Use Windows Account to logon to WAS (ICM) ...

Hi All !
is it possible to use a windows Domain Account to logon to WAS Applications ( BSP or Webdypro in ICM ) ?
possible with Kerberos or Certificates ?
How to implement ?
need help !
Thanks
Oliver

Wolfgang,
Yes, I hope that Oliver finds this chat/info useful, and not too confusing.
I am sorry, but the question asked in this post was related to using the Windows Account to logon to WAS. For me that means something like :
1. The user is currently logging onto Windows using an account, and is authenticating with Active Directory using this account. e.g. via password or smart card, two-factor token etc.
2. The user wants to use this same Windows account to logon to WAS ABAP. This implies the same authentication method used to logon to Windows (e.g. password, smart card, two-factor token etc.) should be used to logon to SAP WAS. This relates to the question being asked by Oliver.
So, if we first consider x.509. How are you proposing that the user authenticates using their certificate, and determines their Windows account from this certificate when they  log onto SAP ? The Active Directory approach is to use PKINIT (a Kerberos pre authentication mechanism) to determine the Windows account name from the certificate based authentication, so SAP WAS would have to use PKINIT and/or share the same certificate that Active Directory uses for this to be possible. I am not aware of a method of making this work with SAP software, and if it is possible, it certainly would not be easy. Also, I am not convinced this gives Oliver what he is asking for. The only method I am aware of is to use client certificates to authenticate to SAP, and these certificates would normally be issued by SAP or via an external CA which is trusted by SAP. When using this method to logon to SAP there is no way to relate the certificate to the account name the user is aware of in Windows since the certificate authentication used by SAP is completely separate from the Windows account authentication. Hence, I would say that x.509 cannot be used to meet Olivers requirements.
Regarding SPNEGO. There was no question asked about SPNEGO - you introduced this technical term in your response, and I answered the question referring to Kerberos since this is what Oliver asked about. Also, this is not supposed to be a discussion about standards, it is a discussion about the methods available to logon to SAP WAS using a Windows account. This is the question I have answered.
I didn't say that the ABAP systems supported SPNEGO. I simply explained how it is possible to use Kerberos to authenticate to ABAP apps, either via Integrated Windows Authentication or via a logon screen that asks for Active Directory account name and password. This answers the question from Oliver clearly and without confusing him with technology - basically, what he wants to do is possible, very easy and quite commonly implemented by SAP customers, so surely these things are more important than introducing technology and standards in to the discussion when they are not relavent, and certainly better than giving the impression that x.509 is the way to go !
I don't want this post/discussion to be taken the wrong way. I wanted to make sure that Oliver gets the answer he asked for, and when you responded implying that x.509 was the best option and Kerberos was not possible I felt I had to correct you on this, in the context of the question being asked and my knowledge of the solutions available on the market to address the requirements that Oliver has asked about.
Regards,
Tim

Similar Messages

  • HT4796 I'm transfering info from my old pc to my new macbook pro, using Windows Migration Assistant. All was fine but has now lost connection (wifi) and won't reconnect. Mac is showing transfer window and I cant escape, I'm new to mac.

    I'm transfering info from my old pc to my new macbook pro, using Windows Migration Assistant. All was fine but has now lost connection (wifi) and won't reconnect. Mac is showing transfer window and I cant escape, I'm new to mac

    You'll need to erase the drive by booting up holding command-option-r keys into your Recovery Volume.
    Use Disk Utility to erase the disk and then Internet Recovery. That will take a while.
    http://support.apple.com/kb/HT4718

  • [Consolidation-Locked] will Lightroom 4 run using windows xp?

    will Lightroom 4 run using windows xp?
    Message title was edited by: Brett N

    Please see http://forums.adobe.com/message/4131900

  • I was login a website ,and i have opened cookies , i want to open another window to login the same website use another account , and in the same windows can use the same account , how can i achieve it ? thinks

    i want to use firefox to login a website ,in the same window and different tags can user the same session
    but when i open other window and login the same website use different account .
    how can i achieve it ? thinks

    Your problem has nothing to do with the faults or limitations of a web browser.
    ''There can be only ONE active user logged in on a specific website during a whole Browsing Session. Even if you try to log-in using a new window it will sign-out the earlier User ID from that website. It will keep the most recent logged-in User ID active.''
    This is the general policy on which all websites are built. Even if you try to login the same website from another web browser, you won't be able to login from the second platform either. I just check it. Tried on Mozilla and Internet Explorer.

  • Can not logon using akype account on Samsung Smart...

