SAP Integration With Windows 2000 Server Active Directory


SAP and Active Directory Identity Management

Abstract

Every company is looking for ways to lower administration costs and strengthen security. The challenges of single sign-on, data integrity, data accuracy, and data consistency across systems continue to be problematic for virtually every company. Implementing an identity management strategy to manage identities and identity data can enable a company to achieve these goals. This document discusses how a company can integrate its SAP Enterprise Resource Planning (ERP) applications or mySAP Enterprise Portal with Active Directory to help accomplish these goals across these two important systems.

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2002 Microsoft Corporation. All rights reserved.

Microsoft, Win32, Active Directory, Windows and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

CONTENTS

INTRODUCTION
    The Need for Identity Management
    Identity Management Challenges
INTEGRATION BETWEEN ACTIVE DIRECTORY AND SAP
    Simplified Management
    Strengthened Network Security
    Makes Use of Existing Systems through Interoperability
    Using Active Directory for SAP R/3 Systems Management
    Active Directory and the SAPGUI
    Using Active Directory with Central User Administration
ACTIVE DIRECTORY AND mySAP ENTERPRISE PORTAL
SINGLE SIGN-ON WITH THE WINDOWS PLATFORM
    SAPGUI for Windows
    SAP .NET Connector (Windows Clients and Web Scenarios)
CONCLUSION
REFERENCES

Windows 2000 Server White Paper

INTRODUCTION

Today's companies are competing globally to provide access to information, to enhance productivity, and to deliver services quickly, all at the lowest possible cost. The ability to communicate and collaborate with partners, suppliers, customers, and employees anytime and anywhere is now a requirement. Gone are the days when only a selected group of people had network access to business applications and data.

The advent and acceptance of new computing technologies and the Internet have changed the way information is stored, accessed, and shared. Companies have implemented a more open and distributed information model, resulting in benefits that include:

• Increased employee productivity: Enables employees to be flexible, make better decisions, and respond quickly to the changing demands of the marketplace by providing secure access to the information they need, anywhere and at any time.
• Lower cost: Decreases costs and increases efficiency by safely leveraging the power of collaboration and network connectivity.
• Integrated business processes: Increases sales by enabling closer relations with customers and partners through secure communications and collaboration.

The Need for Identity Management

Electronically accessible versions of nearly all key company data are kept within the corporate network. As a result, it is increasingly important for companies to make certain that only authorized users have access to this confidential information. At the same time, companies must ensure that authorized users can obtain the information they need with limited loss of productivity. Balancing these two key objectives is the challenge of identity management. When addressing identity management, administrators need to consider the following:

• Security: Employees, contractors, and business partners have varied needs for access to data and applications. It is crucial for corporations to ensure that only specifically authorized users have access to sensitive company information.
• Management complexity: Modern enterprises have many specialized systems on a variety of platforms. Developing consistent user access policies becomes increasingly complex as the number of users and systems multiplies.
• Lowering cost: Even maintaining simple access policies can be expensive if there are multiple applications, systems, and platforms that have their own separate user access lists. For example, changing access rights for 10,000 users on 20 systems requires updating at least 200,000 entries.

By addressing these key secure connectivity challenges, organizations can achieve greater employee productivity, decrease costs, and improve business integration.

Identity Management Challenges

Security

Providing secure information access to authorized users has become increasingly complex due to the distributed nature of corporate networks. In most enterprises, individual applications and systems have their own user database or directory to track who is permitted to use that application and system. As responsibility for granting access control becomes more and more decentralized, the likelihood of security breaches increases dramatically. For example:

• Departing employees, contractors, customers, and business partners often retain access to systems for long periods until all systems are updated, and invalid user accounts proliferate.
• Inconsistent policies result in inadvertently granting users access to sensitive information (for example, human resources databases).
• Systems are more vulnerable due to weak credentials, poor or no password policies, and the large number of user IDs and passwords that must be remembered by users.

Management Complexity

As modern corporations use more specialized systems, such as network resource directories, mail servers, human resources databases, voice mail servers, and payroll applications, it has become increasingly complicated to manage user access rights. Individual divisions within an enterprise may have different processes for requesting and provisioning resources. Furthermore, in most companies, each system has its own tools for managing user accounts. Many require separate passwords and processes for authenticating users. All these issues contribute to increased IT management complexity. For example:

• Disparate and diverse authentication and authorization systems must each be managed, administered, and audited in different ways.
• The proliferation of directories and other repositories of identity information results in changes having to be made in multiple stores in multiple different ways.
• Users are frustrated because they must keep track of multiple IDs and passwords for different applications and systems.
• As companies scale their systems to serve not only their employees but also their customers and business partners via the Internet, these challenges are further magnified.

Lowering Cost

In many organizations, each system acts as an island of special records and database entries that must be managed individually. These systems typically have their own definition of the user's identity (name, title, ID numbers, roles, or membership in groups). The larger the organization, the greater the variety of these repositories and the higher the cost and effort required to keep them updated.

• Line managers, IT professionals, and human resources staff devote significant time and energy to complete forms, enter and update user data, set up accounts, and reset forgotten passwords.
• New employees and contractors often wait days to receive access to critical applications and information while each administrator creates and manages user credentials.

In order to overcome these challenges, many customers are faced with building or buying additional components. The ideal customer solution is one where applications that are part of the overall corporate identity management process are integrated with each other. This type of integration not only allows a customer to benefit from improved security and simplified management, but it further lowers cost, as no additional software or services must be purchased to help achieve these goals.

INTEGRATION BETWEEN ACTIVE DIRECTORY AND SAP

Active Directory (AD) allows organizations to centrally manage and share information about network resources and users. Active Directory also acts as the integration point for bringing systems and applications, like SAP and AD, together. SAP's integration with Active Directory allows customers to take advantage of the key identity management benefits discussed in the previous section:

• Simplified management tasks
• Strengthened network security
• Reduced administration costs

As part of Microsoft's overall identity management strategy, Active Directory has undergone SAP's BC-LDAP-USR certification process. This SAP certification indicates that Active Directory has been thoroughly tested and approved at SAP's Integration and Certification Center (ICC) for use with the SAP and mySAP Enterprise Portal products. Through this testing and certification, Microsoft and SAP customers are assured to obtain:

• A product technically verified to work with SAP
• An interface that is ready to use and tested with a variety of product releases
• Proof of verification with full documentation and a corresponding certification test procedure

Figure 1: SAP's interfaces to Windows and Active Directory (Active Directory on Windows 2000 Server serving single sign-on, SAP systems management, mySAP Enterprise Portal roles and content, SAP Central User Administration, SAP GUI for Windows, the SAP .NET Connector, and other SAP applications using LDAP)

Information regarding Active Directory's certification may be found at: http://www.sap.com/partner/software/directory/

Customers who integrate SAP with Active Directory as part of their overall identity management strategy achieve a number of specific benefits.

Simplified Management

The SAP system can use Active Directory's service publication capability to detect SAP R/3 systems and their services, such as the application servers, message servers, database, gateway service, and SAP Internet Transaction Server (ITS) instances. This enables enterprise-wide information about installed systems to be viewed and accessed from a central location without having to manually configure files on each server or individual workstation.

The SAP R/3 4.6C Microsoft Management Console (MMC) snap-in is the first component to use information provided by Active Directory. In addition to providing a central view of all SAP systems in your landscape, the MMC snap-in provides interfaces to monitor, stop, and start the SAP systems.

SAPGUI for Windows also uses Active Directory to obtain a list of SAP systems. This eliminates the need for administrators and end users to manually manage SAP-specific files like SAPLogon.ini on each individual workstation.

By using the Active Directory Group Policy feature, administrators can update and deploy the SAPGUI and other SAP applications to user desktops automatically. For organizations that want to use single sign-on with SAPGUI, SAP provides a special MSI package. This package can be automatically deployed to all relevant users through the use of Group Policy.

SAP Central User Administration (Web Application Server version 6.10) supports synchronization with Active Directory, allowing the easy management of the identities in your organization.

The end result is lower management and administrative costs.

Strengthened Network Security

One of the most important architectural advantages of Windows 2000 is the integration of Active Directory and its advanced security features, which enable a new level of data protection.

SAP supports various single sign-on options for the Microsoft platform, including Kerberos, NTLM, and X.509 certificates. SAPGUI for Windows, mySAP Enterprise Portal, SAP Internet Transaction Server, and the new SAP .NET Connector support all of these options. Where the environment allows, prefer Kerberos or X.509 certificates over NTLM: NTLM is a challenge/response protocol that authenticates only the client, whereas Kerberos authenticates both parties and supplies the keys used to protect the session.

Active Directory strengthens security in the SAP environment by:

• Improving security and data protection: SAP systems can take advantage of the built-in Kerberos integration in Active Directory and Windows 2000 for single sign-on. Not only is the need for a separate SAP password eliminated, the data channel between the SAP client and application server is also encrypted when Secure Network Communications (SNC) is configured for privacy-level protection (the snc/data_protection/* profile parameters set the levels the server accepts; at the lower levels the channel is only authenticated or integrity-protected, not encrypted). Both SAP and Microsoft provide built-in support for secure Internet-standard protocols and authentication mechanisms such as Kerberos, public key infrastructure (PKI), and Lightweight Directory Access Protocol (LDAP) over Secure Sockets Layer (SSL). This enables customers to choose the individual level of security they require for their environment.
• Reducing security risks: By integrating SAP with Active Directory, a company limits the number of repositories where trusted identities need to be managed. As a result, IT administrators have a single procedure for adding, removing, and managing trusted identities, which reduces the risk of unauthorized access to secure applications and data. This holds only if the SAP logon is actually tied to the directory identity: as long as an SAP user keeps a password and the server still accepts password logons, disabling the user in Active Directory does not by itself close the SAP logon, so the SAP user must be locked as well or password logons must no longer be accepted.

The end result is increased security and reduced security risks.
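The "single procedure for adding, removing, and managing trusted identities" closes the door only if every SAP logon path is tied to the directory identity. The following Python script is an added example by this editor, not code from the white paper or from SAP or Microsoft: it reconciles a constructed export of SAP user records (USR02 lock status and validity, USRACL SNC-name mappings; the table and field names are as this editor recalls them and must be verified on your system) against a constructed Active Directory export, and lists SAP users who can still log on although their Windows identity is disabled or gone, or who have no SNC mapping at all and therefore still depend on an SAP password. The same check addresses the "departing employees retain access" problem from the Identity Management Challenges section. The SNC name format p:<principal>@<REALM> is the form this editor recalls for gsskrb5.dll and is an assumption here.

```python
"""Reconcile SAP user accounts against Active Directory.

Added example; not from the white paper, SAP, or Microsoft.  Table/field
names (USR02.UFLAG, USR02.GLTGB, USRACL.PNAME) and the SNC name format are
assumptions to verify on your own system.  All data below is constructed.
"""
from datetime import date
from typing import Dict, List, Optional, Tuple

ACCOUNTDISABLE = 0x0002  # userAccountControl bit set on a disabled AD account

# Constructed Active Directory export: sAMAccountName -> userAccountControl.
AD_USERS = {
    "alice": 512,   # NORMAL_ACCOUNT
    "bob": 514,     # NORMAL_ACCOUNT | ACCOUNTDISABLE: bob has left the company
    "eve": 514,     # disabled in AD, and also locked in SAP (see USR02)
    "frank": 514,   # disabled in AD; SAP validity was end-dated 2002-06-30
}

# Constructed USRACL rows: SAP user name -> SNC name presented by the client.
# With gsskrb5.dll the printable name is p:<principal>@<REALM> (assumption).
USRACL = {
    "ALICE": "p:alice@CORP.EXAMPLE.COM",
    "BOB":   "p:bob@CORP.EXAMPLE.COM",
    "CAROL": "p:carol@CORP.EXAMPLE.COM",   # no such AD principal any more
    "EVE":   "p:eve@CORP.EXAMPLE.COM",
    "FRANK": "p:frank@CORP.EXAMPLE.COM",
}

# Constructed USR02 rows: SAP user -> (UFLAG lock status, GLTGB valid-to YYYYMMDD).
USR02 = {
    "ALICE": (0, "00000000"),
    "BOB":   (0, "00000000"),
    "CAROL": (0, "00000000"),
    "DAVE":  (0, "00000000"),   # never mapped: password-only logon
    "EVE":   (64, "00000000"),  # already locked by an administrator
    "FRANK": (0, "20020630"),   # validity expired at end of June 2002
}

TRUSTED_REALMS = {"CORP.EXAMPLE.COM"}   # Kerberos realms we issue SSO for


def principal_from_snc_name(snc_name: str) -> Optional[Tuple[str, str]]:
    """Split 'p:user@REALM' into (user, REALM); None if not in that form."""
    if not snc_name.startswith("p:") or "@" not in snc_name:
        return None
    user, realm = snc_name[2:].rsplit("@", 1)
    return user, realm.upper()


def sap_user_is_active(uflag: int, gltgb: str, today: date) -> bool:
    """UFLAG 0 means unlocked; GLTGB '00000000' (or empty) means no end date."""
    if uflag != 0:
        return False
    if gltgb and gltgb != "00000000":
        return date(int(gltgb[:4]), int(gltgb[4:6]), int(gltgb[6:8])) >= today
    return True


def orphaned_sap_accounts(ad_users: Dict[str, int], usracl: Dict[str, str],
                          usr02: Dict[str, Tuple[int, str]],
                          today: date) -> List[Tuple[str, str]]:
    """Return (SAP user, reason) for every logon-capable SAP user whose
    Windows identity is missing or disabled, or who has no SNC mapping."""
    ad_lower = {name.lower(): uac for name, uac in ad_users.items()}  # AD names are case-insensitive
    findings = []
    for bname, (uflag, gltgb) in sorted(usr02.items()):
        if not sap_user_is_active(uflag, gltgb, today):
            continue                     # locked or expired: cannot log on anyway
        snc = usracl.get(bname)
        if snc is None:
            findings.append((bname, "no SNC mapping: password logon only"))
            continue
        parsed = principal_from_snc_name(snc)
        if parsed is None:
            findings.append((bname, f"malformed SNC name {snc!r}"))
            continue
        user, realm = parsed
        if realm not in TRUSTED_REALMS:
            findings.append((bname, f"mapped to untrusted realm {realm}"))
            continue
        uac = ad_lower.get(user.lower())
        if uac is None:
            findings.append((bname, f"AD principal {user}@{realm} no longer exists"))
        elif uac & ACCOUNTDISABLE:
            findings.append((bname, f"AD principal {user}@{realm} is disabled"))
    return findings


def report(today_iso: str = "2002-07-01") -> List[Tuple[str, str]]:
    """Run the reconciliation over the constructed data as of the given date."""
    return orphaned_sap_accounts(AD_USERS, USRACL, USR02, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for bname, reason in report():
        print(f"{bname:<12} {reason}")
```

In production the three inputs come from an LDAP query (userAccountControl) and from the SAP side (table downloads or the CUA distribution logs); the logic is the same. Users found with "no SNC mapping" are the ones the white paper's promise does not yet cover.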

Makes Use of Existing Systems through Interoperability

SAP ABAP/4 programs can easily read and write information to Active Directory using LDAP, for example to retrieve address, user, or system data such as e-mail addresses, fax numbers, addresses, or printers. Many SAP applications ship with built-in Active Directory integration, including Central User Administration version 6.10 and mySAP Enterprise Portal version 5.0. mySAP Enterprise Portal version 5.0 also uses Active Directory to store user mapping information, role-to-user assignments, and other customization attributes. These features enable customers to immediately and easily take advantage of Active Directory as their single, multi-purpose directory for both SAP-related and network operating system (NOS) information.

With mySAP.com, applications that support LDAP can access Active Directory and use it for their storage needs. For example, various systems on different platforms can access information using Active Directory. Likely candidates include the following:

• Personnel information (name, department, organization)
• User and security information (user account, authorizations, public-key certificates)
• System resource and service information (system identifier, application configuration, printer configuration)

The SAP HR system can use Active Directory to make personnel data in the mySAP.com components available to other applications. Employee information that may be of interest can be stored in Active Directory and retrieved by other applications as necessary. For example, the HR application stores employee data (name and position) in Active Directory. A different application, such as project management, can access this information for its own purposes.

Each SAP system is an Active Directory-enabled client and can take advantage of Active Directory. Information that is shared between mySAP.com and other components can be stored in Active Directory and accessed by the various applications. As an Active Directory-enabled client, the SAP applications have both read and write access to the Active Directory. Therefore, information from other systems is available to the SAP system, and SAP system data is available to other systems. Give the account that the SAP system uses to bind to the directory write access only to the containers it owns; it needs no rights over the rest of the directory.

Microsoft customers benefit from this by being able to place all information regarding their employees, partners, and customers in a single directory repository.

Using Active Directory for SAP R/3 Systems Management

SAP systems that are registered in Active Directory can be centrally managed using the SAP MMC snap-in.

In addition to providing system information to Active Directory, which can be used by SAP clients such as the SAPGUI for Windows, the MMC snap-in provides DCOM interfaces that allow system administrators to monitor and control SAP instances centrally.

Figure 2: SAP MMC snap-in

Some of the functions provided by the MMC snap-in include:

• Start and stop the SAP service
• Log on to SAP systems directly from the MMC snap-in
• View profiles and traces
• Read the system log
• Receive alerts
• Integrate directly with SAP CCMS
• Start and stop SQL Server
• Back up and restore SQL Server

During R/3 setup, the setup tool offers automatic schema installation for Active Directory and enables automatic registration during installation. Extending the schema is a forest-wide change that requires membership in Schema Admins and cannot be undone, so test it in a lab forest before running it against production.

Figure 3: SAP R/3 setup screen

Active Directory and the SAPGUI

Starting with SAP R/3 version 4.6D, the SAPGUI can be configured to find R/3 systems and their message servers from Active Directory instead of using a fixed list of systems and message servers stored and maintained in SAP configuration files. If the SAPGUI is configured to use Active Directory, it queries Active Directory each time server or group selection is used, to obtain up-to-date information about R/3 systems.

SAPGUI components, such as single sign-on, can be deployed via the Group Policy feature of Active Directory. SAP provides an MSI installer package for deployment of the SAPGUI with single sign-on (SAPSSO.MSI). By using this MSI file, an Active Directory administrator can enable automated deployment of the SAPGUI software to Windows-based users that require it.

Using Active Directory with Central User Administration

SAP Central User Administration (CUA) 6.10 allows the administration of the whole system landscape from a central point. All identity data can be maintained centrally, while still allowing for local maintenance.

Figure 4: Configuring Active Directory synchronization in SAP

ACTIVE DIRECTORY AND mySAP ENTERPRISE PORTAL

mySAP Enterprise Portal unifies the applications, information, and services in an enterprise into one system. It is a personalized, interactive gateway providing employees, partners, suppliers, and customers with a single point of access. mySAP Enterprise Portal can be accessed through multiple devices from anywhere and at any time. It delivers relevance to the user, eliminates traditional barriers to productivity, and dramatically accelerates business throughput.

SAP also offers portal content specifically targeted to the user's function within an organization. SAP Business Packages streamline access to the business processes that users inside and outside of the enterprise need most, since they are tailored to the user's specific roles and responsibilities. The Business Packages have been designed based on considerable SAP experience and provide increased efficiency, timely decisions, and improved customer service.

mySAP Enterprise Portal uses Active Directory in two ways: as the Corporate Directory or as the Portal Directory. Active Directory is approved and supported by SAP for use in either of these roles.

As the Corporate Directory, mySAP Enterprise Portal makes use of users and groups stored in Active Directory. No changes are required to Active Directory, since the configuration and mapping are done within mySAP Enterprise Portal User Management Configuration.

When using Active Directory as the Portal LDAP directory, the Active Directory schema must be extended by adding several new object classes. In addition, three new organizational units need to be created in Active Directory. The SAP Notes on using Active Directory as the portal directory and the Microsoft guides to schema extension and organizational units are listed in the references.

SINGLE SIGN-ON WITH THE WINDOWS PLATFORM

SAPGUI for Windows

SAPGUI for Windows can use Kerberos authentication via the SAP GSS library (gsskrb5.dll) in addition to NTLM authentication. When gsskrb5.dll is installed with the SAPGUI and the SNC_LIB environment variable points to it, the SAPGUI enables single sign-on with Windows, such that an end user's Windows credentials are used to access SAP without the requirement for an additional user ID and password that is specific to SAP. The GSS library also provides for data encryption between the SAPGUI and the SAP application server. To assist in rolling out single sign-on, SAP provides an MSI package called SAPSSO.MSI.

The Kerberos SNC name entered in SAPGUI is the SNC name of the SAP application server's service user, that is, the account under which the SAP service runs. The client obtains a Kerberos service ticket for that account from the domain controller, and the SAP application server validates the ticket through the GSS library, so no SAP password is exchanged. On the SAP side, each Windows principal must be mapped to its SAP user by entering the principal's SNC name in the user master record; a principal without such a mapping is not logged on automatically.

Figure 5: SAP single sign-on support

mySAP Enterprise Portal also supports various single sign-on options, including Kerberos, NTLM, and X.509 certificates.
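The SNC behaviour described in the Strengthened Network Security and SAPGUI for Windows sections is driven by profile parameters on the application server, and the benefit depends as much on the server refusing the fallbacks (password logons, unencrypted sessions) as on gsskrb5.dll being present. The following Python script is an added example by this editor, not code from the white paper or from SAP: it parses a constructed instance profile and flags the settings that leave the password path or the clear-text path open, with a weak and a hardened profile side by side. The parameter names are SAP's SNC profile parameters; the system ID, paths and realm are constructed; the default values assumed for absent parameters and the simplified negotiation model in negotiated_protection are this example's assumptions and should be checked against the parameter documentation (transaction RZ11) for your release.

```python
"""Audit the SNC (Secure Network Communications) settings of an SAP
instance profile.  Added example; not from the white paper or from SAP.
The profiles below are constructed; defaults and the negotiation model are
this example's assumptions."""
from typing import Dict, List, Optional, Tuple

# Constructed sample: SNC is switched on, but every fallback is left open,
# so password logons and unencrypted sessions are still accepted.
WEAK_PROFILE = """\
SAPSYSTEMNAME = PRD
INSTANCE_NAME = DVEBMGS00
snc/enable = 1
snc/gssapi_lib = C:\\usr\\sap\\PRD\\SYS\\exe\\run\\gsskrb5.dll
snc/identity/as = p:SAPServicePRD@CORP.EXAMPLE.COM
snc/accept_insecure_gui = 1
snc/accept_insecure_rfc = 1
snc/permit_insecure_start = 1
snc/data_protection/min = 1
snc/data_protection/max = 3
snc/data_protection/use = 9
"""

# Constructed sample: the same instance with the fallbacks closed.
HARDENED_PROFILE = """\
SAPSYSTEMNAME = PRD
INSTANCE_NAME = DVEBMGS00
snc/enable = 1
snc/gssapi_lib = C:\\usr\\sap\\PRD\\SYS\\exe\\run\\gsskrb5.dll
snc/identity/as = p:SAPServicePRD@CORP.EXAMPLE.COM
snc/accept_insecure_gui = 0
snc/accept_insecure_rfc = 0
snc/permit_insecure_start = 0
snc/data_protection/min = 3
snc/data_protection/max = 3
snc/data_protection/use = 3
"""

# SNC quality-of-protection levels: 1 = authentication only, 2 = integrity,
# 3 = privacy (encryption).  A client asking for 9 wants the server's maximum.
QOP_NAMES = {1: "authentication", 2: "integrity", 3: "privacy"}

Finding = Tuple[str, str, str]   # (parameter, value as found, explanation)


def parse_profile(text: str) -> Dict[str, str]:
    """Parse 'name = value' lines of an SAP profile; '#' starts a comment."""
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params


def audit_snc(params: Dict[str, str]) -> List[Finding]:
    """Flag SNC settings that undermine single sign-on or channel encryption.
    Defaults used for absent parameters are assumptions (verify in RZ11)."""
    findings: List[Finding] = []

    def flag(name: str, msg: str) -> None:
        findings.append((name, params.get(name, "<unset>"), msg))

    if params.get("snc/enable") != "1":
        flag("snc/enable", "SNC is off: SAPGUI logons send SAP passwords without SNC protection")
        return findings
    if not params.get("snc/gssapi_lib"):
        flag("snc/gssapi_lib", "no GSS-API library configured (gsskrb5.dll for Kerberos)")
    if not params.get("snc/identity/as", "").startswith("p:"):
        flag("snc/identity/as", "server SNC name should be the printable form p:<service account>@<REALM>")
    for name in ("snc/accept_insecure_gui", "snc/accept_insecure_rfc"):
        if params.get(name, "0") != "0":
            flag(name, "non-SNC (password) connections are still accepted, so SSO can be bypassed")
    if params.get("snc/permit_insecure_start", "0") != "0":
        flag("snc/permit_insecure_start", "instance starts without SNC if the GSS library fails to load")
    min_level = int(params.get("snc/data_protection/min", "2"))
    if min_level < 3:
        flag("snc/data_protection/min",
             f"server accepts {QOP_NAMES[min_level]}-level sessions, so traffic is not guaranteed to be encrypted")
    return findings


def negotiated_protection(params: Dict[str, str], client_qop: int) -> Optional[int]:
    """Simplified model of the level a SAPGUI session ends up with: 9 means
    'the server's maximum'; a request outside [min, max] is refused (None).
    This is the example's model, not SAP's documented algorithm."""
    lo = int(params.get("snc/data_protection/min", "2"))
    hi = int(params.get("snc/data_protection/max", "3"))
    level = hi if client_qop == 9 else client_qop
    return level if lo <= level <= hi else None


if __name__ == "__main__":
    for label, text in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(f"== {label} profile ==")
        for name, value, msg in audit_snc(parse_profile(text)) or [("-", "-", "no findings")]:
            print(f"{name:<30} {value:<6} {msg}")
```

Run it against the real instance profile from the SAP profile directory; the check on snc/data_protection/min is the one that turns the white paper's "automatically encrypted" into something you can verify rather than assume.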

SAP .NET Connector (Windows Clients and Web Scenarios)

The .NET Connector makes it easy to extend the functionality of your SAP system with .NET functionality. The SAP .NET Connector has built-in support for single sign-on scenarios, including authentication by X.509 certificates, Kerberos, and external authenticators like Microsoft Passport.

Figure 6: Microsoft Visual C# project showing support for the various single sign-on options in the SAPLogonDestination object, a part of the SAP .NET Connector

The .NET Connector supports all of the SAP single sign-on mechanisms, including Passport, ASP.NET login forms, and so on. Developers can easily add support for Active Directory and single sign-on within SAP application programs.

CONCLUSION

Today, every company is concerned about reducing costs. Deploying ERP, portal, and other related systems is a step that many companies take towards that goal. However, in many cases there is an additional burden in product and services costs related to integrating these systems with other identity-centric systems within the organization. This is the identity management challenge.

The integration of SAP products with Active Directory enables a customer to solve these identity management challenges so they can achieve even further cost reductions through strengthened security, increased manageability, and lowered administration costs. Additionally, customers avoid the costs related to acquiring products and services to integrate their SAP systems within the Windows environment, because that enterprise integration now comes built in.

REFERENCES

The following documents were used in preparing this white paper.

SAP R/3 Installation on Windows 2000: MS SQL Server
http://service.sap.com/InstGuides

Secure Network Communications, SNC User Guide version 1.2
http://service.sap.com/~form/sapnet?_FRAME=CONTAINER&_OBJECT=011000358700001270931999E

SAP R/3 System Information in Directory Services (Randolf Werner, Basis Development (MS Platforms), 11 June 2002)
http://service.sap.com/~form/sapnet?_FRAME=CONTAINER&_OBJECT=011000358700006159742000E

Pluggable Authentication Service (PAS) for External Authentication Mechanisms
http://service.sap.com/~form/sapnet?_SHORTKEY=01100035870000038605&

Single Sign-On in the mySAP.com Workplace
http://service.sap.com/~form/sapnet?_FRAME=CONTAINER&_OBJECT=011000358700005479221999E

Installing Enterprise Portal, Enterprise Portal 5.0 SP3
http://service.sap.com/~sapidb/011000358700002088922002E/EP50_SP3_ROAD.HTM#Installing1

R/3 Directory Connection, LDAP Manual Version 1.0
http://service.sap.com/~form/sapnet?_FRAME=CONTAINER&_OBJECT=011000358700000096622002E

SAP .NET Connector documentation
http://service.sap.com/connectors

Active Directory-enabled SAP using LDAP (Realtech)
http://www.realtech.de/germany/html/d_consulting/2_web_middleware/ADS/ADS_und_SAP.html

Directory Services with mySAP.com: Seamless Information Sharing Among Participating Applications

New Features in SAP Central User Management (Boris Koerble)

SAP Trust Center Services in Detail
https://websmp204.sap-ag.de/~sapidb/011000358700007992392000E/TCSINDETAIL.HTM

HR Data Retrieval in an LDAP-Enabled Directory Service (SAP Service Marketplace)
https://websmp201.sap-ag.de/~form/sapnet?_FRAME=CONTAINER&_OBJECT=011000358700001865612002E

The following references include more information about mySAP Enterprise Portal's use of Active Directory.

• For online help for the portal, including administration and installation documentation, see http://help.sap.com (Enterprise Portal).
• For installation and additional documentation on the portal (an SAP Service Marketplace user account is required for access), see http://service.sap.com/epinst
• For support articles and tips on using a directory with mySAP Enterprise Portal, see http://service.sap.com/notes. See also SAP Note 504551 (EP 5.0: SSL to LDAP directory servers and MS ADS support), SAP Note 448828 (EP 5.0: Central Note for EP-PIN-USM (User Management)), and SAP Note 518259 (EP 5.0: Using MS ADS as your Portal LDAP Directory).
• For the Active Directory home page, see http://www.microsoft.com/activedirectory
• For Active Directory support information, see http://support.microsoft.com
• For details on how to create organizational units in Active Directory, see the Step-by-Step Guide to Managing Active Directory: http://www.microsoft.com/windows2000/techinfo/planning/activedirectory/manadsteps.asp

Additional References

• For more information on using the LDIFDE tool to extend the AD schema, see http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wss/wss/sgw_install_ldifde.asp
• For more information on using the AD Schema snap-in, see http://www.microsoft.com/windows2000/en/advanced/help/default.asp?url=/WINDOWS2000/en/advanced/help/sag_ADschemaNotThere.htm
• For more information on Active Directory support tools, see http://www.microsoft.com/windows2000/en/server/help/default.asp?url=/WINDOWS2000/en/server/help/sag_ADcmdTools.htm
• For more information on Windows 2000 Server documentation, see http://www.microsoft.com/windows2000/en/server/help/default.asp
• For more information on SAP Central User Administration, see the documentation on SAP Service Marketplace under alias SystemsManagement > Directory Access Services.