Using Active-Directory PW at SAP logon procedure

Hello,
I have the requirement not to use single sign-on for some systems with sensitive data, but would like to check the password from our central Active Directory during the SAP logon procedure.
Is there any best practice configuration or SAP / AD Win add-on solution available to connect SAP NW ABAP 7.40 on a Win2012 server with our Active Directory? Nearly all Windows-based applications can handle a PW check from application to AD. Is there any SAP or Partner implementation helpful to expand the SAP client internal User-PW check?
Thanks in advance for alternatives to the standard client SSO or any idea in the direction of using the Active Directory password within SAP logon.
Please give me a short feedback if you need more details.
regards,
Bernhard Mair
Goethe-Institut München

The SAP NetWeaver ABAP app server only accepts SAP user ID and password, or it can use SNC to authenticate the user when SAP GUI is used on a workstation. So, if you want the user to be prompted to enter their Active Directory credentials during a logon using SAP GUI, and you don't want SSO, then you need to purchase a third-party product.
Please note that SAP is not JUST a Windows-based application, as it can also be installed on Unix and Linux, so SAP have made it work in the same way on all platforms without any 'special' Windows authentication capabilities.
Thanks
Tim

Similar Messages

  • Client Certificate Mapping authentication using Active Directory across trusted forests

    Hi,
    We currently have a setup where the on-premises environment and the cloud environment are based on two separate forests linked by a 1-way trust, i.e., the exist in the on-premises AD and the 1-way trust allows them to use their
    credentials to login to a cloud domain joined server. This works fine with the Windows authentication.
    We are now looking at implementing a 2-Factor authentication using Certificate. The PKI infrastructure exists in the On-Premises Forest. The users are able to successfully login to on-premise servers configured with "AD CLient Certificate
    Mapping".
    However, we are unable to achieve the same functionality on the cloud domain joined servers. I would like to know
    1. Is this possible?
    2. If yes, what do we need to do to make this work.
    Just to clarify, we are able to authenticate using certificates by enabling anonymous authentication. However, we are unable to do the same after turning on "Client Certificate Mapping authentication using Active Directory"

    1. Yes!
    2. Before answering this I need to know if you are trying to perform a smart card logon on a desktop/console or if you just want to use certificate-based authentication in an application, like using a web application with client certificate requirements
    and mapping?
    /Hasain

    We will eventually need it for smartcard logon on to desktop/console. However, at present, I am trying to use this for certificate based authentication on a web application.
    To simulate the scenario, I setup up two separate forests and established a trust between them.
    I then setup a Windows PKI in one of the forests and issued a client certificate to a user.
    I then setup a web server in both the forests and configured them for anonymous authentication with Client SSL requirement configured.
    I setup a test ASP page to capture the Login Info on both the servers.
    With the client and the server in the same forest, I got the following results
    Login Info
    LOGON_USER: CORP\ASmith
    AUTH_USER: CORP\ASmith
    AUTH_TYPE: SSL/PCT
    With the client in the domain with the PKI and the server in the other Forest, I got the following response
    Login Info
    LOGON_USER:
    AUTH_USER:
    AUTH_TYPE: 
    I tried the configuration with the Anonymous Authentication turned off and the AD CLient Certificate mapping turned on.
    With the client and the server in the same forest, I am able to login to the default page. However, with the server in a trusted forest, I get the following error.
    401 - Unauthorized: Access is denied due to invalid credentials.
    You do not have permission to view this directory or page using the credentials that you supplied

  • MS active Directory Configuration on SAP 4.7 and ECC6.0

    Hello
    Can anybody guide me through the steps required for MS Active Directory configuration with SAP 4.7 on AIX
    and ECC 6.0 also on AIX 5.3?
    Currently we are using many different applications on client landscape.
    The requirement is for implementing the Single Sign On for all the applications
    on the client landscape.

