Hello, I was hoping someone could confirm the following SSO/AD integration config is possible before I really start digging into things.

Goal: When users click on a system in the SAPGUI, they get SSO'd into the system via Kerberos/SPNEGO. When users open an webpage that resides on the above system, they do NOT get SSO'd into the system and are prompted to enter the Active Directory credentials, not their SAP credentials.

So that's the overall goal. We are currently SSOing into our ABAP systems via Kerberos without issue. We are NOT using SAP Secure Logon Server. We are simply using the Secure Logon Client and configuration on the back-end to achieve SSO & AD integration via Kerberos.

On one of our systems, we are running a WebDynpro app that presents the user with sensitive information. Initially, we included this resource in the SPN of the AD service account, i.e. HTTP/hostname.domain.com. In doing so, when users accessed this resource from their browser, they would get SSO'd. The powers that be decided they did not like that and want users to have to logon to this web resource. So, we removed the SPN from the service account, thereby forcing a logon prompt to the webpage. However, in doing so, it is wanting the user's SAP credentials, not their AD credentials.

Is there a way to make it request the user's AD credentials instead of their SAP credentials, without using a Secure Logon Server?

Thanks,

Tom