11-17-2009 12:23 PM
Hi all,
I am having a little problem with this: we change the passwords of the SAP users from the Portal and other systems.
I need to prevent the user from changing his password directly in SAP, because if the user changes it, the password's last-change date differs from the one in the global system and the policies aren't fulfilled: the user will be able to log in to SAP through SAP Logon while his password could be expired in the global system.
Is there any way to configure SAP to prevent the users from changing their password?
I checked the RZ10 attributes but it seems that there isn't any that fits this.
Thanks in advance!!
Regards,
Nicolás.-
11-17-2009 12:42 PM
Hi Nicolas,
Service users cannot change their passwords; only an administrator can change the password for service users.
All other things are the same for both dialog and service users.
So while creating users you can enter the user type as 'Service' instead of 'Dialog' and save. You can also edit the existing dialog users.
Do revert back in case of any issues.
Regards
Rasheed
11-17-2009 12:48 PM
> So while creating users you can enter the user type as 'Service' instead of 'Dialog' and save. You can also edit the existing dialog users.
That will have license implications as well as technical ones, so I would be very careful of this potentially very bad advice...
I suspect that SAP Logon Tickets are being used here... The ticket-issuing system cannot by design issue a SAP Logon Ticket to a requesting user of type SERVICE. So making this change could create a VERY BIG MESS!!!
Cheers,
Julius
11-17-2009 12:54 PM
Hi Rasheed,
We have a lot of users; can the service users be used like dialog users? Is there any license problem or something like that?
Julius:
"Global system" means Active Directory and some applications that create and update users in there.
If I delete the passwords, the users won't be able to log in through SAP Logon, right?
I want to prevent the password change in SAP because I change the password through an external application that updates it in AD and SAP.
Thanks and regards,
Nicolás.-
11-17-2009 1:05 PM
> If I delete the passwords, the users wont be able to login through saplogon, right?
Yes they can with SSO, but not with a synchronized password (which is the real problem here...).
> I want to prevent the password change in SAP because i change the password through an external application that updates it in AD and SAP.
You can train them, but you cannot dictate to them that they should not change their private password, or prevent them from changing an initial password which the admin set.
I think the way this setup is designed is the root cause of the problem here...
=> If you have this requirement, then go for a real SSO and delete the backend password.
Cheers,
Julius
11-17-2009 1:19 PM
Julius,
First, thank you very much.
I think that I didn't explain it very well.
We have 2 types of users: there are some users that log in through SSO with SAP Logon Tickets, and there are some users that log in directly through SAP Logon with user ID and password.
All the users are maintained with the same application, so if a user is one who logs in directly to the backend (SAP Logon), the password must be maintained in AD as well, because there are some other (non-SAP) applications that this user can access, and he must log in to these applications through the Portal (with SSO).
So, we need to maintain all the users and their passwords in the same data source (AD); otherwise the user will have one password per application.
Regards,
Nicolás.-
11-17-2009 1:28 PM
Nicolas,
If you use an SNC library with SAP Logon / SAP GUI that uses Kerberos (the cryptographic protocol used to authenticate users to Active Directory), then your users will no longer be different: the SAP passwords can be deactivated, and users can log on using SAP Logon Tickets and SPNEGO when logging on to the Portal, and using SNC with SAP GUI when logging on to ABAP systems. The only password the user will need is the one entered on the workstation when they log on to the AD domain; everything else will be handled using Kerberos tickets.
Thanks,
Tim
11-17-2009 1:39 PM
Thanks Tim,
I have another question: what if the user's computer domain isn't the same AD as the system's?
Because there are users that aren't from the same company. I am pretty sure that the workstation domain isn't maintained in our AD.
Regards,
Nicolás.-
11-17-2009 1:44 PM
Nicolas,
Yes, I am familiar with that problem since many of our customers that I work with have same requirement as you. Perhaps you can visit [this site|http://ecohub.sdn.sap.com/irj/ecohub/solutions/trustbrokersecureclient] and watch the webinar recording, where you will see a demonstration of this functionality.
Thanks,
Tim
11-17-2009 12:45 PM
What is "the global system"?
If the user should not change their password and should not be using that managed system's local password either, then the first and best option is to delete the password whenever they log on using the alternate authentication method offered by the "global system".
You can also configure it to a large extent via the login/password_change_for_SSO and login/password_max_idle_* parameters.
Cheers,
Julius
11-20-2009 4:07 PM
> Is there any way to configure SAP (ABAP system) to prevent the users from changing their password?
> I checked the RZ10 attributes but it seems that there isn't any that fits this.
Short answer: no, that's not possible.
The password is considered a "shared secret between one single user and one single system".
The user should not disclose his password to other users. And it's also not considered advisable to use the same credentials for many different systems (especially if they are of different types, e.g. test systems, demo systems and productive systems).
If Single Sign-On is desired, it should not be accomplished by "password synchronization" (which anyway [will not work reliably|https://service.sap.com/sap/support/notes/376856]). Instead, a proper SSO solution should be applied.
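The three replies that point in the same direction (Julius's advice to delete the backend password and tune the login/password_max_idle_* parameters, Tim's SNC/Kerberos setup, and the last reply's "use a proper SSO solution instead of password synchronization") all come down to a handful of ABAP instance profile parameters. The script below is an added example, not code from this thread or from SAP: it parses the plain `name = value` profile syntax and compares a "weak" profile (password logon for everyone, SNC off, passwords never idle out) against a hardened one. Both profile texts are constructed samples, the user group ADMIN_PWD is a hypothetical name for the emergency accounts that keep a password, and the parameter semantics are the author's reading of the NetWeaver 7.0 profile parameter documentation; check each parameter in RZ11 on your own release before applying any of it.

```python
"""Audit an SAP ABAP instance profile for the SNC/SSO design recommended in
the thread: backend passwords deactivated, SAP GUI logon via SNC (Kerberos),
Portal logon via SAP Logon Tickets.  Added example; parameter semantics are
assumed from the NW 7.0 documentation and must be verified in RZ11."""
import re
from typing import Dict, List, Optional

# Constructed sample: the situation described in the thread.  Every dialog
# user keeps a productive backend password that never idles out, so it can
# drift from the Active Directory password.
WEAK_PROFILE = """\
# DEFAULT.PFL (constructed sample, weak)
SAPSYSTEMNAME = PRD
login/password_max_idle_productive = 0
login/password_max_idle_initial = 0
login/disable_password_logon = 0
login/accept_sso2_ticket = 1
snc/enable = 0
"""

# Constructed sample: password logon allowed only for the (hypothetical)
# emergency group ADMIN_PWD, SNC enforced for GUI and RFC, unused passwords
# deactivated after a few days.  snc/gssapi_lib and snc/identity/as are
# omitted because their values depend on the SNC product in use.
HARDENED_PROFILE = """\
# DEFAULT.PFL (constructed sample, hardened)
SAPSYSTEMNAME = PRD
snc/enable = 1
snc/accept_insecure_gui = 0
snc/accept_insecure_rfc = 0
login/accept_sso2_ticket = 1
login/disable_password_logon = 1
login/password_logon_usergroup = ADMIN_PWD
login/password_max_idle_productive = 30
login/password_max_idle_initial = 3
"""

PARAM_RE = re.compile(r"^\s*([A-Za-z0-9_/.\-]+)\s*=\s*(.*?)\s*$")


def parse_profile(text: str) -> Dict[str, str]:
    """Parse `name = value` lines; `#` lines are comments.  A later
    assignment overrides an earlier one, as the kernel does."""
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        m = PARAM_RE.match(raw)
        if m:
            params[m.group(1)] = m.group(2)
    return params


def _int(params: Dict[str, str], name: str, default: Optional[int] = None) -> Optional[int]:
    """Integer value of a parameter; `default` if unset, None if not numeric."""
    value = params.get(name)
    if value is None:
        return default
    try:
        return int(value)
    except ValueError:
        return None


def audit(params: Dict[str, str]) -> List[str]:
    """Return one finding per parameter that still lets users rely on, and
    therefore change, a backend password that AD knows nothing about."""
    findings: List[str] = []
    if _int(params, "snc/enable") != 1:
        findings.append("snc/enable is not 1: SAP GUI users authenticate with "
                        "backend passwords instead of Kerberos via SNC")
    else:
        # Only meaningful once SNC is on: refuse non-SNC GUI/RFC connections,
        # which are exactly the ones that would present a password.
        for p in ("snc/accept_insecure_gui", "snc/accept_insecure_rfc"):
            if _int(params, p) != 0:
                findings.append(f"{p} should be 0 so that non-SNC connections are refused")
    dpl = _int(params, "login/disable_password_logon", default=0)
    if dpl not in (1, 2):
        findings.append("login/disable_password_logon is not 1 or 2: any user can "
                        "still log on with, and change, an unsynchronized backend password")
    elif dpl == 1 and not params.get("login/password_logon_usergroup"):
        findings.append("login/disable_password_logon = 1 but "
                        "login/password_logon_usergroup is empty: no emergency accounts are exempt")
    # 0 means "unlimited"; a password nobody uses for logon should expire.
    for p in ("login/password_max_idle_productive", "login/password_max_idle_initial"):
        if _int(params, p, default=0) == 0:
            findings.append(f"{p} is 0 (unlimited): unused passwords stay valid indefinitely")
    if _int(params, "login/accept_sso2_ticket") != 1:
        findings.append("login/accept_sso2_ticket is not 1: Portal users cannot "
                        "reach this system with SAP Logon Tickets")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(f"== {label}: {len(audit(parse_profile(text)))} finding(s)")
        for f in audit(parse_profile(text)):
            print("  -", f)
```

Run against the two samples, the weak profile yields four findings (SNC off, password logon open to all, both idle limits unlimited) and the hardened one none. Note what the hardened profile does not do: it does not delete the existing passwords, which is the step Julius recommends on top of this, and it deliberately keeps a password path for the exempt group, since SNC or ticket logon alone leaves no way in if the Kerberos or Portal side is down.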