    Please check
    /people/andre.fischer/blog/2008/06/04/windows-server-2008--active-directory-certified-for-the-bc-ldap-usr-directory-interface-for-user-management
    In Case you also have EP then
    /people/wai-hon.lam/blog/2006/04/20/windows-integrated-authentication-via-kerberos-on-an-ldap-data-source
    Also check below for SSO
    Note 121178 - NT: Installation note for SSO Single Sign On
    Note 138498 - Single Sign-On Solutions

  • LDAP Using Active Directory failed in BAM

    I tried to configure the LDAP Using Active Directory as described in the BAM installation guide 10.1.3.1.0.
    In appsetting, I gave the server name, username and password used by us. Then I restarted the active data cache and IIS. Then I tried to access the http:\\server\oraclebam. But it is throwing the following error. What shall I do?
    Exception Message The directory service is unavailable
    Stack Trace at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail) at
    System.DirectoryServices.DirectoryEntry.Bind() at System.DirectoryServices.DirectoryEntry.get_AdsObject() at
    System.DirectoryServices.DirectorySearcher.FindAll(Boolean findMoreThanOne) at
    System.DirectoryServices.DirectorySearcher.FindOne() at
    Oracle.BAM.Common.Security.Ldap.LdapAuthenticationTicket.Authenticate(String strName, String strPassword) at
    Oracle.BAM.Common.Security.Authentication.LDAPAuthenticationModule.GetPrincipal(ICredentials oCredentials) at
    Oracle.BAM.Web.Authentication.WebAuthentication.Authenticate(ICredentials oCredentials) at
    Oracle.BAM.Web.Authentication.WebAuthentication.Authenticate() at Oracle.BAM.Web.WebPage.ProcessRequest(Page oPage, String
    strAssembly, String strApp, String strType, String strMethod, String strParam)
    Debugging Information The directory service is unavailable [ErrorSource="System.DirectoryServices"] Debugging information:
    System.Runtime.InteropServices.COMException (0x8007200F): The directory service is unavailable at
    System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail) at System.DirectoryServices.DirectoryEntry.Bind() at
    System.DirectoryServices.DirectoryEntry.get_AdsObject() at System.DirectoryServices.DirectorySearcher.FindAll(Boolean
    findMoreThanOne) at System.DirectoryServices.DirectorySearcher.FindOne() at
    Oracle.BAM.Common.Security.Ldap.LdapAuthenticationTicket.Authenticate(String strName, String strPassword) at
    Oracle.BAM.Common.Security.Authentication.LDAPAuthenticationModule.GetPrincipal(ICredentials oCredentials) at
    Oracle.BAM.Web.Authentication.WebAuthentication.Authenticate(ICredentials oCredentials) at
    Oracle.BAM.Web.Authentication.WebAuthentication.Authenticate() at Oracle.BAM.Web.WebPage.ProcessRequest(Page oPage, String
    strAssembly, String strApp, String strType, String strMethod, String strParam)