    Just updated Skype on my Samsung smart TV.  Now i can't logon.  Error is incorrect password.  Checked with windows 7 and windows 8.  I can log on using microsoft account, but TV wants skype name.  Seems there was a similar problem a year ago.  Is this problem back?

    At the moment you can only sign in to Skype on the Samsung TV using a Skype Name. If you normally sign in to Skype on another device using a Microsoft Account (which is in the format of an email address), then you cannot sign in on the Samsung TV using the Microsoft Account at the moment. 
    The easiest solution for now, is to create a new Skype account for use on the TV - you can do this on the TV itself by selecting the 'create an account' option on the main Skype menu. 

  • HT204053 Dear Support Team, every time i tried to logon Icloud its gives me wrong user name or password and at the end it show me error " This Apple ID is valid but is not an ICloud Account" then how can i use one account for same Apple ID and ICloud???

    Dear Support Team,
    Every time i tried to logon Icloud its gives me wrong user name or password and at the end it show me error " This Apple ID is valid but is not an ICloud Account" then how can i use one account for same Apple ID and ICloud?
    Thanks

    It is not possible to create a new iCloud account using a Windows machine. You must create the account using a Mac (10.7.5 or more) or an IOS device (iPhone etc). Once that is done you can sign into and use the account on your Windows machine.

  • I recently built a new windows PC for the first time. My (new) wife and I both have itunes accounts, which we would like to use under different windows accounts on same PC. However, when I try to download my wife's songs it gives me an error.

    I am recently married to a wonderful woman and just built a windows PC for the first time. The idea was that we would (sorta) both be able to get a new computer out of it as we would each have a different account under windows. One of the first tasks was to migrate over our iTunes libraries. I did mine with no problem, but now that I'm try to do hers, I'm getting an error message saying "if you download past purchases with your Apple ID, you cannot auto-download or download purchases with a different Apple ID for 90 days."
    What's the best solution for this? I want my wife to be able to use the new computer under her windows account just like it's her new computer, to the extent possible. I don't want our two iTunes accounts to be fighting each other and causing problems because they are on the same physical machine. What to do? Surely this can't be the first time this has happened - where two people each want to have their own iTunes account on the same computer.
    This is the latest version of iTunes (12.0.1.26) running on Windows 8.1.

    Drrhythm2 wrote:
    What's the best solution for this? I
    Copy the entire /Music/iTunes/ folder from her old compouter to /Music/ in her account on this new computer.

  • I can't update iPhoto 9.4.1 to 9.4.3.  Every time I click update, it tells me to sign in to the account I used to purchase it but it was preinstalled.  Please help!!!

    I can't update iPhoto 9.4.1 to 9.4.3.  Every time I click update, it tells me to sign in to the account I used to purchase it but it was preinstalled.  Please help!!!

    They are updated through the Software Update facility, not the Mac App Store.
    Thanks for popping in....
    My iLife apps are all from retail install disks predating Lion/ML; I am running 10.8.4 and as soon as I choose Software Update from the menu, the app store 'Updates" window opens with "checking for updates". I believe that behavior (SU being directed to MAS) was changed with ML?

  • Can't enroll device for user and this user account is not authorized to use Windows Intune.

    Hello,
    We have SCCM 2012 R2 inegrated with intune via an intune subscription. When I enroll a device with my admin account there are no problems, but when I want to add it with another user account which is a member of the Intune users collection, it can't be enrolled.
    When I tested on https://portal.manage.microsoft.com with the credentials of the user I couldn't connect and received the following error: This user account is not authorized to use Windows Intune.
    Do I have to do anything in the https://accounts.manage.microsoft.com as there is a checkbox saying Windows Intune. this is unchecked now for all the users even my own account on which I'm able to enroll a device.
    Or is this a license problem? I know configuration Manager uses licenses for Intune but where can we track how many licenses are used and how many available? Is there some kind of report available?
    I hope someone can help me
    Kind regards,
    Robben

