SAP HCM/Active Directory synchronization

Hi,
I am trying to integrate SAP R/3 (master database) to Active Directory.
And Active Directory will be used by all the other systems. Adding a new employee is done in SAP HCM and the same data should be created in Active Directory.
I went through couple of forum threads but did not get the solution,
Integrating SAP HR and active directory services
LDAP/Active Directory synchronization
http://forums.sdn.sap.com/click.jspa?searchID=47039448&messageID=7577288
Please let me know how I can achieve this. Your help is greatly appreciated...
Regards,
Rudradev Devulapelli

It is a tool for user data synchronization, provisioning, compliance etc. It is a Java application so it is installed on AS Java.
I have played with it only for a few days and I was able to use it to synchronize some data from AD and ERP. So I guess your scenario would be something like this:
- HR adds new employee,
- IDM synchronizes data between HCM and AD, i.e. it creates a new user in AD,
- user uses AD to authenticate to access, for example, a file share.
But IDM can do a lot of things besides this simple example. So I suggest you go through "Technical Overview Presentation":
http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/7037d982-40aa-2a10-e283-a76a9dfc93ab
and "Working with Microsoft Active Directory":
http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/40bba5aa-50f7-2a10-739d-e48e40730478

Similar Messages

  • Active Directory synchronization working, authentication not on CUBM BE5000 8.6(1a)

    I successfully set up Active Directory synchronization between my CUCM BE5000 appliance running 8.6(1a) and our Windows 2008 Server Active Directory.  Users are replicating successfully, but authentication is not working even though I am using the same LDAP manager distinguished name and password for both.  I have a suspicion to the cause of this problem but for the record, the following is my relevant configuration:
    System/LDAP/LDAP System:
    LDAP Server Type: Microsoft Active Directory
    LDAP Attribute for User ID: userPrincipalName
    System/LDAP/LDAP Directory:
    LDAP Configuration Name: bgctnv.local
    LDAP Manager Distinguished Name: CN=cm.sync,OU=BGCTNV Users,DC=bgctnv,DC=local
    LDAP User Search Base: DC=bgctnv,DC=local
    LDAP Server Information: bgctnv.local, port 389 (to query any domain controller in DNS; I have also tried specific IP addresses)
    System/LDAP/LDAP Authentication:
    LDAP Manager Distinguished Name: CN=cm.sync,OU=BGCTNV Users,DC=bgctnv,DC=local
    LDAP User Search Base: LDAP user search base is formed using the User ID information (pre-populated, I cannot change this)
    LDAP Server Information: bgctnv.local, port 3268
    All of my Active Directory users are now populated and active under End Users.  However, I am not able to log into /ccmuser among other things using my valid domain credentials.  I am a super user as well as a standard end user.
    Curiously, invalid usernames (userPrincipalName in my case) return the error "Log on failed - Invalid User ID or Password" while a valid username, with or without the correct password, returns only "Log on failed."  That seems to imply that some part of the authentication or LDAP bind is taking place.
    Here's the catch.  The base domain here is bgctnv.local while we use bgctnv.org as a valid and acceptable alternative UPN suffix in Active Directory.  Every Microsoft and every third-party program I have used will accept [email protected], but I'm beginning to think that CM will not, or is having some sort of translation issue.  I read that alternative suffixes can cause problems in Active Directory forests with multiple trees, but this is a vanilla, single domain environment.
    I don't even know where to look to debug this issue.  Has anyone seen this before or can anyone tell me where to look for logs?
    Thanks,
    John

    I found the following:
    http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/srnd/8x/directry.html
    As mentioned in the section on LDAP Synchronization, in order to support synchronization with an AD forest that has multiple trees, the UserPrincipalName (UPN) attribute must be used as the user ID within Unified CM. When the user ID is the UPN, the LDAP authentication configuration page within Unified CM Administration does not allow you to enter the LDAP Search Base field, but instead it displays the note, "LDAP user search base is formed using userid information."
    This may help in some situations where there are multiple trees in an AD forest, but it is definitely not the solution.  Even with multiple trees, it is common to use alternative UPN suffixes.  Nothing in AD requires or even recommends that you exclusively use your AD domain root as the UPN suffix.
    For example, company.local may use company.com as an alternative but primary UPN suffix to provide simplicity for users.  Users can then achieve more broad SSO capabilities by using their familiar email credentials when authenticating for company.local services.
    When using UserPrincipalName as the LDAP synchronization attribute for the CM User ID, the configuration requires that the search base for authentication be derived from the UPN suffix, regardless of whether it is a single domain or multiple trees within a forest.  This makes it impossible to authenticate by UPN unless your UPN is explicitly your root domain name.  From the example above, CM would try to bind [email protected] against DC=company,DC=com instead of the correct DC=company,DC=local.
    The logical solution would be to allow the administrator the option.  Why not have a choice of whether to generate the user search base from the userid (UPN) information, or be able to specify the search base as well like it allows with any other synchronization attribute?
    Would this be a feature request, bug report, or neither?  I'd really appreciate it if Cisco considered this but I don't know the proper channel.
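    The behaviour John describes can be made concrete with a small model. This is an added example, not Cisco code and not taken from the thread: it derives the authentication search base purely from the UPN suffix (the behaviour the post complains about), then resolves it through an explicit suffix-to-domain mapping (the administrator option the post asks for). Every domain name, user, DN and the `SAMPLE_DIRECTORY` dictionary below are constructed sample values.

```python
# Added example (not from the posts above or from Cisco documentation): models how an
# LDAP authentication search base derived purely from the UPN suffix breaks for
# alternative UPN suffixes, and how an explicit suffix-to-base mapping fixes it.
# All domain names, users and DNs are constructed samples.

def dn_from_dns_domain(domain: str) -> str:
    """Turn a DNS domain name into the domain DN AD uses for its naming context,
    e.g. 'company.local' -> 'DC=company,DC=local'."""
    labels = [label for label in domain.strip().lower().split(".") if label]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join(f"DC={label}" for label in labels)


def search_base_from_upn(upn: str) -> str:
    """The behaviour described in the post: the search base is generated only from
    the UPN suffix, so 'jsmith@company.com' yields 'DC=company,DC=com'."""
    if upn.count("@") != 1:
        raise ValueError(f"not a UPN: {upn!r}")
    _, suffix = upn.split("@")
    return dn_from_dns_domain(suffix)


# Constructed admin-maintained mapping: every accepted UPN suffix points at the
# domain that really holds the accounts. The domain's own DNS name and its
# alternative suffix both map to the same base.
UPN_SUFFIX_TO_BASE = {
    "company.local": "DC=company,DC=local",
    "company.com": "DC=company,DC=local",
}


def search_base_with_suffix_map(upn: str, suffix_map=UPN_SUFFIX_TO_BASE) -> str:
    """Resolve the search base through the suffix mapping; unmapped suffixes fall
    back to the naive derivation so a plain root-domain UPN behaves as before."""
    if upn.count("@") != 1:
        raise ValueError(f"not a UPN: {upn!r}")
    suffix = upn.split("@")[1].lower()
    return suffix_map.get(suffix) or dn_from_dns_domain(suffix)


# Constructed stand-in for the directory: userPrincipalName -> distinguished name.
# The account lives under DC=company,DC=local although its UPN uses company.com.
SAMPLE_DIRECTORY = {
    "jsmith@company.com": "CN=John Smith,OU=Users,DC=company,DC=local",
    "svc.sync@company.local": "CN=svc.sync,OU=Service,DC=company,DC=local",
}


def user_found_under_base(upn: str, search_base: str, directory=SAMPLE_DIRECTORY) -> bool:
    """Models the subtree search that precedes the bind: the account must sit under
    search_base, otherwise no bind is attempted and the logon fails."""
    dn = directory.get(upn.lower())
    if dn is None:
        return False
    return dn.lower().endswith("," + search_base.lower())


if __name__ == "__main__":
    for upn in SAMPLE_DIRECTORY:
        naive = search_base_from_upn(upn)
        mapped = search_base_with_suffix_map(upn)
        print(f"{upn}: naive base {naive} -> found={user_found_under_base(upn, naive)}; "
              f"mapped base {mapped} -> found={user_found_under_base(upn, mapped)}")
```

    Run stand-alone, the script shows the alternative-suffix user being missed under the naive base and found under the mapped one, while the root-suffix service account works either way; this is exactly the asymmetry between "Log on failed - Invalid User ID or Password" and "Log on failed" that the post observes.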

  • CMC Authentication Active Directory Synchronization Updates Drops Users

    We are using SAP Business Objects on a Windows Server 2008 box and have configured single sign-on using Active Directory. We schedule the Active Directory in the Authentication tab to synchronize every day. Yesterday not all of the users updated and actually were dropped from the CMC. We think it was because one of the domain controllers went down for a group of users during the last CMC Active Directory Update. My question is, are there any log files we can look at for the Active Directory sync to see if there were any errors detected during the synchronization? It would be nice too, to be able to see a list of what actually happened during the Active Directory sync, like what groups, users and user group associations were added and deleted.
    The result was that when the users were dropped we lost any manual security setups and the users lost their favorites and preferences settings because they were dropped. Is there any way we can insulate our Active Directory updates from accidentally dropping users when something goes wrong with the Active Directory Sync Update?
    Any best practices would be greatly appreciated.
    Thanks,
    Bill

    Hi Bill,
    Usually, if a group has been deleted or renamed in the AD controller, the group is deleted from the CMC. If a DC is not available, the group shouldn't have been deleted.
    As far as I know, there are no options for debugging the action of the schedule. If you suspect that this can happen again, you can enable/disable traces on your CMS programming the creation/copy of CMS_trace.ini when the AD graph/alias schedule is going to happen.
    There is an Idea that you can vote for to avoid users being deleted when the group is accidentally deleted from the CMC:
    https://cw.sdn.sap.com/cw/ideas/2645
    In the meantime, you can also create Enterprise alias for your AD users, so even if the problem appears again, the security, inboxes and favourites will still be there.
    1401058 - How to create Enterprise aliases for LDAP or AD accounts
    [https://service.sap.com/sap/support/notes/1401058]
    Regards,
    Julian

  • Can you authenticate user/password from SAP to Active Directory

    I don't want to implement SSO for ABAP because my company doesn't have the license for  "SAP NW Single Sign-On"; but we would like to authenticate our users and their passwords to active directory.  Our goal is to make sure the user/password in SAP is the same as their Active Directory user/password.  Is this possible?
    Thanks!

    This has been discussed many times, for example see SSO with LAN UserID/Password. The short answer is no, you can't synchronize passwords. You can however achieve the requirement assuming you are using Identity Management to provision users and passwords to all systems (AD, SAP, etc). In that case you will have to deal with users changing their password. Recommendation is to enable SSO. If you don't want to get licenses for NWSSO, try to look at other options (X.509 certificates, SPNEGO in AS JAVA and then issue a Logon Ticket, 3rd party solution, etc).

  • SAP HR - Active Directory encoding

    Hi,
    We're exporting data from SAP HR to Active Directory (we've followed this link).
    Our ECC5.0 system is not Unicode enabled, the database is in iso8859-2 encoding.
    Does it mean that if we send data through SPLDAP_RECEIVE_ATTRIBUTES module, that it will be sent in iso8859-2 encoding?
    Is the default encoding for abap programs the same as in the ECC5.0?
    I'm asking this because after export in Active Directory all the Polish characters such as ąęółćśżź are not being displayed correctly. Maybe it has something to do with the Active Directory encoding?
    Regards,
    Ladislav
    Edited by: Ladislav Pomezny on Nov 17, 2008 2:44 PM

    Any ideas?
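    The symptom Ladislav describes (ASCII names fine, Polish letters broken) is what you get when single-byte ISO-8859-2 data is written to LDAP unchanged, because LDAPv3 (RFC 4511) defines directory strings as UTF-8 and the receiving side decodes them as such. The following is an added example, not SAP code and not from the thread: it reproduces the corruption and shows the transcoding step that fixes it. The name `SAMPLE_NAME` is a constructed value; the function names are mine.

```python
# Added example (not from the thread, not SAP code): demonstrates why Polish
# characters arrive mangled in AD when a non-Unicode ABAP system hands ISO-8859-2
# bytes to LDAP, which expects UTF-8 directory strings, and how transcoding fixes it.

SOURCE_CODEPAGE = "iso8859_2"   # the ECC database code page named in the question
SAMPLE_NAME = "Ząbkowska Łódź"  # constructed sample; contains ą, Ł, ó and ź


def abap_nonunicode_bytes(text: str, codepage: str = SOURCE_CODEPAGE) -> bytes:
    """What the non-Unicode system holds for the string: single-byte ISO-8859-2."""
    return text.encode(codepage)


def is_valid_utf8(raw: bytes) -> bool:
    """True if the bytes form a well-formed UTF-8 sequence, i.e. are acceptable to LDAP."""
    try:
        raw.decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False


def as_seen_by_utf8_consumer(raw: bytes) -> str:
    """What AD (or an LDAP browser) shows if ISO-8859-2 bytes are passed through
    unchanged: each non-ASCII byte is an invalid UTF-8 sequence and gets replaced."""
    return raw.decode("utf-8", errors="replace")


def transcode_for_ldap(raw: bytes, source_codepage: str = SOURCE_CODEPAGE) -> bytes:
    """The fix: decode with the system's own code page, then re-encode as UTF-8."""
    return raw.decode(source_codepage).encode("utf-8")


def attribute_report(text: str, source_codepage: str = SOURCE_CODEPAGE) -> dict:
    """Summarise what a consumer sees for one attribute value before and after
    transcoding; ASCII-only values are unaffected, which matches the symptom."""
    raw = abap_nonunicode_bytes(text, source_codepage)
    fixed = transcode_for_ldap(raw, source_codepage)
    return {
        "raw_is_utf8": is_valid_utf8(raw),
        "raw_as_utf8": as_seen_by_utf8_consumer(raw),
        "fixed_is_utf8": is_valid_utf8(fixed),
        "fixed_roundtrip": fixed.decode("utf-8") == text,
        "bytes_before": len(raw),
        "bytes_after": len(fixed),
    }


if __name__ == "__main__":
    for name in (SAMPLE_NAME, "Kowalski"):
        print(name, attribute_report(name))
```

    The report for the Polish name shows the raw bytes are not valid UTF-8 and render with replacement characters, while the transcoded bytes round-trip exactly (and grow by one byte per non-ASCII letter); the ASCII-only name is identical in both code pages, which is why only the accented letters look wrong in AD.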

  • OID and MS Active Directory Synchronization

    Hi,
    I've read that these 2 LDAP services can be synchronized with the "Active Directory Connector", so does this mean that if users and groups are stored in the MS Active Directory it is possible to have the users and groups synchronized with the OID so that these are available directly in Oracle Portal, or do they still need to be added manually somehow into Portal?
    Thanks in advance,
    Brandon

    You can find documentation at :
    - http://www.oracle.com/technology/products/oid/oidhtml/sec_idm_training/html_masters/basics01.htm
    - http://www.oracle.com/technology/products/oid/oidhtml/sec_idm_training/html_masters/basics02.htm
    - Note 267153.1 (How To Setup OID Synchronization with Microsoft Active Directory Quick Start Guide) with related docs
    Best regards,
    Nicolas Stiévenard

  • SAP SB1 +  Active Directory

    Hi,
    Is it possible to integrate the SAP SB1 login with Microsoft Active Directory?
    Best Regards,
    Tiago

    Hi Tiago,
    I don't think that is possible.  Simply because, B1 has to set and maintain its own user profiles.  Could you list the advantages and disadvantages if the future version works like you want?
    Thanks,
    Gordon

  • Project Server 2010 Active Directory Synchronization - duplicate Windows Name - Event ID 7734

    Environment: SharePoint Server 2010, Project Server 2010, SP2, DEC 2013 CU (Farm Build number: 14.0.7113.5001)
    Scenario: 
    Domain user has been added to the Active Directory group being synchronized with Project Server for the Team Members group.
    That user has participated as a team member in numerous projects, added documents, been assigned tasks, typical project stuff...
    Employee quits.
    AD account is deleted. (NOT deactivated or moved into another OU)
    Time passes...
    Employee gets rehired.  NEW AD account is set up: same display name, SamAccountName, email address, different GUID of course.
    Daily Active Directory job runs again and throws event ID 7734 and the sync ends with a partial fail.
    I understand why this is happening.  Solutions I've found point me to deleting the Enterprise Object resource in Project Server and then rerunning the sync.  Sure, this works BUT won't all of the previous documents, tasks, etc. be disassociated from that user?  If so, this is not ideal.
    2 questions:
    Is there a better way to deal with the fixing of the resource in Project Server to somehow link the old resource to the new resource allowing the sync to run successfully while still leaving the association to all old content intact?
    How are other organizations dealing with rehires when they have been added as resources in Project Server?  What is the best practice guidance from Microsoft on this?  Are other companies not actually deleting AD accounts when users leave organizations or are they putting them into a "ARCHIVE" OU or something like that? This happens at least half a dozen times a year at my company. We would like to keep our AD as clean as possible, but this appears to change our approach.
    Any suggestion/guidance is appreciated.

    For the question to relink the new account to the account which is already available in Project Server. You will have to update the WRES_AD_GUID to Null for the the Resource in MSP_RESOURCES table in the published database.
    Whenever a user gets synchronized to the PWA his ADGUID, SAMAccountName, Display Name, Email Address and DepartmentName are synchronized from AD to Project Server. When the user was deleted and recreated the ADGUID got changed. During the next sync, Project found the user with similar properties but a different ADGUID than the one stored in the WRES_AD_GUID column in the MSP_RESOURCES table. Hence it says that there is a duplicate account in the table with the same properties but a different ADGUID.
    Nullifying the WRES_AD_GUID column value in MSP_RESOURCES table should get the user synchronized to Project server in the next sync.
    Cheers! Happy troubleshooting !!! Dinesh S. Rai - MSFT Enterprise Project Management
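    To see why nulling the stored GUID keeps the resource (and everything hanging off its resource id) while letting the sync relink it, here is an added example that models the reconciliation step. It is a constructed model, not Project Server code: the row and attribute names follow the columns the reply mentions (WRES_AD_GUID, ADGUID, SAMAccountName, Display Name, Email Address), but the matching order (stored GUID first, then SAMAccountName) and all sample data are assumptions of the model.

```python
# Added example (a constructed model, not Project Server code): shows why a rehired
# user with a new AD objectGUID collides with the existing enterprise resource, and
# why clearing the stored GUID (WRES_AD_GUID in MSP_RESOURCES, as the reply says)
# lets the next sync relink the same resource row instead of creating a duplicate.
# Matching order (GUID first, then sAMAccountName) is an assumption of this model.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Resource:
    """One enterprise resource row; field names follow the columns named in the reply."""
    res_id: int
    display_name: str
    sam_account_name: str
    email: str
    ad_guid: Optional[str]  # WRES_AD_GUID; None models NULL (never linked / cleared)


@dataclass
class AdUser:
    """The attributes the reply lists as synchronised from AD."""
    object_guid: str
    display_name: str
    sam_account_name: str
    email: str


@dataclass
class SyncResult:
    linked: List[int] = field(default_factory=list)
    created: List[int] = field(default_factory=list)
    conflicts: List[Tuple[int, str, str]] = field(default_factory=list)  # (res_id, stored, incoming)


def sync_group(resources: List[Resource], ad_users: List[AdUser]) -> SyncResult:
    """Reconcile the AD group members against the resource pool (model)."""
    by_guid = {r.ad_guid: r for r in resources if r.ad_guid}
    by_sam = {r.sam_account_name.lower(): r for r in resources}
    result = SyncResult()
    for user in ad_users:
        match = by_guid.get(user.object_guid)
        if match is not None:                      # normal case: GUID already linked
            result.linked.append(match.res_id)
            continue
        match = by_sam.get(user.sam_account_name.lower())
        if match is None:                          # genuinely new person
            new_id = max((r.res_id for r in resources), default=0) + 1
            resources.append(Resource(new_id, user.display_name,
                                      user.sam_account_name, user.email, user.object_guid))
            result.created.append(new_id)
        elif match.ad_guid is None:                # stored GUID is NULL: safe to relink
            match.ad_guid = user.object_guid
            result.linked.append(match.res_id)
        else:                                      # same account, different GUID: the rehire case
            result.conflicts.append((match.res_id, match.ad_guid, user.object_guid))
    return result


def clear_ad_guid(resources: List[Resource], res_id: int) -> None:
    """The fix from the reply: NULL the stored GUID on the existing resource row."""
    for r in resources:
        if r.res_id == res_id:
            r.ad_guid = None
            return
    raise KeyError(f"no resource with res_id {res_id}")


def rehire_scenario() -> Tuple[SyncResult, SyncResult, List[Resource]]:
    """Run the scenario from the question with constructed data: deleted account,
    rehired with the same names but a new GUID, sync, fix, sync again."""
    pool = [Resource(7, "Alex Example", "aexample", "aexample@corp.example", "guid-old-0001")]
    rehired = [AdUser("guid-new-0002", "Alex Example", "aexample", "aexample@corp.example")]
    first = sync_group(pool, rehired)              # conflict on resource 7
    for res_id, _stored, _incoming in first.conflicts:
        clear_ad_guid(pool, res_id)
    second = sync_group(pool, rehired)             # resource 7 relinked, nothing created
    return first, second, pool


if __name__ == "__main__":
    first, second, pool = rehire_scenario()
    print("first sync:", first)
    print("second sync:", second)
    print("pool:", pool)
```

    The first pass reports the conflict rather than silently creating a second "Alex Example"; after the stored GUID is cleared the second pass links the new objectGUID to the original resource id 7, which is the property that keeps old documents and task assignments attached.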

  • Removing Active Directory Synchronization - will it delete all end-users?

    I need to split our company across two AD Forests and do not want to set up AD LDS for Dirsync and authentication.  Can I disable LDAP synchronization on CUCM 8.5.1 and have it leave the current user objects?  I would look to add passwords to each of the users in the Cisco directory and have Cisco perform the authentication locally.

    The threads recommend that I remove LDAP synchronization and authentication on CUCM Admin.  Then run this command:
    You can convert the users back to standard CUCM users using a SQL query update... This is easy to do
    run sql update enduser set status=1
    Will this procedure work?
    1) remove LDAP sync and auth from CUCM Admin (stay signed in)
    2) run the update on the enduser table (before the 3:15am garbage collection run)
    3) I assume that none of the end user accounts can be used now since the passwords were stored on AD and not in the enduser table.  I would have to update each of the enduser entries and add a password.
    What could go wrong?

  • EIC SAP HCM - ( Activity ) Flexible User Interface

    Hi All,
    We are implementing EIC with EHP4. There is a BADI to add custom attributes for an activity.
    BADI : HREIC_ACT_CUSTOM_ATTR
    Enhancement Spot :HREIC_CUSTOM_ACTIVITY_ATTR
    As per my understanding we need to use the methods to edit and save any custom attribute we want to define for an activity. I am not able to understand how to show that attribute on the BSP page ActivityAttributesView.htm in BSP application HREIC_VP.
    If anyone has experience of using this BADI, please explain to me how to use this BADI to display attributes on the BSP page.
    Regards,
    Puneet

    Dear Madhu,
    In the IMG, you will have to look at the following path for the step-wise WDA configuration :
    SAP e-Recruiting ->Technical Settings -> User Interfaces ->Settings for user interfaces with WDA.
    There is also an overview note which talks in depth about the settings (just after the above-mentioned node in the IMG) & the options one needs to consider for the WDA screens.
    The basic thing to consider is whether you want to separate your front-end from your back-end for WDA. In separated systems no sensitive data is located outside the company's firewall.
    The main advantage in using the WDA screens is that it is based on the latest UI technology & the latest functionalities released by SAP are only supported in WDA screens & not BSP.
    And WDA screens are available as of ECC 6.0 SP08 onwards.
    As of Enhancement Package 3, only the internal & external candidate screens are available in WDA. The rest are in BSP.
    In enhancement Package 4 which was just released, the Recruiter screens are also available in WDA.
    Regards,
    Sowmya
    Edited by: Sowmya Kadambi on Jan 19, 2009 11:17 AM
    Edited by: Sowmya Kadambi on Jan 19, 2009 11:28 AM

  • Where is the "Prevent Active Directory synchronization for this user" stored in the Project 2010 DB tables?

    I would like to create a report from the DB that gives me all users in Project/PWA 2010 where the "Prevent AD sync..." box has been checked in the user/resource configuration, but I cannot find where this is in the Project databases.  Our DB is SQL 2008 R2.
    Thanks,
    Marty Hadden
    MS Project Administrator

    Hi Marty,
    I might be wrong but the Prevent AD Sync details are not available in the Reporting db. Maybe you can check the published/draft databases (not supported) or you can configure a separate custom field and you can duplicate the information for each user into this field. The custom field can be used in the reports based on the reporting database.
    Hope this helps
    Paul

  • Creating users in Active Directory through LDAP connector

    Hello,
    If we need to create users in Active directory using LDAP connector, what are the options for the following:
    1) Update back into SAP from AD. LDAP connector updates only in one direction i.e from SAP to Active directory.
    2) Can we add additional fields in LDAPMAP which are not standard, e.g. can we write our own code to extract data from HR to map the value with an attribute within Active Directory?
    Regards,
    Ahmad

    Hello!
    I noticed the email in my inbox and understand the reason for deleting it - checked the rules again - no problem with that.
    Here is the posting again - sanitized this time.
    You can create users in LDAP/AD from SAP without a problem. SAP provides function modules to create/maintain/delete users with LDAP attributes in the correct ou path.
    You can also perform group membership assignment in LDAP from SAP if needed.
    I have done this quite a few times at different companies that use SAP HCM.
    A userid in SAP is created automatically during hiring action with default password e.g. birthday of employee and certain authorization roles based on configured information.
    The userid is then created right away in LDAP in the correct ou path (controlled via custom configuration table) and LDAP group membership is assigned.
    A job runs every 8 hours to perform delta updates in LDAP.
    The userid in SAP and LDAP are locked automatically if the user is terminated using termination action in HR.

  • OID and Active Directory

    1 Does Oracle OID integrate with Active Directory to synch data with Active Directory periodically?
    2 Marshall data from Active Directory on demand (live link)?
    3 Does Oracle Single Sign-on solution work with multiple directories (i.e. OID and AD both being used by Oracle Single Sign-on)
    4 Can Oracle Single Sign-On work with a Desktop login into a Domain (also called NT Authentication or Desktop authentication)?

    This is what I have to share with you. For further details refer to the link http://otn.oracle.com/products/oid/index.html and the Oracle Internet Directory Administrator's Guide.
    1 Does Oracle OID integrate with Active Directory to synch data with Active Directory periodically?
    For synchronizing from Microsoft Active Directory to Oracle Internet Directory, you need to track changes in Microsoft Active Directory and configure your Active directory connector giving its URL, user account and password to be used by the Active Directory connector, its DIT info on domain which contain the users/groups. And in the Active Directory synchronization profile you'll have to set the mapping rule.
    2 Marshall data from Active Directory on demand (live link)?
    Yes, it's possible to migrate data between directories. Configure your Active Directory connector and External auth Plug-in. And use the Directory Integration and Provisioning Assistant.
    3 Does Oracle Single Sign-on solution work with multiple directories (i.e. OID and AD both being used by Oracle Single Sign-on)
    Yes, it's possible. When a user tries to log in, the OracleAS Single Sign-On server tries to verify the credentials the user enters against those stored in Oracle Internet Directory. If the user credentials are not there, then the Oracle directory server invokes the Active Directory external authentication plug-in. This plug-in verifies the user credentials in Microsoft Windows. If the verification is successful, then the Oracle directory server notifies the OracleAS Single Sign-On accordingly.
    4 Can Oracle Single Sign-On work with a Desktop login into a Domain (also called NT Authentication or Desktop authentication)?
    Oracle Application Server Single Sign-On enables native authentication, also called autologin, in a Microsoft Windows environment. Once logged into the Windows desktop, the user automatically has access to Oracle components. OracleAS Single Sign-On automatically logs the user into the Oracle environment using user's Kerberos credentials.

  • Active Directory Mobile Account not working

    Hello all. I've successfully joined a few Macs to an Active Directory domain. However, I have a laptop that needs to be able to authenticate even when away from the network. The "Create Mobile Account" checkbox seems perfect for the job. From my reading, it seems that it is supposed to cache login authentication info from network login users. Then when the computer doesn't have a network connection, it uses the cached credentials. Upon 1st login it asks if I want to create a mobile account, and I say yes. However, it doesn't work across a reboot.
    If I reboot the computer without a network connection, and then try to authenticate at the login screen with my network user, the password field "shakes" as if I got it wrong.
    However, I know it is sorta working because if I type >console into the user field, I get dumped to the console, where I can successfully log in using the network user's credentials. Even without a network connection. But not from the GUI login screen.
    Any ideas?
    Thanks!

    Abbas,
    You can find active directory synchronization option under PWA settings >> Operation Policies
    1. In Project Web App, click the Settings icon, and then click Project Web App Settings.
    2. On the Project Web App Server Settings page, in the Operational Policies section, click Active Directory Resource Pool Synchronization.
    3. On this page, you need to enter the Active Directory group which contains the users you want to sync and then click on save and synchronize.
    You can check the status of the Enterprise Resource Pool synchronization by returning to the Active Directory Enterprise Resource Pool Synchronization page and reviewing the information in the Synchronization Status section. It contains information such as when the last successful synchronization occurred.  If the last synchronization failed for any reason, it will also post a timestamp of when it occurred if you wanted to search for more information in the ULS logs.
    Let us know the results.
    You can find more information on AD sync at
    http://technet.microsoft.com/en-us/library/gg982985(v=office.15).aspx
    Thank you,
    Kiran K.

  • Bulk Uploading of New Users without Active Directory Sync. Possible?

    Hello,
    WithOUT Active Directory synchronization, is it possible to do a bulk upload of 100+ users onto Project Server 2013 (Online)?  If so, how?
    In addition, can these new users be setup to default with “User can be assigned as a resource"? 
    Thanks in advance,
    Spiro Theopoulos PMP, MCITP. Montreal, QC (Canada)

    Hi,
    it is possible, but not completely.
    If you select at least one resource in Resource Center and click "Open", this resource is opened for editing in client. At this place, you can add your new resources with all fields (and Default Booking Type), e.g. with copy/paste from some other source. They are added as resources. However, editing column "User Logon Account" is disabled, so you can't add this information in client. You need to do this afterwards from Resource Center for each single resource.
    And yes - I agree: This is very inconvenient!
    Regards
    Barbara
