
As i am not an ABAPER i will ask a developer to create the BADI.
11-04-2015 10:01 PM
I am not logged on, but if I remember correctly you can use report RSUSR300 for such operations and there were some recent SAP notes for it to support import of files and variables and some processing corrections.
The search term should at least help you further on SMP and possible also google.
Cheers,
Julius
ps: when asking questions you should mention which release and SP level you are on.
11-04-2015 10:15 PM
Yes, that is a good option Julius. The LDAP connection needs to be created so that account attributes in AD user accounts like samAccountName can be used to construct the required SNC name. Then you will be sure that the case sensitivity is correct. I have seen many customers use this method successfully.
Thanks
Tim