    I added them yesterday and this morning I was still not able to enroll a device with the added user his credentials.
    The UPN is correct. Maybe I need to force the DirSync then? Or will one day of waiting be enough normally?
    I can see the user in the intune management portal. Does this means it has been synced?
    Another thing I noticed is the cloudusersync.log doesn't show them being added? What I was thinking is I first used the all Users collection in the subscription and afterwards I changed it to a specific collection with only the test users. Could it be that
    they all synced already and the log doesn't show them anymore?
    A warning in this log shows this also:
    WARNING: Failed to get lsu url. default release one will be used. exception = System.NullReferenceException: Object reference not set to an instance of an object.~~   at Microsoft.ConfigurationManager.DmpConnector.UserSync.CloudUserUpload..ctor()  
     SMS_CLOUD_USERSYNC    23/04/2014 15:02:18    7684 (0x1E04)
    I don't know if that has anything to do with this?
    this is an extract of that log:
    CCloudUserSync::Process - User sync processing thread is now stopping.    SMS_CLOUD_USERSYNC    23/04/2014 14:59:42    8144 (0x1FD0)
    SMS_EXECUTIVE started SMS_CLOUD_USERSYNC as thread ID 7684 (0x1E04).    SMS_CLOUD_USERSYNC    23/04/2014 15:02:15    7572 (0x1D94)
    CCloudUserSync::Process - User sync processing has started.    SMS_CLOUD_USERSYNC    23/04/2014 15:02:15    7684 (0x1E04)
    Starting user sync ...    SMS_CLOUD_USERSYNC    23/04/2014 15:02:15    7684 (0x1E04)
    WARNING: Failed to get lsu url. default release one will be used. exception = System.NullReferenceException: Object reference not set to an instance of an object.~~   at Microsoft.ConfigurationManager.DmpConnector.UserSync.CloudUserUpload..ctor()  
     SMS_CLOUD_USERSYNC    23/04/2014 15:02:18    7684 (0x1E04)
    Starting user delta sync, raise failure status messages = True    SMS_CLOUD_USERSYNC    23/04/2014 15:02:18    7684 (0x1E04)
    Total received users from SCCM to be removed from cloud = 0    SMS_CLOUD_USERSYNC    23/04/2014 15:02:19    7684 (0x1E04)
    Successfully removed users from cloud 0    SMS_CLOUD_USERSYNC    23/04/2014 15:02:19    7684 (0x1E04)
    Total received users to add from SCCM = 0, Total Successfully added users to Cloud = 0    SMS_CLOUD_USERSYNC    23/04/2014 15:02:19    7684 (0x1E04)
    UserDeltaSync:- Users Added = 0, Users Removed = 0    SMS_CLOUD_USERSYNC    23/04/2014 15:02:19    7684 (0x1E04)
    Starting user delta sync, raise failure status messages = True    SMS_CLOUD_USERSYNC    23/04/2014 15:07:19    7684 (0x1E04)
    Total received users from SCCM to be removed from cloud = 0    SMS_CLOUD_USERSYNC    23/04/2014 15:07:19    7684 (0x1E04)
    Successfully removed users from cloud 0    SMS_CLOUD_USERSYNC    23/04/2014 15:07:19    7684 (0x1E04)
    Total received users to add from SCCM = 0, Total Successfully added users to Cloud = 0    SMS_CLOUD_USERSYNC    23/04/2014 15:07:19    7684 (0x1E04)
    UserDeltaSync:- Users Added = 0, Users Removed = 0    SMS_CLOUD_USERSYNC    23/04/2014 15:07:19    7684 (0x1E04)
    Starting user delta sync, raise failure status messages = True    SMS_CLOUD_USERSYNC    23/04/2014 15:12:19    7684 (0x1E04)
    Total received users from SCCM to be removed from cloud = 0    SMS_CLOUD_USERSYNC    23/04/2014 15:12:19    7684 (0x1E04)
    Successfully removed users from cloud 0    SMS_CLOUD_USERSYNC    23/04/2014 15:12:19    7684 (0x1E04)
    Total received users to add from SCCM = 0, Total Successfully added users to Cloud = 0    SMS_CLOUD_USERSYNC    23/04/2014 15:12:19    7684 (0x1E04)
    UserDeltaSync:- Users Added = 0, Users Removed = 0    SMS_CLOUD_USERSYNC    23/04/2014 15:12:19    7684 (0x1E04)
    Starting user delta sync, raise failure status messages = True    SMS_CLOUD_USERSYNC    23/04/2014 15:17:19    7684 (0x1E04)
    Total received users from SCCM to be removed from cloud = 0    SMS_CLOUD_USERSYNC    23/04/2014 15:17:19    7684 (0x1E04)
    Successfully removed users from cloud 0    SMS_CLOUD_USERSYNC    23/04/2014 15:17:19    7684 (0x1E04)
    Total received users to add from SCCM = 0, Total Successfully added users to Cloud = 0    SMS_CLOUD_USERSYNC    23/04/2014 15:17:19    7684 (0x1E04)
    UserDeltaSync:- Users Added = 0, Users Removed = 0    SMS_CLOUD_USERSYNC    23/04/2014 15:17:19    7684 (0x1E04)
    Starting user delta sync, raise failure status messages = True    SMS_CLOUD_USERSYNC    23/04/2014 15:22:19    7684 (0x1E04)
    Total received users from SCCM to be removed from cloud = 0    SMS_CLOUD_USERSYNC    23/04/2014 15:22:19    7684 (0x1E04)
    Successfully removed users from cloud 0    SMS_CLOUD_USERSYNC    23/04/2014 15:22:19    7684 (0x1E04)
    Total received users to add from SCCM = 0, Total Successfully added users to Cloud = 0    SMS_CLOUD_USERSYNC    23/04/2014 15:22:20    7684 (0x1E04)
    UserDeltaSync:- Users Added = 0, Users Removed = 0    SMS_CLOUD_USERSYNC    23/04/2014 15:22:20    7684 (0x1E04)
    kind regards,
    Robben