    Hi,
    We are also facing the issue stated in the first thread. We followed everything specified in the LDAP PDF under TechNotes and still not able to access the BAM console successfully.
    The error we get is pasted at the end of this post. The request doesn't even seem to reach our LDAP server (configured in a remote system).
    A couple of clarifications required:
    1. Does our windows logon need to be the same as BAM console logon?
    2. I do not know the LDAP setting for my actual Windows logon. But I have retained my same usrId and have configured a user in LDAP with my own organization and other hierarchies. I have configured this userId with the complete hierarchy in BAM login management and have given admin access also to this user. Is this correct?
    An error occurred while processing your request
    Details...
    Exception Message The server is not operational
    Stack Trace at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail) at System.DirectoryServices.DirectoryEntry.Bind() at System.DirectoryServices.DirectoryEntry.get_AdsObject() at System.DirectoryServices.DirectorySearcher.FindAll(Boolean findMoreThanOne) at System.DirectoryServices.DirectorySearcher.FindOne() at Oracle.BAM.Common.Security.Ldap.LdapAuthenticationTicket.Authenticate(String strName, String strPassword) at Oracle.BAM.Common.Security.Authentication.LDAPAuthenticationModule.GetPrincipal(ICredentials oCredentials) at Oracle.BAM.Web.Authentication.WebAuthentication.Authenticate(ICredentials oCredentials) at Oracle.BAM.Web.Authentication.WebAuthentication.Authenticate() at Oracle.BAM.Web.WebPage.ProcessRequest(Page oPage, String strAssembly, String strApp, String strType, String strMethod, String strParam) ...
    Debugging Information The server is not operational [ErrorSource="System.DirectoryServices"] Debugging information: System.Runtime.InteropServices.COMException (0x8007203A): The server is not operational at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail) at System.DirectoryServices.DirectoryEntry.Bind() at System.DirectoryServices.DirectoryEntry.get_AdsObject() at System.DirectoryServices.DirectorySearcher.FindAll(Boolean findMoreThanOne) at System.DirectoryServices.DirectorySearcher.FindOne() at Oracle.BAM.Common.Security.Ldap.LdapAuthenticationTicket.Authenticate(String strName, String strPassword) at Oracle.BAM.Common.Security.Authentication.LDAPAuthenticationModule.GetPrincipal(ICredentials oCredentials) at Oracle.BAM.Web.Authentication.WebAuthentication.Authenticate(ICredentials oCredentials) at Oracle.BAM.Web.Authentication.WebAuthentication.Authenticate() at Oracle.BAM.Web.WebPage.ProcessRequest(Page oPage, String strAssembly, String strApp, String strType, String strMethod, String strParam) ...
    Assembly StartPage
    State Oracle.BAM.StartPage.StartUp
    Event Initialize
    Thanks,
    KM

  • Connected to Domain but can't log in using Active Directory Credentials

    Hey everyone.  I've been working on this issue for two weeks now, and I don't know what else to try.  I'm connected to my domain but cannot get my Macbooks to log in using Active Directory credentials both through our wireless network, and hard wired with an ethernet cable.  The weird part about it is that it is not uniform all across our network.  This only happens to certain Macbooks and as of right now there doesn't seem to be a pattern.  I can say that it has happened to all new Macbook Pros that we have ordered lately though.
    We use Jamf to manage our Macs on our network, and ever since upgrading to a new version (9.01 and now 9.1) we have had this issue.  However I can't connect after manually adding the domain either, so for now it makes me think it is not a Jamf issue.  Has anyone dealt with this issue before, that might know of a fix?  Thanks!

    Hi Burnettb1,
    I have come across a similar issue as yours.  I have included the instructions that I use to bind the Mac at my institution.  In regards to wifi, I have not tried binding the Mac over wifi. Should you need to log in to a Mac with domain user credentials I would suggest to bind the Mac over ethernet.  Once you get to the:
    "*Click on triangle to the left of Show Advanced Options to expand"
    portion of the instructions click on the Mappings tab and select the checkbox for creating a mobile account at login.  This will create a domain user profile on the machine that you can log into when not connected to the domain.
    Hope this helps.
    BIND iMac:
      Log in to iMac using administrative credentials
      Open System Preferences
        *Go to Users & Groups
        *Click on lock in lower left-hand corner
        *Use same password used to log into iMac
        *Click on Login Options
        *Click on ‘Join...’ button right of "Network Account Server: "
        *Click on ‘Open Directory Utility…’ button
        *Click on lock in lower left-hand corner
        *Use same password used to log into iMac and click on Modify Configuration
        *Double-click on Active Directory
          Active Directory Domain = domain
          Computer ID = name of Mac
        *Click on triangle to the left of Show Advanced Options to expand
          *Click on Administrative tab
          *Check Prefer this domain server
            Type domainserver_ipaddr -or- servername.domain in this field
          *Click on ‘Bind…’ button
          *When prompted for network administrator login
            username = [domain admin user]
            pwd = [domain user password]
          *Click OK (Note: search path will be updating. Until completed the ‘OK’ button will be greyed out)
          *Click OK
          *Click lock to lock and close window
        *Click lock to lock and close window
    BIND CHECK:
      *Search AD for added Mac host - it should be there.
      Open Terminal app by either:
        1)
          *Press command+spacebar
          *Type Terminal and select app
        2)
          *Click on desktop
          *Press shift+command+A
          *Go to Utilities folder located within Application folder (which you should be in) and open Terminal
      *Once Terminal is opened type in id [domain username] and press return key. The output should be some network account information
      *Close app by pressing command+Q and any other opened windows
      *Restart iMac
      *Log in

