Questions on Multi forests scenario

Hi All,
One of our customers raised the questions below:
Environment
Forest A
Domain (Contoso.com)
User accounts
Exchange 2010 + UM role
Forest B
Domain (Fabrikom.com)
Lync 2013 server with EV enabled.
We have Two way Trust and FIM in place.
Questions
Are there any restrictions on functionality when setting up users/Exchange in one forest and Lync in another forest with a two-way trust and FIM?
With the two-way trust, can the permissions/access to resources and services in Forest A be restricted from Forest? And is this supported in the aforementioned design?
Please advise. Many thanks.

Hi,
Based on my knowledge, it is a supported scenario to deploy users/Exchange and Lync Server in different forests.
You need to establish a two-way trust between the resource forest and the user forests to enable distribution group expansion when groups from the user forests are synchronized as contacts to the resource forest.
Best Regards,
Eason Huang
Eason Huang
TechNet Community Support

Similar Messages

  • Question about MP affinity in a multi-forest scenario without AD publishing

    I am looking at deploying an SCCM system that will feature multiple forests and the caveat of NOT being able to use any sort of AD publishing or schema extension. Knowing this, and that
    clients will use the MP residing in their forest by default...
    When AD publishing is not leveraged, will a client in a remote forest use the MP located within its forest?
    If true, does this become a single point-of-failure when the client can't communicate with the MP in its forest?

    AD publishing does not affect affinity at all. AD publishing simply provides a "bootstrap" location method where a client can find an MP if it has no knowledge of any MPs in the site. However, the choice of which MP to use is never based upon this bootstrap location from AD. Clients always query an MP to determine which MP to use (thus the need for the bootstrap process; otherwise you're stuck with chicken-and-egg).
    Also remember that this is just "affinity" and thus not truly guaranteed, although in nearly all cases that I've seen/used this, it does follow the affinity pretty well.
    Jason | http://blog.configmgrftw.com | @jasonsandys

  • Question with multi-mapping 1:n split scenario

    Hi,
    I have a scenario with the following requirement:
    R3 --> XI --> Multiple files
    I used a multi-mapping scenario using message mapping to get the following output:
    <ns0:Messages xmlns:ns0="http://sap.com/xi/XI/SplitAndMerge">
    <ns0:Message1>
    <Transaction> </Transaction>
    <Transaction> </Transaction>
    </ns0:Message1>
    </ns0:Messages>
    Each <Transaction> </Transaction> produces a file at runtime. So far so good.
    Now, there was a new requirement to introduce a DTD line as the first line in each of the target files created, which looks as follows:
    <!DOCTYPE Transaction PUBLIC "-//XXXXX//DTD BatchReceiptAuthorization//EN" "http://dtd.XXXXX.com/dtds/ReceiptAuthorization.dtd">
    How do I go about introducing this header line above the <Transaction> node in each and every target file that is created by the multi-mapping? This header line is not a part of the target schema and hence cannot be mapped as a constant element in the target.
    Any suggestions/ideas as to how this can be done?

    Hi Gautam,
    I did use a Java mapping as a second step after the message mapping, so that the DTD line can be introduced as a header for each target message/file written by the multi-mapping in the first step.
    In my scenario, I sent the input stream that is passed to the Java execute method to trace, and I see that the whole XML file, as shown below (the output of the message mapping from the first mapping step), is sent to the execute method of the Java mapping in a single call:
    <ns0:Messages xmlns:ns0="http://sap.com/xi/XI/SplitAndMerge">
    <ns0:Message1>
    <Transaction> </Transaction>
    <Transaction> </Transaction>
    </ns0:Message1>
    </ns0:Messages>
    So I modified the Java mapping program to look for multiple occurrences of the <Transaction> tag and prefix them with my constant DTD literal, which is the primary reason why I had to use a Java mapping after the message mapping.
    Now I get an error in XI SXMB_MONI:
    <SAP:Error xmlns:SAP="http://sap.com/xi/XI/Message/30" xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/" SOAP:mustUnderstand="">
    <SAP:Category>XIServer</SAP:Category>
    <SAP:Code area="MAPPING" />
    <SAP:P1>unexpected symbol; expected '<'</', entity refe</SAP:P1>
    <SAP:P2>rence, character data, CDATA section, processing i</SAP:P2>
    <SAP:P3>0</SAP:P3>
    <SAP:P4>113</SAP:P4>
    <SAP:AdditionalText />
    <SAP:ApplicationFaultMessage namespace="" />
    <SAP:Stack>The exception occurred (program: CL_XMS_MAIN===================CP, include CL_XMS_MAIN===================CM00A, line: 609)</SAP:Stack>
    <SAP:Retry>M</SAP:Retry>
    </SAP:Error>
    Can you help me out here ?

  • Auto-mapping of shared mailboxes in a resource forest scenario

    In a resource forest scenario you assign full access to a shared mailbox using:
    Add-MailboxPermission -Identity SharedMailbox -User AccountForestDomain\UserID -AccessRights FullAccess
    This provides the user in the account forest full access, but it will NOT auto-map the shared mailbox in Outlook.
    If you use the command:
    Add-MailboxPermission -Identity SharedMailbox -User UserID -AccessRights FullAccess
    and UserID is the disabled account of the linked mailbox in the resource forest then the user in the account forest does not have the necessary permission to
    open the mailbox, but the auto-mapping of the mailbox in Outlook works.
    You have to use both commands to have the auto-mapping feature and have access to the shared mailbox.
    This looks like another issue of the auto-mapping feature. The intention of the feature is good, but the way it was implemented can be improved.
    How do you configure full access to shared mailboxes in a resource forest scenario?

    Hi J-H,
    Because I don't have such a lab environment, I am unable to do a test.
    Now let's separate the issue.
    1. The first issue is that [email protected] is unable to auto-configure the Outlook profile.
    I suggest changing the user's attributes in the account forest; does it work?
    2. The second issue is that [email protected] is unable to open a shared mailbox in the resource forest.
    At first, I suggest you create a shared mailbox in the resource forest with this command:
    New-Mailbox -Name <name> -Database <Database name> -OrganizationalUnit Users -UserPrincipalName <UPN value, example: [email protected]> -<ResourceType: Room, Equipment or Shared>
    Managing Resource Mailboxes in Exchange Server 2007 (Part 1)
    Then test if you can log on to the shared mailbox via Outlook.
    If yes, then grant full access rights for [email protected] to [email protected].
    Resources:
    Shared mailbox permission in resource forest with linked users
    Manage Full Access Permissions

  • Requirements for file to multi file scenario

    Hi,
    Please tell me what the system requirements (of the XI system) are for running file to multi-file scenarios.
    Also, are there more requirements for some other similar scenarios?

    Refer to this blog:
    /people/sravya.talanki2/blog/2005/08/16/configuring-generic-sender-file-cc-adapter
    1. If you want to split the file coming from the sender, then you will have to use multi-mapping.
    /people/jin.shin/blog/2006/02/07/multi-mapping-without-bpm--yes-it146s-possible
    2. If you want to send the same file to all the receivers, then it would be better to configure multiple receivers in the same receiver determination step.
    Questions are welcome here!!
    Thanks,
    Abhishek Agrahari

  • VDI in multi forest

    Hello everyone,
    We have a situation with Remote Desktop Services with virtual desktops where we are limited in our possibilities. We have a multi-forest domain structure with trusts between the forests; some trusts are two-way trusts, some trusts are one-way trusts and some forests have no trust at all.
    We are trying to implement an RDS solution with virtual desktops; the servers are in domain 1 and the client VDI VMs are in domain 2. Our question is in which trust configuration this is supported, and is there any documentation?
    Our consideration is that we are not flexible and we need a hardware cluster for every forest, and it's getting very expensive.
    Thanks in advance; I hope to get a trustworthy answer.
    Kind regards,
    Jasper Sybrandy

    Hi,
    Sorry for the late response. There seems to be no good document regarding your case, but you can refer to the article below.
    Test Lab Guide: Virtual Desktop Infrastructure Quick Start
    https://technet.microsoft.com/en-in/library/hh831585.aspx
    Thanks.
    Dharmesh Solanki

  • Few questions on EB-SUS scenario?

    Dear Experts,
    I have a few questions on the EB-SUS scenario which you may help with your expertise. It will be helpful for those who are new to the scenario.
    1. Is the EB (Enterprise Buyer or SRM)-SUS scenario used for requesting external staff? Can it be used for non-stock or free-text items in extended classic? Does it support direct material procurement?
    2. Does EB-SUS or SRM-SUS support service items with hierarchy like MM-SUS?
    3. Is the EB-SUS scenario basically an extended classic or standalone scenario? But in the extended classic scenario, does it support only the purchase order and PO response scenario? What BAdIs or customization is required to enable the confirmation and invoice for extended scenarios?
    Full marks for good answers !!!
    Thanks and regards,
    Ranjan

    Hi,
    I am also interested in this question with another view of it:
    - Can SUS be used together with SRM (EB) for consumables in standalone scenario?
    - What are your experiences with SUS in general? I foresee that we would need some add-on development to the solution; is this easily done or does it take a lot of effort?
    Thanks for any good input
    Fredrik

  • Question on Untrusted Forest and Roles Required.

    Hi, I need some help understanding untrusted forests and system roles.
    All my untrusted forests are well connected to each other; they are all in the same data-center for that matter.
    Is at least 1 site system role (MP?) required in an untrusted forest to manage those clients in each untrusted forest from the Pri?
    I read this blog here, 
    http://blog.coretech.dk/kea/multi-forest-support-in-configmgr-2012-part-i-managing-clients-in-an-untrusted-forest/
    But one of the readers posted at the bottom of the blog that it is not supported, referencing TechNet.

    More info:
    Cross Forest Support in ConfigMgr 2012 Part 2: Forest Discovery, Publishing, and Client Push Installation
    http://blogs.technet.com/b/neilp/archive/2012/08/21/cross-forest-support-in-configmgr-2012-part-2-forest-discovery-publishing-and-client-push-installation.aspx 

  • Multi-Forest LDAP Authentication

    Hi Guys
    We are trying to implement authentication and import across multiple domains
    We originally tried to build our own custom code but this has failed due to some unforeseen errors.
    I have reverted back to the inbuilt CIAC option for import person and EUA.
    The import for one domain is working; however, I wish to use multiple forests and to add a unique identifier to the login name to avoid login name clashes, for example:
    ASE\#sAMAccountName#
    or
    #userPrincipalName#
    When I try to add this I receive the error that no person was found in the result of the LDAP getperson search.
    I have tried the format for EUA as:
    uid=#LoginId#,dc=ase,dc=internal
    DomainName\#LoginId#
    #LoginId#
    Any help will be greatly appreciated.
    Regards,
    Matt

    If you are logging into Java (i.e. Tomcat 5.5) and have set up a krb5.ini, all users that are not in the default domain need to log on with username@FQDN.COM, where FQDN.COM is their fully qualified domain name in all caps. That FQDN.COM should be entered in the krb5.ini (in all caps) with at least 1 KDC defined.
    Do a search on SMP (look at the forum sticky for the link) for rules for krb5.ini; I have a more in-depth explanation for multi-forest and multi-domain as it pertains to the krb5.ini.
    To verify AD connectivity is OK, use a client tool like Deski/Designer/Business Views. Since these tools don't use Java you can log on with domain\user (no case sensitivity).
    Also to note, urgent issues should open cases with support; the forums are not the place and it is against the rules of engagement (also in the sticky post).
    Regards,
    Tim

  • FSCM in Multi System Scenario

    Hi,
    We are doing the ALE configurations for the Multi System Scenario and found during testing that dispute case creation is not happening in the Dispute Case Processing System but only in the Accounts Receivable system.
    Here is a brief summary of what we have done so far:
    In the Financial Accounting System (System ID6, R/3 4.7) we have done basic FI and CO configuration. We have also done the steps of creating the Logical System, the RFC Destination for BAPI calls and the RFC Destination for dialog calls, created the Distribution Model and distributed it to the Dispute Case Processing system. A Partner Profile was also created and the outbound message type SYNCH assigned. We tried to activate business objects in the outbox for the object type BUS2022, but when checking the Consistency Check (Serialization using object type), it is shown as Inactive.
    In the Dispute Case Processing System (EC6, ECC 6.0) we created the Logical System, checked the availability of the Distribution Model and activated business objects in inbound for object type BUS2022. Here we get an error in the consistency check (Serialization using object type): "No partner destination found".
    Please help us in resolving this and let me know if you need more information.
    Regards
    Hari

    Mark, thanks for your reply.
    Can you briefly explain how this works?
    I have a company code set up in the FA system. The customers in FI are called Business Partners in FSCM.
    This company code is not there in the ECC 6.0 system, which is the FSCM system.
    Now, how will the customers in the R/3 system be created as Business Partners in the FSCM system?
    Regards
    Hari

  • Question regarding multi processes in ABAP

    Hi
    We have written an ATC/Checkman check implementation.
    As we know, the ATC/Checkman framework checks objects in object bundles of 50.
    Inside the check implementation we have to make a remote HTTP call. That will be valid for all n instances.
    So the number n is determined by the total number of objects / 50.
    Question
    In this multithreaded scenario, how can we introduce a static variable which will be thread-safe (making sure no two parallel threads write to it at the same time)?
    Any suggestions/help?
    If you need more context I can explain more.
    Thanks & Regards,
    Piyush

    This could be answered with the general thread concept in ABAP:
    if we have to avoid parallel writes on a static variable, how do we do that?

  • Multi System scenario in FSCM

    Hi,
    We are implementing FSCM with the multi system scenario, so could anyone brief me on how to set up the connection between Dispute Management and R/3? We are using ECC 6.0 for FSCM and 4.7 for R/3.
    Could anyone clarify the points below for me?
    1. How to set up RFCs between ECC 6.0 and R/3. I have maintained the RFC in R/3 as well as in FSCM but am not able to establish communication/create disputes.
    2. What other setup needs to be done to enable the communication between the two systems?
    3. Actually, how will we create disputes in the multi system scenario?
    It would be great if you could clarify the above points for me.
    Thanks in advance,
    Sunil

    Hi,
    Please see the link below.
    http://help.sap.com/saphelp_sm32/helpdata/EN/b3/dd773dd1210968e10000000a114084/content.htm
    Anil

  • RFC to multi file scenario

    Hi,
    I have to carry out an RFC to multi-file scenario. The requirement is that errors generated in whatever part XI handles have to be reported. Is this possible in this scenario? What can the mechanism be?
    I want to report these errors via mail to an e-mail ID.
    Since I haven't done this scenario, I would appreciate it if a link for carrying this out step by step were given. Also tell me what configuration for receiving the RFC has to be done on XI and R/3.

    Hi Arpit
    Go through these blogs for the query.
    For email alerts:
    /people/aravindh.prasanna/blog/2005/12/24/configuring-scenario-specific-e-mail-alerts-in-xi-ccms-part-2
    /people/aravindh.prasanna/blog/2006/02/20/configuring-scenario-specific-e-mail-alerts-in-xi-ccms-part-3
    /people/sap.user72/blog/2005/01/14/alert-management--improving-monitoring-of-your-landscape
    /people/michal.krawczyk2/blog/2005/09/09/xi-alerts--step-by-step
    You have to do SMTP Configuration for EMail and SMS.....
    http://help.sap.com/saphelp_nw04/helpdata/en/af/73563c1e734f0fe10000000a114084/content.htm
    Thanks !!

  • SQL 2008 Trigger to handle multi rows scenario

    I have created the trigger below to start logging the company changes from Table1 into another audit table. It works fine with a single row but crashes with an identical change on multiple rows. Can you please help me to update the trigger to handle the multi-row scenario? Thanks.
    GO
    IF NOT EXISTS (SELECT * FROM sys.objects
                   WHERE object_id = OBJECT_ID(N'[dbo].[Company_AuditPeriod]') AND type IN (N'U'))
    CREATE TABLE [dbo].[Company_AuditPeriod](
          [Client] [varchar](25) NOT NULL,
          [Period] [varchar](25),
          [Table_Name] [varchar](25),
          [Field_Name] [varchar](25),
          [Old_Value] [varchar](25),
          [New_Value] [varchar](25),
          [User_ID] [varchar](25),
          [Last_Update] [datetime],
          [agrtid] [bigint] IDENTITY(1,1) NOT NULL
    ) ON [PRIMARY]
    GO
    --create trigger
    SET QUOTED_IDENTIFIER ON
    GO
    CREATE TRIGGER [dbo].[Table1_Update]
    ON [dbo].[Table1]
    FOR UPDATE
    NOT FOR REPLICATION
    AS
    BEGIN
        DECLARE @status      varchar(3),
                @user_id     varchar(25),
                @period      varchar(25),
                @client      varchar(25),
                @last_update datetime
        DECLARE @Old_status  varchar(3),
                @Old_user_id varchar(25),
                @Old_period  varchar(25),
                @Old_client  varchar(25)

        -- scalar variables hold only one row of Inserted/Deleted, whatever the statement touched
        SELECT @status      = status,
               @user_id     = user_id,
               @period      = period,
               @client      = client,
               @last_update = last_update
        FROM Inserted

        SELECT @Old_status  = status,
               @Old_user_id = user_id,
               @Old_period  = period,
               @Old_client  = client
        FROM Deleted

        IF @Old_status <> @status
            INSERT INTO Company_AuditPeriod
            VALUES (@client, @period, 'Table1', 'period', @Old_status, @status, @user_id, @last_update)
    END
    GO

    Sorry for the confusion.
    I just made sure the table name is the same in the sys.objects statement and the CREATE TABLE statement (there was a typo):
    IF NOT EXISTS (SELECT * FROM sys.objects
                   WHERE object_id = OBJECT_ID(N'[dbo].[Company_AuditPeriod]') AND type IN (N'U'))
    CREATE TABLE [dbo].[Company_AuditPeriod](
    Earlier you created the trigger on Company_AuditPeriod, but we have to create the trigger on Table1, please, with the multi-row scenario. Thanks.
    --Company_AuditPeriod DDL
    GO
    IF NOT EXISTS (SELECT * FROM sys.objects
                   WHERE object_id = OBJECT_ID(N'[dbo].[Company_AuditPeriod]') AND type IN (N'U'))
    CREATE TABLE [dbo].[Company_AuditPeriod](
          [Client] [varchar](25) NOT NULL,
          [Period] [varchar](25),
          [Table_Name] [varchar](25),
          [Field_Name] [varchar](25),
          [Old_Value] [varchar](25),
          [New_Value] [varchar](25),
          [User_ID] [varchar](25),
          [Last_Update] [datetime],
          [agrtid] [bigint] IDENTITY(1,1) NOT NULL
    ) ON [PRIMARY]
    GO
    --Table1  DDL
    CREATE TABLE [dbo].[Table1](
    [bflag] [int] NOT NULL,
    [client] [varchar](25) NOT NULL,
    [copies] [int] NOT NULL,
    [cost_bio] [decimal](28, 8) NOT NULL,
    [cost_cpu] [decimal](28, 8) NOT NULL,
    [cost_dio] [decimal](28, 8) NOT NULL,
    [date_ended] [datetime] NOT NULL,
    [date_started] [datetime] NOT NULL,
    [description] [varchar](255) NOT NULL,
    [expire_days] [int] NOT NULL,
    [func_arg] [varchar](255) NOT NULL,
    [func_id] [int] NOT NULL,
    [ing_status] [int] NOT NULL,
    [invoke_time] [datetime] NOT NULL,
    [last_update] [datetime] NOT NULL,
    [mail_flag] [tinyint] NOT NULL,
    [me_mail_flag] [tinyint] NOT NULL,
    [module] [char](3) NOT NULL,
    [order_date] [datetime] NOT NULL,
    [orderno] [int] NOT NULL,
    [output_id] [int] NOT NULL,
    [poll_status] [char](1) NOT NULL,
    [printer] [char](16) NOT NULL,
    [priority] [char](1) NOT NULL,
    [priority_no] [int] NOT NULL,
    [process_id] [int] NOT NULL,
    [report_cols] [int] NOT NULL,
    [report_id] [varchar](255) NOT NULL,
    [report_name] [varchar](25) NOT NULL,
    [report_type] [char](1) NOT NULL,
    [server_queue] [char](12) NOT NULL,
    [status] [char](1) NOT NULL,
    [step_id] [char](8) NOT NULL,
    [system_name] [char](8) NOT NULL,
    [used_bio] [int] NOT NULL,
    [used_cpu] [int] NOT NULL,
    [used_dio] [int] NOT NULL,
    [user_id] [varchar](25) NOT NULL,
    [variant] [int] NOT NULL,
    [agrtid] [bigint] IDENTITY(1,1) NOT FOR REPLICATION NOT NULL,
     CONSTRAINT [PK_acrrepord001] PRIMARY KEY NONCLUSTERED
    (
    [agrtid] ASC
    ) WITH (PAD_INDEX = OFF, STATISTICS_NORECOMPUTE = OFF, IGNORE_DUP_KEY = OFF, ALLOW_ROW_LOCKS = ON, ALLOW_PAGE_LOCKS = ON, FILLFACTOR = 90) ON [INDEX]
    ) ON [PRIMARY]
    GO
    --create trigger
    SET QUOTED_IDENTIFIER ON
    GO
    CREATE TRIGGER [dbo].[Table1_Update]
    ON [dbo].[Table1]
    FOR UPDATE
    NOT FOR REPLICATION
    AS
    BEGIN
        DECLARE @status      varchar(3),
                @user_id     varchar(25),
                @period      varchar(25),
                @client      varchar(25),
                @last_update datetime
        DECLARE @Old_status  varchar(3),
                @Old_user_id varchar(25),
                @Old_period  varchar(25),
                @Old_client  varchar(25)

        -- scalar variables hold only one row of Inserted/Deleted, whatever the statement touched
        SELECT @status      = status,
               @user_id     = user_id,
               @period      = period,
               @client      = client,
               @last_update = last_update
        FROM Inserted

        SELECT @Old_status  = status,
               @Old_user_id = user_id,
               @Old_period  = period,
               @Old_client  = client
        FROM Deleted

        IF @Old_status <> @status
            INSERT INTO Company_AuditPeriod
            VALUES (@client, @period, 'Table1', 'period', @Old_status, @status, @user_id, @last_update)
    END
    GO
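    A set-based version of the trigger, as an added example that is not part of the thread: it joins Inserted to Deleted on the identity key so that every changed row gets its own audit row, instead of the single row the scalar variables happen to capture, which is what leaves a multi-row UPDATE under-audited. It assumes the Company_AuditPeriod and Table1 DDL posted above; because the posted Table1 has no period column, Period is written as NULL and Field_Name records 'status', the column the trigger actually compares.

```sql
-- Added example, not the poster's code. Replaces dbo.Table1_Update with a
-- set-based trigger that audits every row of a multi-row UPDATE.
-- Assumes dbo.Company_AuditPeriod and dbo.Table1 exist as in the DDL above.
IF OBJECT_ID(N'[dbo].[Table1_Update]', N'TR') IS NOT NULL
    DROP TRIGGER [dbo].[Table1_Update];
GO

CREATE TRIGGER [dbo].[Table1_Update]
ON [dbo].[Table1]
FOR UPDATE
NOT FOR REPLICATION
AS
BEGIN
    SET NOCOUNT ON;          -- keep "(n rows affected)" from reaching the caller

    -- Fast exit when the audited column was not in the SET list at all.
    IF NOT UPDATE(status)
        RETURN;

    -- Inserted and Deleted each hold every row touched by the statement.
    -- Joining them on the identity key pairs each new row with its old
    -- version, so one INSERT ... SELECT writes one audit row per changed
    -- row regardless of how many rows the UPDATE affected.
    INSERT INTO [dbo].[Company_AuditPeriod]
        ([Client], [Period], [Table_Name], [Field_Name],
         [Old_Value], [New_Value], [User_ID], [Last_Update])
    SELECT  i.client,
            NULL,            -- posted Table1 has no period column
            'Table1',
            'status',        -- the column actually being compared
            d.status,
            i.status,
            i.user_id,
            i.last_update
    FROM    Inserted AS i
    JOIN    Deleted  AS d ON d.agrtid = i.agrtid
    -- NULL-safe comparison: a plain <> would silently skip NULL transitions
    WHERE   ISNULL(d.status, '') <> ISNULL(i.status, '');
END
GO

-- Check: a single UPDATE touching several rows must yield one audit row each.
-- (Row ids 1 and 2 are assumed to exist in Table1.)
UPDATE [dbo].[Table1] SET status = 'X' WHERE agrtid IN (1, 2);
SELECT [Client], [Field_Name], [Old_Value], [New_Value], [User_ID]
FROM   [dbo].[Company_AuditPeriod]
ORDER BY agrtid;
```

    Rows whose status did not actually change produce no audit row, and rows whose other columns changed are ignored, so the audit table records exactly the status transitions and nothing else.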

  • SPNego for multi-forest using IBM JDK

    Hi All,
    I need to set up SPNego authentication for EP7 and IBM JDK for a multi-forest landscape (2 Active Directory domains). There's a guide about how to do this for the Sun JDK: https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/c771c3d3-0c01-0010-b5b6-86755a2cf778 but I need one for the IBM JDK as the login stack modules are different.
    Can anyone supply me with a guide or any helpful information regarding this ?  Do you know if it works?  I've currently got SPNego working for a single domain.
    Thanks in Advance,
    Anthony

    Jan,
    ok, thanks. I will now explain how I think we can help.
    Firstly, to be sure you understand: I represent an SAP partner company known as CyberSafe, and we have a product which uses SPNEGO for Kerberos authentication in a browser environment, so my answer relates mainly to our product functionality, and not to the SAP login module, which has less functionality.
    I must also apologise in case anybody reading this thread has an issue with me discussing non-SAP software. My view is that the most important thing on this forum is to help you (the SAP customer) get a solution that meets your needs, and if this involves SAP Partner products as well as SAP products, then that is acceptable.
    Firstly, our product does not use the Java implementation of Kerberos. Instead, we use a JNI (Java Native Interface) so that our host-based Kerberos library can be used to implement the protocol. This means that any differences between IBM, Sun or any other vendor JDK version related to Kerberos functionality, multi-domain support etc. are not relevant to our product. We support many things in our product which are not supported in Java implementations of Kerberos, so you don't need to wait for new versions of the JDK to take advantage.
    Secondly, and perhaps more relevant to this discussion, our login module authenticates the user by decrypting the service ticket received using the key in the key table file on the host, and then we map this principal name onto an SAP user id. We then (via the login module stack) cause the SAP system to issue an SSO2 logon ticket for this user id. The secret is the way we perform the mapping; we are not dependent on UME datasources for this, and I will describe below how we achieve mapping by using an example:
    Let's suppose a user is authenticated as user.name@DOMAIN1, and the SAP system login module has been set up using domain 2 (Realm = DOMAIN2) and trusted via a key in a key table file, with principal name HTTP/hostname@DOMAIN2. Then, using normal Kerberos cross-realm trust and cross-realm TGTs, the browser requests a ticket from AD for HTTP/hostname@DOMAIN2, and this is issued by AD in domain 2 using the cross-realm TGT, but the principal name of the authenticated user inside this service ticket is user.name@DOMAIN1. The login module on the SAP server can decrypt the ticket it receives to find the user's Kerberos principal name.
    So, the login module knows the user is user.name@DOMAIN1; it then has to decide how to determine the SAP user id. Our login module currently supports two different methods of performing this mapping, but we are adding more methods in each release to make the product even more flexible. Currently we support the following methods:
    1. Simple mapping: this is where we remove the realm name and convert the principal name to upper case, so in this example user.name@DOMAIN1 would be mapped to an SAP userid of USER.NAME and used to issue an SSO2 ticket. Clearly this is only suitable for single domains, and makes administration very easy; many of our customers use this method, but you would need a different mapping method due to your multiple domains.
    2. USRACL mapping: since we also sell an SNC product for SAP GUI SSO, our customers already maintain a mapping of Kerberos principal name to SAP user id using a table in the ABAP engine called USRACL. This table is maintained using the SU01 transaction. We now have support in our login module to read the USRACL table using the authenticated Kerberos principal name of the user (e.g. user.name@DOMAIN1) and find the required SAP user id, so that an SSO2 logon ticket can be issued.
    I hope this helps you understand. If you are interested in more detail about our product, and how we might be able to help you, please feel free to contact me offline instead of via this forum.
    Thanks,
    Tim