  • I was recently prompted to update my Itunes player to the latest version. I'm using Windows Vista. I was left with an error message MSVCR80.dll and consequently no new update. I uninstalled the old version and have tried to reinstall manually. No luck

    I was recently prompted to update my Itunes player to the latest version. I'm using Windows Vista. I was left with an error message MSVCR80.dll and consequently no new update. I uninstalled the old version and have tried to reinstall manually several times. No luck. Consequently I have no player.
    Any ideas for a fix?

    Go to Control Panel > Add or Remove Programs (Win XP) or Programs and Features (later)
    Remove all of these items in the following order:
    iTunes
    Apple Software Update
    Apple Mobile Device Support (if this won't uninstall move on to the next item)
    Bonjour
    Apple Application Support
    Reboot, download iTunes, then reinstall, either using an account with administrative rights, or right-clicking the downloaded installer and selecting Run as Administrator.
    The uninstall and reinstall process will preserve your iTunes library and settings, but ideally you would back up the library and your other important personal documents and data on a regular basis. See this user tip for a suggested technique.
    Please note:
    Some users may need to follow all the steps in whichever of the following support documents applies to their system. These include some additional manual file and folder deletions not mentioned above.
    HT1925: Removing and Reinstalling iTunes for Windows XP
    HT1923: Removing and reinstalling iTunes for Windows Vista, Windows 7, or Windows 8
    tt2

  • FTP logon issues on IIS 7 using Windows Server 2008 R2

    Hi, I'm currently experiencing issues when trying to log on to an FTP server I created using Windows Server 2008 R2.
    The FTP web site has Enabled both Anonymous and Basic Authentication.
    On the Authotization Rules it has enabled Allow All Users and Anonymous Users with read permissions, and the local administrator with read and write.
    Whenever I try to log on, either via IE or Command prompt, when asked for credentials, I get logon failures, either with anonymous or a username that has access permissions to the FTP root folder.
    I tried changing the FTP application pool identity to Network Service, but still get the same error. I also have tried testing the connection from the basic settings section of the FTP Site, and when I test it using Application User (use pass-through authentication)
    I get an error that says: ¨IIS Manager cannot verify whether the builtin account has access¨If I instead use a username and password, the test passes ok, however using this account to try to enter the FTP site I get logon failure, even when the account
    I´m using is a local admin account.
    The Server is part of an AD Domain.
    I have read a few blogs and forums about problems with FTP validation but nothing related exactly to my issue.
    Any ideas are deeply appreciated.
    thanks
    Eduardo Rojas

    Hi, I would tend to ask on IIS forum (iis.net), as you might get more attention and help there.
    For your issue, I would tend to think that you need to set the correct security on the FTP's home folder, but again it's only an advice, as I'am not an IIS's guru.
    Regards, Philippe
    Don't forget to mark as answer or vote as helpful to help identify good information. ( linkedin endorsement never hurt too :o) )
    Answer an interesting question ? Create a
    wiki article about it!

  • Cannot use Windows AD Network Accounts with Mavericks

    Hi
    Mavericks is seriously getting to me and are surprised on the big quality drop the Apple products have had the past year. We are using Windows AD to handle all users and all other clients (Mac OS 10.6 - 10.8, various Windows versions) except Mavericks can use the network accounts.
    The computers with mavericks was mainly upgraded from 10.8
    Windows AD Domains are running Windows 2012
    Any advice on where to start looking? This is solely a Mac OS issue.

    having same problem with my x300 installed windows 8 2 months ago and wireless was working fine.
    then a couple of weeks ago wireless stopped working so installed windows 7 and still no wireless.
    can only get internet with Lan cable and when i troubleshoot shows that wifi is turned off try the switch but no light when i turn on and computer says that wifi is off and needs to be turned on.
    did you have any luck fixing your x300 and if you did how did you fix it?

  • How can I retrieve my calendar info that was sucked from my iPad 2 after upgrading to OS V and backing up to iCloud (using Windows XP computer with Outlook)?

