
SSO with Active Directory user mapping

Dec 19, 2016 at 02:20 PM


Hello all,

We want to implement SAP SSO 3.0 in our SAP landscape through Active Directory and Kerberos / SAPGUI and SAP Secure client. All our SAP servers are running on Unix.

We have a large number of users who have different user names in AD and in SAP. My understanding is that for the Kerberos token to be accepted by the SAP system, the usernames in AD and SAP must be identical. Is that correct?

What are my options for those users that have different names in AD and SAP? I read somewhere that we can use AD aliases for the users. However, the AD owners do not want to use aliases on AD and it is costly. Likewise, we would prefer not to have to manually change the users in SAP so that their username matches the one on AD. Are there any other options available for us?

Many thanks

Andreas


1 Answer

Best Answer
Carsten Olt Dec 20, 2016 at 07:17 AM

Hi Andreas,

Your AD usernames must not match with the SAP usernames. That is quite normal and often the case.

If you use Kerberos you will always use the so-called implicit UPN, which is ALWAYS in the form of sAMAccountName@<AD-Domain-FQDN>. You just need to map this information in the user master --> SNC name (field pname) in the table USRACL using e.g. SU01. The system uses a function from the SNC library in order to convert this string into ASN.1 canonical name format. Once you have done that, you are fine for SAP GUI via Secure Login Client (SNC/Kerberos) as well as SAP Web AS via Browser (TLS/SPNego).

Cheers, Carsten


Hello Carsten,

Thank you very much for this, it was exactly what I wanted.

Regards

Andreas
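
The mapping described in the answer above, as an added example that is not part of the original thread and is not SAP code: it builds the SNC name for each SAP user from the implicit UPN sAMAccountName@<AD-Domain-FQDN> and flags entries to review before they are maintained in SU01. Assumptions: the `p:CN=` prefix and upper-case realm for the SNC name, the CSV column names, the domain `corp.example.com`, and all sample users, which are constructed.

```python
import csv
import io
from collections import defaultdict

# Characters AD does not allow in sAMAccountName; "@" is rejected here too,
# because it would make the user@REALM string ambiguous (added check).
FORBIDDEN = set('"/\\[]:;|=,+*?<>@')

def snc_name(sam_account_name: str, ad_domain_fqdn: str) -> str:
    """SNC name from the implicit UPN sAMAccountName@<AD-Domain-FQDN>.
    Assumption: "p:CN=" prefix and upper-case Kerberos realm."""
    sam = sam_account_name.strip()
    if not sam or len(sam) > 20 or FORBIDDEN & set(sam):
        raise ValueError(f"invalid sAMAccountName: {sam_account_name!r}")
    return f"p:CN={sam}@{ad_domain_fqdn.strip().upper()}"

def build_mapping(csv_text: str, ad_domain_fqdn: str):
    """Return ({SAP user: SNC name}, [problems to review])."""
    mapping, problems = {}, []
    owners = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        sap_user = row["sap_user"].strip().upper()
        try:
            name = snc_name(row["sam_account_name"], ad_domain_fqdn)
        except ValueError as exc:
            problems.append(f"{sap_user}: {exc}")
            continue
        mapping[sap_user] = name
        # AD account names are case-insensitive, so compare in lower case.
        owners[name.lower()].append(sap_user)
    for name, users in owners.items():
        if len(users) > 1:
            problems.append(f"{name} mapped to several SAP users: {', '.join(users)}")
    return mapping, problems

# Constructed sample export: SAP user name next to the AD logon name.
SAMPLE = """\
sap_user,sam_account_name
AMILLER,andreas.miller
JDOE01,jdoe
JDOE02,JDoe
BADUSER,bad:name
"""

if __name__ == "__main__":
    mapping, problems = build_mapping(SAMPLE, "corp.example.com")
    for user, name in mapping.items():
        print(f"{user:10} {name}")
    for problem in problems:
        print("REVIEW:", problem)
```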
