Former Member

Password Replication Active Directory - ABAP Backend

Dear board,

my potential scenario looks like the following. There is a Single-Sign-On environment in place using Kerberos in the Windows world and for authentication at the SAP Enterprise Portal. As our application servers are on Unix, SPNego/SAP Logon Tickets are used further on for SSO to the backend systems.

For situations like administrative access using SAP GUI or Active Directory / Enterprise Portal downtime, direct access to the SAP backend systems may be needed. As I do really mind setting up / managing users locally, I'm looking for a way to replicate the user's password stored in the Active Directory to the ABAP user store for that case. Is there a way to do that?

Kind regards and many thanks,

R.


5 Answers

  • Best Answer
    Former Member
    Posted on Sep 11, 2007 at 10:12 AM

    Hi Tim,

    thanks again for your reply. The reason for separated ADS is simply corporate policy, and you are right, an ADS and EP portal landscape will not be set up with single instances only. Nevertheless I do see a drawback in here.

    So, my additional questions to the board are:

    - I found documentation saying that UME can use several user stores for reading information, only one data source can be used for storing the data. Is this really true?

    - Is it possible to customize separate login modules in the UME to authenticate users A with Kerberos and users B with Username and Password? How is the separation handled? I've seen remarks on SDN that it is possible via separate URLs, for example.

    Kind regards and many thanks,

    Richard


    • Richard,

      The ticket stack can be configured something like :

      EvaluateTicketLoginModule SUFFICIENT

      <your spnego login module> OPTIONAL

      CreateTicketLoginModule SUFFICIENT

      BasicPasswordLoginModule REQUISITE

      CreateTicketLoginModule OPTIONAL

      In the above stack, normally items 1, 2 and 3 will be used, but if item 2 fails to authenticate due to a wrong host name being specified in the browser, the login module in item 4 will be invoked and, when this is successful, an SSO2 ticket is issued (item 5).

      I hope this helps you ?

      Thanks,

      Tim
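The stack Tim lists above is a JAAS login-module chain, and which modules actually run depends on the control flags (SUFFICIENT, OPTIONAL, REQUISITE, REQUIRED). The simulation below is an added example, not SAP code and not Tim's configuration: it implements the standard JAAS flag semantics and models each module as a simplified stub. The module behaviours are assumptions for illustration, in particular that CreateTicketLoginModule only succeeds (and issues an SSO2 ticket) when an earlier module in the same run has already authenticated the user.

```python
"""Simulation of JAAS control-flag evaluation for the ticket login stack
discussed above. All module behaviour is simplified and assumed."""
from dataclasses import dataclass, field
from typing import Callable, List, Tuple


@dataclass
class Context:
    """Shared state for one logon attempt (constructed for the example)."""
    has_ticket: bool = False          # browser already presents an SSO2 ticket
    spnego_ok: bool = False           # Kerberos/SPNego negotiation succeeds
    password_ok: bool = False         # user/password pair is valid
    authenticated_user: bool = False  # set by whichever module authenticated
    ticket_issued: bool = False       # set when CreateTicket issues a ticket
    invoked: List[int] = field(default_factory=list)  # 1-based stack positions run


def evaluate_ticket(ctx: Context) -> bool:
    """Assumed: accepts the request if a valid SSO2 ticket is present."""
    if ctx.has_ticket:
        ctx.authenticated_user = True
        return True
    return False


def spnego(ctx: Context) -> bool:
    """Assumed: succeeds only if the Kerberos negotiation worked
    (it fails e.g. when the browser used a host name with no SPN)."""
    if ctx.spnego_ok:
        ctx.authenticated_user = True
        return True
    return False


def create_ticket(ctx: Context) -> bool:
    """Assumed: issues a ticket only for a user already authenticated
    by a preceding module in this run; otherwise reports failure."""
    if ctx.authenticated_user:
        ctx.ticket_issued = True
        return True
    return False


def basic_password(ctx: Context) -> bool:
    """Assumed: user name / password check against the UME data source."""
    if ctx.password_ok:
        ctx.authenticated_user = True
        return True
    return False


# The stack exactly as listed in the post above (module names, flags, order).
STACK: List[Tuple[str, str, Callable[[Context], bool]]] = [
    ("EvaluateTicketLoginModule", "SUFFICIENT", evaluate_ticket),
    ("SpnegoLoginModule", "OPTIONAL", spnego),   # "<your spnego login module>"
    ("CreateTicketLoginModule", "SUFFICIENT", create_ticket),
    ("BasicPasswordLoginModule", "REQUISITE", basic_password),
    ("CreateTicketLoginModule", "OPTIONAL", create_ticket),
]


def run_stack(stack, ctx: Context) -> bool:
    """Standard JAAS semantics:
    REQUIRED  - must succeed; evaluation continues either way.
    REQUISITE - must succeed; on failure evaluation stops immediately.
    SUFFICIENT- on success evaluation stops immediately (unless an earlier
                REQUIRED/REQUISITE module failed); on failure it continues.
    OPTIONAL  - result does not matter; evaluation continues."""
    required_failed = False
    any_success = False
    for position, (_name, flag, module) in enumerate(stack, start=1):
        ctx.invoked.append(position)
        if module(ctx):
            any_success = True
            if flag == "SUFFICIENT" and not required_failed:
                return True  # control returns to the application now
        elif flag in ("REQUIRED", "REQUISITE"):
            required_failed = True
            if flag == "REQUISITE":
                return False  # stop: no later module gets a chance
    return any_success and not required_failed


def login(has_ticket=False, spnego_ok=False, password_ok=False):
    """Run one logon attempt; returns (success, positions invoked, ticket issued)."""
    ctx = Context(has_ticket=has_ticket, spnego_ok=spnego_ok, password_ok=password_ok)
    ok = run_stack(STACK, ctx)
    return ok, ctx.invoked, ctx.ticket_issued


if __name__ == "__main__":
    print("existing ticket     :", login(has_ticket=True))
    print("SPNego works        :", login(spnego_ok=True))
    print("SPNego fails, pw ok :", login(password_ok=True))
    print("SPNego fails, pw bad:", login())
```

Running it shows the two paths from the post: with a working Kerberos negotiation only items 1, 2 and 3 execute and the SUFFICIENT CreateTicket module ends the chain; when SPNego fails the chain falls through to item 4, and because that module is REQUISITE a wrong password stops evaluation right there, while a correct one continues to item 5, which issues the SSO2 ticket.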

  • Posted on Sep 10, 2007 at 05:44 PM

    Richard,

    You will find that Active Directory does not allow access to the user's password, which is used for Kerberos authentication, so you cannot obtain this to sync with an ABAP password. Any Kerberos server that has the ability for code to request the password for a user could be considered to be insecure. The Kerberos protocol uses symmetric key cryptography to authenticate a user instead of sending and comparing a password.

    Instead of syncing passwords, you need to use Kerberos authentication when accessing apps in ABAP engine via SAP GUI, SAP RFC etc. This requires the SNC interface provided by SAP and since your app servers are on UNIX you will need a third party certified SNC/Kerberos library. When implemented your user authentication via SAP GUI will be using Kerberos like you are using for your existing Web logon method. I represent a company that provides a product, which we have developed specifically to sell to SAP customers so that this need can be met.

    If you are interested, please email me using my email address in my SDN business card, and/or feel free to check our website here: http://www.cybersafe.com/links/snc.htm

    Thanks,

    Tim


  • Former Member
    Posted on Sep 11, 2007 at 07:16 AM

    Hi Tim,

    thanks for your reply. I'll check the site, but currently 3rd party software is not the preferred option.

    Did I understand you right? In my scenario outlined, any ADS and/or Portal downtime would lead to the inability to login to the SAP backend systems with the users maintained there. Correct?

    I do have an additional question regarding my scenario: In case I do have two independent AD structures in place, I have learned that it is possible to configure separate login modules which check for authentication a) Kerberos for user group A against ADS I, b) Username and Password for user group B against ADS II.

    - Is this possible and advisable?

    - Can I also adjust the Enterprise Portal to use independent data sources for different user classes? How could I do the differentiation?

    Any hints or links to documentation are highly appreciated.

    Kind regards and many thanks,

    Richard


    • Richard,

      Unless I misunderstood what you were trying to do, I am afraid that in this scenario you have no other option. You need to use 3rd party software, or open source software which you would need to compile and support yourself.

      Normally, when ADS is deployed, there are multiple domain controllers, so that one can be used if another is not available. You would have to have a serious failure, e.g. many systems failing at same time for ADS to be unavailable.

      If you are using more than one ADS domain, then the domains need to have a trust relationship with the domain the user at the workstation uses when they log on.

      I am having a hard time understanding why you want to have more than one ADS domain, when Kerberos cross-realm trust can be used and avoid any complex configurations.

      Normally, the J2EE engine will be configured so that the ticket auth stack invokes the appropriate login modules, and this stack is used by many applications, including the portal. I am not sure if it is possible to configure SAP so that some users use one auth stack (e.g. a specific set of login modules) and another set of users use another auth stack. In some cases it is possible to specify an auth stack which is different to ticket on a per-application basis, but when a stack/login module is used for a particular app it is used for ALL users logging onto that application.

      I hope this helps.

      Thanks,

      Tim

  • Former Member
    Posted on Sep 11, 2007 at 12:19 PM

    Message was edited by:

    Richard H.

  • Former Member
    Posted on Sep 11, 2007 at 12:21 PM

    Hi Tim,

    of course I do not mind you answering, thanks a lot. Highly appreciated! If it is not too large you may post the sample configuration in here.

    Many regards,

    Richard