    How can I retrieve my calendar info that was sucked from my iPad 2 after upgrading to OS V and backing up to iCloud (using Windows XP computer with Outlook)?

    I think (and I'll double check) only the BBLink events will sync on a wired USB sync. I'm fairly certain of that.
    You'll need to use your calendar syncing via an EAS email account (outlook.com, for instance, is free) to sync wirelessly. It works great. I use it and was a former tied to the USB sync guy as well... and I thought I was gonna die a painful death without it. I found more freedom this way.
    This explains the process. But I don't think you'll get BBM Groups to sync.
    http://supportforums.blackberry.com/t5/BlackBerry-​Z10/How-To-OTA-Sync-BB10-and-non-BES-Outlook-Overv​...
    1. If any post helps you please click the below the post(s) that helped you.
    2. Please resolve your thread by marking the post "Solution?" which solved it for you!
    3. Install free BlackBerry Protect today for backups of contacts and data.
    4. Guide to Unlocking your BlackBerry & Unlock Codes
    Join our BBM Channels (Beta)
    BlackBerry Support Forums Channel
    PIN: C0001B7B4   Display/Scan Bar Code
    Knowledge Base Updates
    PIN: C0005A9AA   Display/Scan Bar Code

  • Using Microsoft account on domain-joined Windows 10 Technical Preview

    (First asked at
    http://answers.microsoft.com/en-us/windows/forum/windows_tp-security/using-microsoft-account-on-domain-joined-windows/63093b15-af76-4461-a23e-8f8b739f4960, was told to come here...)
    I have in-place upgraded a domain-joined Windows 7 machine to Windows 10 Technical Preview build 9860.
    I can log on as before using my domain account, but I'd also like to be able to log on using my (personal) Microsoft account.
    I tried typing [email protected] in the "user" box but this didn't work.
    Any clue? Maybe the only way is to first create a local account and then associate it with the MSA but IMVHO this shouldn't be necessary...

    Hi sba,
    If we updated to Windows 10 Technical Preview from Windows 7, Windows will keep your Windows settings, personal files, and most apps. And based on what I know, if we haven’t create a Microsoft Account on Windows 10 (or there is no Microsoft account available
    before we update to Windows 10), it will not allow us to sign in with a Microsoft Account.
    To make it able to sign in with a Microsoft account, we need either connect a local account to a Microsoft account (Under PC settings->Users and Accounts-> Your profile)
    or
    create a new user account(under PC settings->Users and Accounts->Other users->Mange other users-> Add a user);
    Best regards
    Michael Shao
    TechNet Community Support

  • I am using windows 8.1. But I recieved the error This apple id is valid but is not an icloud account. How can I get connected to Icloud?

    I am using Windows 8.1. When I try to connect to Icloud I get the Message: This Apple id is valid, but is not an icloud account.
    How can I get connected to Icloud?

    Hello pmarrone,
    You may only sign up for an iCloud account via one of the following systems or devices.
    You can sign up for iCloud on an iPhone, iPad, or iPod touch with iOS 5 or later, or through System Preferences on a Mac with OS X Lion v10.7.4 or later. Just follow the setup instructions for your iOS device or Mac.
    Creating an iCloud account: Frequently Asked Questions
    http://support.apple.com/kb/HT4436
    Cheers,
    Allen

Maybe you are looking for

  • My ipod has died

    I'm trying to be matter of fact about the issue, because I truly doubt there is any hope: Ipod was bought a little under a year and a half ago. I was using i-tunes this afternoon, i think at least version 6. I was also using a program called ipod age

  • How can I find which datafile a row in a huge partitioned table belongs to?

    Hello guys. We have a bunch of potentially corrupt LOB data in a 15TB partitioned table. I have run a query to find out what rows may be corrupt. Is it possible to find out if these belong to a common datafile (the are 450 datafiles in this tablespac

  • Why can't I log into WiFI?

    Why can't I log into WiFi with my Ipad Air all of a sudden? WiFi is turned on. Under settings ... it shows the network Im trying to log into ... and in the column   to the right where it lists the various networks, it shows the network i want and a l

  • Rc-local.service keeps failing after one time success

    Actually it's quite weird, every time rc-local.service was enable successfully with boot but then it keeps failing. However, once I modify /etc/systemd /system/rc-local.service( even something that really doesn't matter ), it will be enabled successf

  • 800*600 screen resolution not showing full adobe window

    Hi, One of my customers is currently running Adobe Captivate 2 and due to difficulties with vision is using a screen on 800*600 resolution. When you open pretty much any of the menus/options the screens that pop up fill the screen past the 800*600 li