SAP - External Authentication LDAP Password Validation

Former Member
0 Kudos

Hi,

I am really hoping that someone is able to help with this curly one.....

We have a requirement to simplify password management in all of our systems including SAP R/3 (46C). Currently SAP runs "normally" with its own userid/password database.

Our preference is to have SAP use its own userids, "groups" & security, but validate the password supplied at login with an external authenticator (eg LDAP) instead of against the internal database.

To us this means that we would do the following for each user:

1. Create logonid (eg "USER1") in AD with a password.

2. Create logonid (eg "USER1") in SAP with a password (no relation to the AD password)

So, when "USER1" logs into SAP/GUI, it would be ideal if SAP would confer with our LDAP to determine if the userid/password is valid for our domain & if so grant access to SAP according to the SAP definition for USER1.

My understanding of AD integration is that SAP/GUI will use the credentials of the user logged into the PC & pass this to SAP as an "authenticated" user. This would not suffice for us as we cannot ensure security of a PC (eg screen locking etc) and our users may need to access SAP from a PC they haven't logged into the domain on.

Is there a solution that suits our requirements??

Kind Regards

Simon
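
The flow the question asks for (password validated by the directory, access rights taken from the application's own user record), as an added example that is not part of the original post and does not represent SAP functionality. The directory is a constructed in-memory stand-in that accepts empty-password binds, which RFC 4513 allows as "unauthenticated" simple binds; `login`, `escape_dn_value`, `make_fake_directory`, the base DN and the role name are hypothetical.

```python
# Added illustration: authenticate by directory bind, authorize from a local table.
_DN_SPECIAL = '\\,+"<>;='  # RFC 4514: must be backslash-escaped in a DN value


def escape_dn_value(value):
    """Escape a user-supplied string before placing it inside a DN."""
    out = []
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "\0":
            out.append("\\00")
        elif (ch == "#" and i == 0) or (ch == " " and i in (0, len(value) - 1)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def make_fake_directory(entries):
    """Constructed stand-in for an LDAP server that allows unauthenticated binds."""
    def bind(dn, password):
        if password == "":
            return True  # bind "succeeds" without proving any identity
        return entries.get(dn.lower()) == password
    return bind


def login(userid, password, bind, local_users,
          base_dn="OU=Users,DC=example,DC=com"):  # hypothetical base DN
    """Return the locally defined roles if the directory accepts the password."""
    roles = local_users.get(userid.upper())  # authorization stays local
    if roles is None:
        return None
    # Never forward an empty password: the directory may report success
    # for what is really an anonymous (unauthenticated) bind.
    if not password:
        return None
    dn = "CN=" + escape_dn_value(userid) + "," + base_dn
    return roles if bind(dn, password) else None


# Constructed sample data.
DIRECTORY = make_fake_directory({"cn=user1,ou=users,dc=example,dc=com": "S3cret!"})
LOCAL_USERS = {"USER1": {"Z_DISPLAY_ONLY"}}

if __name__ == "__main__":
    print(login("USER1", "S3cret!", DIRECTORY, LOCAL_USERS))
    print(login("USER1", "", DIRECTORY, LOCAL_USERS))
```
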

Accepted Solutions (0)

Answers (1)

Former Member
0 Kudos

Hi,

Yes, it is possible with Single Sign-On with Microsoft LAN Manager SSP (works with Windows only).

Single Sign-On (SSO) is a secure method of logging on to the SAP system that simplifies the logon procedure without reducing security. When your system is configured for SSO, an authorized user who has logged on to the operating system can access the SAP system simply by selecting it in the SAP logon window or clicking the shortcut. No SAP system user name or password is necessary. SSO makes it significantly easier for you to manage SAP system users.

If you use Windows 2000 or higher, then you can also use Single Sign-On with Microsoft Kerberos SSP.

For configuration, look at the SAP installation document.

regards,

kaushal

Former Member
0 Kudos

Hi Kaushal,

Thanks for taking the time to respond. Unfortunately SSO (as you describe) is exactly what we don't want. We want to have SAP ask for user/password, but to test the validity of the user/password combination against LDAP/AD at login time.

We cannot guarantee that our users will lock their screens and having a PC exposed that can automatically login to SAP without a challenge is unacceptable to our auditors. With SSO if my boss walks away from his PC, I can sneak up to it & launch SAP with his credentials (because they're coming unchecked from his Windows environment.......).

Regards(etc)

Simon

Former Member
0 Kudos

Hi,

SSO with LDAP works only for users who log in to the domain (OS).

For users who use a local login to the OS, SSO does not work and SAP asks for a username and password.

We cannot guarantee that our users will lock their screens and having a PC exposed that can automatically login to SAP without a challenge is unacceptable to our auditors. With SSO if my boss walks away from his PC, I can sneak up to it & launch SAP with his credentials (because they're coming unchecked from his Windows environment.......).

The above situation will definitely arise. In this case it is not possible to handle security; you have to train the end users regarding this, and the OS user password must not be shared.

regards,

kaushal