  • Oracle 9i/10G DB authentication using Active Directory (with out OID)

    Hello All,
    We want to use a Single-Password authentication scheme using the Active
    Directory as the primary source for userId/Password.
    We don't want to use the Active Directory and OID bridge.
    As we have many databases and would like to configure all Databases to use Active
    Directory for Authentication. Our goal is to have single id/password across all
    the databases and any user should be able to login from any computer using their
    windows id/password, note that we don't want to use the OSAuthentication.
    We have read the documents provided by oracle for authentication using Active
    Directory, we were able to create Oracle Schema in Active Directory and were
    also able to register a DB with Active Directory and then created user as global
    user in Oracle Database and provided the DN of the user. When we tried
    authenticate with all this setup it comes back and says invalid ID/Password !!!
    And with 10G database we get the Oracle Error ORA-03113: end-of-file on communication channel !!
    Has any one tried or have information on Integrating Oracle to Auth against Active Directory?
    Environment:
    Oracle DB Version: 9.2.0 and also tried on 10.0.1 with same results
    Operating System: Windows 2000/ Windows 2000 Server
    Constraint: We don't want to use OID (as we don't have a license for this
    product!)

    I have a thread started similar to your request.
    OS Authenication on Windows
    Somewhere I read this. It works on Oracle 9i on Linux, but I have not tried it with Oracle 9i on Windows.
    SHOW PARAMETER OS_AUTHENT_PREFIX;
    SHOW PARAMETER REMOTE_OS_AUTHENT;
    CREATE USER OPS$SOMEUSER IDENTIFIED EXTERNALLY;
    GRANT CREATE SESSION TO OPS$SOMEUSER;
    For the username, I wonder if we are supposed to put the Windows Domain name as part of the username? Such as, for a Windows domain user MyDomain\SomeUser
    CREATE USER OPS$MYDOMAIN\SOMEUSER IDENTIFIED EXTERNALLY;
    I really wish Oracle or somebody created a guide or book on how to do this.

  • How use Active X object in sap 2005A SP14

    How to use Active X object in sap 2005A SP14 with usercontrol in vb.net
    or control in vb.net? Please show example code.
    Thanks in advance

    Hi,
    I try to use this sample too (C# version) but it does not work properly.
    I got two different COMExceptions at line 75:
    fTree = SBO_Application.Forms.AddEx( CP );
    Message: Form - already exists.
    and at line 114:
    AcXTree.ClassID = "MSComctlLib.TreeCtrl.2";
    ErrorCode=-2147417851
    Ausnahme von HRESULT: 0x80010105 (RPC_E_SERVERFAULT)
    I don't know the reason - but i am searching...
    Edited by: David Kostenzer on Feb 20, 2008 4:48 PM

  • Time Machine Backup using Active Directory account

    I have two macbook pros (running 10.6.4) using Active Directory accounts and I am trying to backup them up to an Active Directory integrated XServe (running 10.6.4) with a shared Time Machine backup point. I open Time Machine preferences, select the disk, entering username and password, and it starts trying to make the backup disk available. However, it quits and gives me the following error - the network backup disk could not be accessed because there was a problem with the network username and password. The username and password are correct. I have tried three different accounts and they all produce this error.

    This happened to be an issue with AFP. I had AFP authentication set to use Kerberos. I changed it to use "Any Method" and it is working properly.

  • Portal Authentication using Active Directory

    I am trying to set up authentication using Active Directory. Can anyone provide me with instructions on what to do? I know that I have to go to System Admin -> System Configuration -> UM configuration and change the Data Source. What else do I need to do? How do I specify which domain to authenticate against? Do I have to change the XML file? Please help.

