Password change - User shouldn't be able to change his password

Former Member
0 Kudos

Hi all,

I am having a little problem with this, we change the passwords of the SAP users from Portal and other systems.

I need to prevent the user from changing his password directly from SAP because if the user changes it, the password last change date is different from the one in the global system and the policies aren't fulfilled; the user will be able to log in to SAP through Saplogon and his password could be expired in the global system.

Is there any way to configure SAP to prevent the users from changing their password?

I checked the RZ10 attributes but it seems that there isn't any one that fits this.

Thanks in advance!!

Regards,

Nicolás.-

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Hi Nicolas,

Service users cannot change their passwords; only an administrator can change the password for service users.

All other things are the same for both dialog and service users.

So while creating users you can enter the user type as 'Service' instead of 'Dialog' and save. You can also edit the existing dialog users.

Do revert back in case of any issues.

Regards

Rasheed

12 REPLIES

0 Kudos

> So while creating users you can enter the user type as 'Service' instead of 'Dialog' and save. You can also edit the existing dialog users.

That will have license implications as well as technical ones, so I would be very careful of this potentially very bad advice...

I suspect that SAP Logon Tickets are being used here... The ticket issuing system cannot by design issue a SAP Logon Ticket to a requesting user of type SERVICE. So making this change could create a VERY BIG MESS !!!

Cheers,

Julius

0 Kudos

Hi Rasheed,

We have a lot of users, can the service users be used like dialog? Is there any license problem or something like that?

Julius:

Global system means Active directory and some applications that create and update users in there.

If I delete the passwords, the users won't be able to log in through saplogon, right?

I want to prevent the password change in SAP because I change the password through an external application that updates it in AD and SAP.

Thanks and regards,

Nicolás.-

0 Kudos

> If I delete the passwords, the users won't be able to log in through saplogon, right?

Yes they can with SSO, but not with a synchronized password (which is the real problem here...).

> I want to prevent the password change in SAP because I change the password through an external application that updates it in AD and SAP.

You can train them, but you cannot dictate to them that they should not change their private password, or prevent them from the ability to change an initial password which the admin set.

I think the way this setup is designed is the root cause of the problem here...

=> If you have this requirement, then go for a real SSO and delete the backend password.

Cheers,

Julius

0 Kudos

Julius,

First, thank you very much.

I think that I didn't explain it very well.

We have 2 types of users: there are some users that log in through SSO with SAP Logon tickets, and there are some users that log in directly through Saplogon with user id and password.

All the users are maintained with the same application, so if the user is the one that logs in directly to the backend (Saplogon) the password must be maintained in the AD as well, because there are some other applications (non-SAP) that this user can access, and he must log in to these applications through Portal (with SSO).

So, we need to maintain all the users and their passwords in the same data source (AD), otherwise the user will have one password per application.

Regards,

Nicolás.-

0 Kudos

Nicolas,

If you use an SNC library with SAP Logon / SAP GUI that uses Kerberos (the cryptographic protocol used to authenticate users to Active Directory), then your users will no longer be different - the SAP passwords can be deactivated and users can log on using SAP logon tickets and SPNEGO when logging onto portal and using SNC with SAP GUI when logging onto ABAP systems. The only password the user will need is their password entered on the workstation when they log on to the AD domain - everything else will be handled using Kerberos tickets.

Thanks,

Tim

0 Kudos

Thanks Tim,

I have another question: what if the user doesn't use the same AD for the computer domain as the system?

Because there are users that aren't from the same company. I am pretty sure that the workstation domain isn't maintained in our AD.

Regards,

Nicolás.-

0 Kudos

Nicolas,

Yes, I am familiar with that problem since many of our customers that I work with have the same requirement as you. Perhaps you can visit [this site|http://ecohub.sdn.sap.com/irj/ecohub/solutions/trustbrokersecureclient] and watch the webinar recording, where you will see a demonstration of this functionality.

Thanks,

Tim

Former Member
0 Kudos

What is "the global system"?

If the user should not change their password and should not be using that managed system's local password either, then the 1st and the best option is to delete the password whenever they logon using the alternate authentication method offered by the "global system".

You can also configure it to a large extent via the login/password_change_for_SSO and login/password_max_idle_* parameters.

Cheers,

Julius
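
An added example, not part of the original thread or any SAP tooling: a small audit over a combined user export that flags the conditions discussed above (an SSO user who still holds a local SAP password, a password changed in SAP after the directory copy, and a SERVICE-type user expected to use SSO, which per the reply above cannot be issued a logon ticket). The CSV column names and the sample rows are assumptions constructed for this example.

```python
import csv
import io
from datetime import date

# Constructed sample export; the column names are assumptions for this
# example, not a real SAP or Active Directory export format.
SAMPLE_EXPORT = """user,user_type,logon_method,sap_password_active,sap_pwd_changed,ad_pwd_changed
ALICE,DIALOG,SSO,no,,2024-03-01
BOB,DIALOG,SSO,yes,2024-02-10,2024-03-05
CAROL,DIALOG,PASSWORD,yes,2024-03-07,2024-03-07
DAVE,DIALOG,PASSWORD,yes,2024-04-02,2024-01-15
ERIN,SERVICE,SSO,no,,2024-02-20
"""


def _parse_day(value):
    """Return a date for an ISO string, or None when the field is empty."""
    return date.fromisoformat(value) if value else None


def audit(export_text):
    """Return (user, finding) tuples in the order the rows appear."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        user = row["user"]
        uses_sso = row["logon_method"] == "SSO"
        has_password = row["sap_password_active"] == "yes"
        sap_day = _parse_day(row["sap_pwd_changed"])
        ad_day = _parse_day(row["ad_pwd_changed"])

        if uses_sso and has_password:
            # The local password is a second, unmanaged way in.
            findings.append((user, "sso-user-has-local-password"))
        elif has_password and sap_day and ad_day and sap_day > ad_day:
            # Changed directly in SAP, so the directory copy is stale.
            findings.append((user, "changed-in-sap-after-directory"))

        if uses_sso and row["user_type"] == "SERVICE":
            # Per the thread: no logon ticket is issued to SERVICE users.
            findings.append((user, "service-type-on-sso-user"))
    return findings


if __name__ == "__main__":
    for user, finding in audit(SAMPLE_EXPORT):
        print(f"{user}: {finding}")
```
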

WolfgangJanzen
Product and Topic Expert
0 Kudos

>

> Is there any way to configure SAP (ABAP system) to prevent the users from changing their password?

> I checked the RZ10 attributes but it seems that there isn't any one that fits this.

Short answer: no, that's not possible.

The password is considered as "shared secret between one single user and one single system".

The user should not disclose his password to other users. And it's also not considered advisable to use the same credentials for many different systems (especially if they are of different types, e.g. test systems, demo systems and productive systems).

If Single SignOn is desired, it should not be accomplished by "password synchronization" (which anyway [will not work reliably|https://service.sap.com/sap/support/notes/376856]). Instead, a proper SSO solution should be applied.

Former Member
0 Kudos

SSO is the best way to maintain the users' passwords
