on 12-19-2016 2:20 PM
Hello all,
We want to implement SAP SSO 3.0 in our SAP landscape through Active Directory and Kerberos / SAPGUI and SAP Secure client. All our SAP servers are running on Unix.
We have a large number of users who have different user names in AD and in SAP. My understanding is that for the Kerberos token to be accepted by the SAP system, the usernames in AD and SAP must be identical. Is that correct?
What are my options for those users that have different names in AD and SAP? I read somewhere that we can use AD aliases for the users. However, the AD owners do not want to use aliases on AD and it is costly. Likewise, we would prefer not to have to manually change the users in SAP so that their username matches the one on AD. Are there any other options available for us?
Many thanks
Andreas
Hi Andreas,
Your AD usernames must not match with the SAP usernames. That is quite normal and often the case.
If you use Kerberos you will always use the so-called implicit UPN, which is ALWAYS in the form of sAMAccountName@<AD-Domain-FQDN>. You just need to map this information in the user master --> SNC name (field pname) in the table USRACL using e.g. SU01. The system uses a function from the SNC library in order to convert this string into ASN.1 canonical name format. Once you have done that, you are fine for SAP GUI via Secure Login Client (SNC/Kerberos) as well as SAP Web AS via Browser (TLS/SPNego).
Cheers, Carsten
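The mapping described in the answer above, as an added example that is not part of the original thread: it builds one SNC name per SAP user from the implicit UPN (sAMAccountName@AD domain FQDN) and holds back entries that need review before they are maintained in SU01. The `p:CN=...` layout, the upper-cased realm, the CSV column names and the sample users are assumptions; check the name format against the SNC library in use.

```python
import csv
import io
from collections import defaultdict

# Assumed SNC name layout (not stated in the thread): "p:CN=<account>@<REALM>".
SNC_TEMPLATE = "p:CN={account}@{realm}"
UNSAFE = set("@,=")  # would change how the CN=...@realm string is read

def build_snc_names(mapping_csv, ad_domain_fqdn):
    """Return ({sap_user: snc_name}, [(sap_user, problem)]) for a mapping CSV."""
    realm = ad_domain_fqdn.strip().upper()  # assumption: realm is the upper-cased FQDN
    names, problems = {}, []
    owners = defaultdict(list)  # lower-cased AD account -> SAP users claiming it
    for row in csv.DictReader(io.StringIO(mapping_csv)):
        sap_user = row["sap_user"].strip().upper()
        account = (row["sam_account_name"] or "").strip()
        if not account:
            problems.append((sap_user, "no AD account mapped"))
        elif UNSAFE & set(account):
            problems.append((sap_user, "unsafe character in AD account"))
        else:
            owners[account.lower()].append(sap_user)
            names[sap_user] = SNC_TEMPLATE.format(account=account, realm=realm)
    # Hold back AD accounts claimed by more than one SAP user so the
    # mapping is reviewed instead of being loaded silently.
    for users in owners.values():
        if len(users) > 1:
            for user in users:
                names.pop(user, None)
                others = ", ".join(u for u in users if u != user)
                problems.append((user, "AD account shared with " + others))
    return names, problems

# Constructed sample data: SAP user IDs differ from the AD account names.
SAMPLE = """sap_user,sam_account_name
ASMITH,andreas.smith
BJONES,bjones
CLEE,
DKIM,BJones
EFOX,efox@other.example
"""

if __name__ == "__main__":
    snc_names, skipped = build_snc_names(SAMPLE, "corp.example.com")
    for user, snc in sorted(snc_names.items()):
        print(f"{user:8} {snc}")
    for user, why in skipped:
        print(f"SKIPPED {user}: {why}")
```
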