    It depends on what you wanna do with the AD server. If you want to read/write on the AD then you have to first set up an SSL connection between the two boxes. Else if you just want to read from the AD server you don't require an SSL connection. Then you have to select the hierarchy type in the System Admin -> System Configuration -> UM configuration. Save.
    Next thing you do is to open the config tool and modify your xml file accordingly.
    And restart the server.
    Hope this helps.
    Regards,
    Hassan

  • ThinkVantage Technology Deployment using Active Directory

    I am attempting to automate the deployment of Rescue and Recovery using Active Directory for about 50 laptops. So far, I've read through all of the Lenovo documentation for RnR deployments, none of which is useful. The deployment guide has broken links, the section "Corporate Active Directory Rollout" is incomplete, the command line options aren't clearly written, and the AD instructions end with 'then deploy settings using a registry edit'.
    My goal is to configure the laptops to automatically backup to a network share once a week, in the background, without any user intervention. So far, almost everything that I've tried in my test environment has led to failure.
    First step, install the software. I can't deploy via Group Policy, as the installation doesn't seem to end up working. I did the administrative install to a network location, then published the program via AD. After the reboot, I'll click the RnR shortcut in the start menu, and nothing happens. I've also tried creating a batch file that runs rrcmd.exe to create a backup, but that fails too "Service not found". So I resort to installing manually.
    Next, I try to configure the network location via Group Policy and the supplied ADM file. I set the destination path for MND to \\server\%computername%\, but that fails, as MND tries to connect to a share called %computername% instead of what the system variable says. To get around this, I had to create an MND batch file that edits the MND info right before the backup, which doesn't seem to always work.
    Now, if mid-backup the user disconnects from the network, there is a series of Delayed Write errors. That's not acceptable.
    Also, if I set the backup location to local via GP, then change it to network, the backup command still reads "L", even after a reinstall of the software with the "local" location set to 0 in group policy.
    Are there any tips to help ease this deployment?
    Thank You

    I think I figured it out! You can do exactly what I was doing.
    The solution seemed to be I was missing:
    orcluserprincipalname=<ADUser>@<domain>
    orclsamaccountname=<name>
    objectclass=orclADUser
    You need at least the first and third one in order for it to work ( adding them is another story - you are on your own for that :-) ).
    FYI I found this in the document that I have been using all day (but I didn't pay close enough attention as I missed that part) Doc ID: Note:277382.1
    which can be found on metalink.

  • SAP CRM 5.2 user authentication using active directory

    hi,
    we have a need to authenticate users logging in to SAP CRM 5.2 based on Active Directory user name and password.
    The scenario is such that users should be able to use their Windows logon credentials for logging into SAP CRM 5.2
    any ideas or pointers will be appreciated
    thank you.

    RH,
    Actually you can do this, but you need a third party product like SECUDE, or other provider to accomplish this without using the portal.  I think even with the portal it still might require some type of plugin or work.
    You basically have to set up your CRM system to accept SAP logon tickets, and then the authenticating system needs to issue an SAP Logon ticket.
    So yes it can be done, but requires more software than what is delivered with your SAP system. 
    Take care,
    Stephen

  • Ms-Active Directory integration with SAP 4.7 SR2 through LDAP Connector

    Dear Gurus,
    Let me clarify the scenario:
    At our end, we are planning for SSO, we are integrating Microsoft ADS with SAP 4.7 IDES
    Following are the system details:
    SAP: IDES 4.7, on Windows 2000 Advance Server, Oracle 8.1.7.,Kernel-620
    MS-Active Directory: Windows 2003 Enterprise Edition, with Service Pack-1
    With the above-mentioned landscape we have integrated the LDAP Connector on MS Active Directory. On the MS Active Directory OS side we have tested the command (ldap_rfc -a LDAP_ADS -g ides.ho.com -x sapgw00), then we tested it through an RFC in SAP 4.7 (IDES), with result success.
    Everything is fine, I'm able to log on through the user, but when I try to search objects in LDAP (i.e. ADS) through "FIND", I get the error message "operation Failed".
    Referred note 511141 for the error.
    Can't find anything more.
    Required help...
    Regards,
    SHAH

