Skip to Content

SSO with Active Directory user mapping

Hello all,

We want to implement SAP SSO 3.0 in our SAP landscape through Active Directory and Kerberos / SAPGUI and SAP Secure client. All our SAP servers are running on Unix.

We have a big number of users that have different user names in the AD and different in SAP. My understanding is that for the Kerberos token to be accepted from the SAP system, the usernames in AD and SAP must be identical. Is that correct?

What are my options for those users that have different names in AD and SAP? I read somewhere that we can use AD aliases for the users. However, the AD owners do not want to use aliases on AD and it is costly. Likewise, we would prefer not to have to manually change the users in SAP so that their username matches the one on AD. Are there any other options available for us?

Many thanks


Add comment
10|10000 characters needed characters exceeded

  • Get RSS Feed

1 Answer

  • Best Answer
    Dec 20, 2016 at 07:17 AM

    Hi Andreas,

    your AD usernames must not match with the SAP usernames. That is quite normal and often the case.

    If you use Kerberos you will always use the so called implicit UPN, which is ALWAYS in the form of sAMAccountName@<AD-Domain-FQDN>. You just need to map this information in the user master --> SNC name (field pname) the table USRACL using e. g. SU01. The system uses a function from the SNC library in order to convert this string into ASN.1 canonical name format. Once you have done that, you are fine for SAP GUI via Secure Login Client (SNC/Kerberos) as well as SAP Web AS via Browser (TLS/SPNego).

    Cheers, Carsten

    Add comment
    10|10000 characters needed characters exceeded