    Dear Juergen,
    As of we have applied the SP-level till 40.
    Through LDAP tcode we are able to Logon to the Directory server, and we
    are also able to search, through FIND,
    the system displays all entries below the specified base entry.
    After that we are trying to synchronize it, using report RSLDAPSYNC_USER through SE38, but it's showing the following errors:
    Connection created to Server LDAP_ADS (successfully with Green)
    Operation Failed (Error with Red)
    Error message: LDAPRC001
    LDAP_SEARCH failed (Error with Red)
    Error message: LDAPACCESS101
    The System could not create directory objects pool (Error with Red)
    Error message: LDAPSYNC005
    Connection to LDAP_ADS server terminated
    As for first Error: Error message: LDAPRC001, we referred Note 511141,
    Response: "This error msg does not mean that the SAP System sent incorrect data".
    For Error message: LDAPACCESS101 and Error message: LDAPSYNC005, we referred to 696021 and 695026
    Response: to apply the correction change, as our SP level is above the requirement, we have
    level-40.
    Unable to get further, any solution/suggestion.
    Bye for now.
    Regards,
    Shaibaz

  • MS Active Directory (LDAP) and SAP Integration

    Hi all!
    don't know if I'm right here in this forum, but:
    I'm using MS Windows Server 2003 and installed Active Directory as LDAP-System on the one hand side, on the other I'm using a 6.20 ABAP Web AS.
    I'd like to synchronize the User Storage on these two systems.
    Does anyone have experience in doing this? I'm facing a tricky exception in depth of my customizing too complex to explain right now. The problem concerns the mapping of LDAP-Fields and SAP-Fields.
    Thankx,
    Christoph

    Hi Christoph,
    This is the mySAP ERP forum. Perhaps you can post your question in the Web AS forum (SAP NetWeaver Application Server).
    For now: here is a link to a video regarding SAP Active Directory integration:
    https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/documents/a1-8-4/sap active directory integration,%20SSO%20and%20User%20Management%20Webinar.wrf
    I found it by searching on Active Directory here on sdn:
    https://www.sdn.sap.com/sdn/search.sdn?contenttype=url&content=/irj/servlet/prt/portal/prtroot/pcd!3aportal_content!2fSDN!2fiViews!2fFramework!2fcom.sap.sdn.advsearch%3Fprttheme%3DCSIN%26QueryString=active%20directory%26searchDatasource=SDNContent
    Cheers,
    Noel

  • Use of JCo destinations with SAP Logon Ticket

    I would like a clarification about the use of a connection pool in a JCo destination using the SAP Logon Ticket connectivity: do I have the same functionality around the pool connection if I use the SAP logon ticket instead of a user/password inside a JCo destination defined in the Web Dynpro content administrator?
    Thanks in advance,
    Regards,
    Eric.

    Hello Eric,
    There is only one difference between the ticket and user/password authentication methods:
    By using a ticket
    "For SSO specify the user to be $MYSAPSSO2$ and pass the base64 encoded ticket as the passwd parameter."
    and for user/password you are passing user and password.
    So, there is no difference from connection pool management or behavior perspective.
    Best regards, Maksim Rashchynski.
    P.S.
    Link to JCo javadoc, it can be useful:
    http://media.sdn.sap.com/html/submitted_docs/60_sp2_javadocs/sapjco/com/sap/mw/jco/JCO.html

  • Import Active Directory Data into SAP HR

    We are currently working on updating user data in Active directory from data stored in SAP HR via the LDAP Connector. This is working great! The question is what is required to make this happen the other way around. Ex  Employee email address is stored in AD and we want to update IT105 email address from Active directory.
    Thanks in Advance!
    Tariq Khan

    Hello Tariq,
    I am also trying to find out the way for flowing data from AD to SAP HCM IT0105.
    If you found the solution, it would be a great help if you could pls share the solution.
    Hoping for the favorable response.
    Thanks in advance.
    Best Regards,
    Tauseef
