SAP Integration With Windows Server 2000 Active Directory

SAP and Active Directory

Identity Management
Abstract
Every company is looking for ways to lower administration costs and strengthen security. The
challenges of single sign-on, data integrity, data accuracy, and data consistency across systems
continue to be problematic for virtually every company. Implementing an identity management strategy
to manage identities and identity data can enable a company to achieve these goals. This document
discusses how a company can integrate its SAP or mySAP Portal Enterprise Resource Planning
(ERP) applications with Active Directory to help accomplish these goals across these two important
systems.

The information contained in this document represents the current view of Microsoft
Corporation on the issues discussed as of the date of publication. Because Microsoft
must respond to changing market conditions, it should not be interpreted to be a
commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of
any information presented after the date of publication.
This White Paper is for informational purposes only. MICROSOFT MAKES NO
WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS
DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Without
limiting the rights under copyright, no part of this document may be reproduced, stored
in or introduced into a retrieval system, or transmitted in any form or by any means
(electronic, mechanical, photocopying, recording, or otherwise), or for any purpose,
without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other
intellectual property rights covering subject matter in this document. Except as
expressly provided in any written license agreement from Microsoft, the furnishing of
this document does not give you any license to these patents, trademarks, copyrights,
or other intellectual property.
2002 Microsoft Corporation. All rights reserved.
Microsoft, Win32, Active Directory, Windows and Windows NT are either registered
trademarks or trademarks of Microsoft Corporation in the United States and/or other
countries.
The names of actual companies and products mentioned herein may be the trademarks
of their respective owners.


CONTENTS

INTRODUCTION 1
  The Need for Identity Management 1
  Identity Management Challenges 2
INTEGRATION BETWEEN ACTIVE DIRECTORY AND SAP 5
  Simplified Management 6
  Strengthened Network Security 6
  Makes Use of Existing Systems through Interoperability 7
  Using Active Directory for SAP R/3 Systems Management 9
  Active Directory and the SAPGUI 11
  Using Active Directory with Central User Administration 12
ACTIVE DIRECTORY and mySAP ENTERPRISE PORTAL 13
SINGLE SIGN-ON WITH THE WINDOWS PLATFORM 14
  SAPGUI for Windows 14
  SAP .NET Connector (Windows Clients and Web Scenarios) 15
CONCLUSION 16
REFERENCES 17



Windows 2000 Server White Paper 1

INTRODUCTION

Today's companies are competing globally to provide access to information, to
enhance productivity, and to deliver services quickly, all at the lowest possible
cost. The ability to communicate and collaborate with partners, suppliers,
customers, and employees anytime and anywhere is now a requirement. Gone are
the days when only a selected group of people had network access to business
applications and data.

The advent and acceptance of new computing technologies and the Internet have
changed the way information is stored, accessed, and shared. Companies have
implemented a more open and distributed information model, resulting in benefits
that include:
- Increased Employee Productivity: Enables employees to be flexible, make
  better decisions, and respond quickly to the changing demands of the
  marketplace by providing secure access to the information they need
  anywhere at anytime.
- Lower Cost: Decreases costs and increases efficiency by safely
  leveraging the power of collaboration and network connectivity.
- Integrated Business Processes: Increase sales by enabling closer
  relations with customers and partners through secure communications and
  collaboration.

The Need for Identity Management
Electronically accessible versions of nearly all key company data are kept within the
corporate network. As a result, it is increasingly important for companies to make
certain that only authorized users have access to this confidential information. At
the same time, companies must ensure that authorized users can obtain the
information they need with limited loss of productivity. Balancing these two key
objectives is the challenge of identity management. When addressing identity
management, administrators need to consider the following:
- Security: Employees, contractors, and business partners have varied
  needs for access to data and applications. It is crucial for corporations to
  ensure that only specifically authorized users have access to sensitive
  company information.
- Management complexity: Modern enterprises have many specialized
  systems on a variety of platforms. Developing consistent user access
  policies becomes increasingly complex as the number of users and
  systems multiplies.
- Lowering cost: Even maintaining simple access policies can be expensive
  if there are multiple applications, systems, and platforms that have their
  own separate user access lists. For example, changing access rights for
  10,000 users on 20 systems requires updating at least 200,000 fields.
By addressing these key secure connectivity challenges, organizations can achieve
greater employee productivity, decrease costs, and improve business integration.

Identity Management Challenges
Security
Providing secure information access to authorized users has become increasingly
complex due to the distributed nature of corporate networks. In most enterprises,
individual applications and systems have their own user database or directory to
track who is permitted to use that application and system. As responsibility for
granting access control becomes more and more decentralized, the likelihood of
security breaches increases dramatically. For example:
- Departing employees, contractors, customers, and business partners often
  retain access to systems for long periods until all systems are updated, and
  invalid user accounts proliferate.
- Inconsistent policies result in inadvertently granting users access to
  sensitive information (for example, human resources databases).
- Systems are more vulnerable due to weak credentials, poor or no
  password policies, and the large number of userids and passwords that
  must be remembered by users.

Management Complexity
As modern corporations use more specialized systems, such as network resource
directories, mail servers, human resources databases, voice mail servers, and
payroll applications, it has become increasingly complicated to manage user
access rights. Individual divisions within an enterprise may have different processes
for requesting and provisioning resources. Furthermore, in most companies, each
system has its own tools for managing user accounts. Many require separate
passwords and processes for authenticating users. All these issues contribute to
increased IT management complexity. For example:
- Disparate and diverse authentication and authorization systems must each
  be managed, administered, and audited in different ways.
- The proliferation of directories and other repositories of identity information
  results in changes having to be made in multiple stores in multiple different
  ways.
- Users are frustrated because they must keep track of multiple IDs and
  passwords for different applications and systems.
- As companies scale their systems to service not only their employees but
  also their customers and business partners via the Internet, these
  challenges are further magnified.

Lowering Cost
In many organizations, each system acts as an island of special records and
database entries that must be managed individually. These systems typically have
their own definition of the user's identity (name, title, ID numbers, roles, or
membership in groups). The larger the organization, the greater the variety of these
repositories and the higher the cost and effort required to keep them updated.

- Line managers, IT professionals, and human resources staff devote
  significant time and energy to complete forms, enter and update user data,
  set up accounts, and reset forgotten passwords.
- New employees and contractors often wait days to receive access to
  critical applications and information while each administrator creates and
  manages user credentials.

In order to overcome these challenges, many customers are faced with building or
buying additional components. The ideal customer solution is one where
applications that are part of the overall corporate identity management process are
integrated with each other. This type of integration not only allows a customer to
benefit from improved security and simplified management but it further lowers cost
as no additional software or services must be purchased to help achieve these
goals.

INTEGRATION BETWEEN ACTIVE DIRECTORY AND SAP

Active Directory (AD) allows organizations to centrally manage and share
information about network resources and users. Active Directory also acts as the
integration point for bringing systems and applications, like SAP and AD, together.
SAP's integration with Active Directory allows customers to take advantage of the
key identity management benefits discussed in the previous section:
- Simplified management tasks
- Strengthened network security
- Reduced administration costs

As part of Microsoft's overall identity management strategy, Active Directory has
undergone SAP's SAP BC-LDAP-USR certification process. This SAP certification
indicates that Active Directory has been thoroughly tested and approved at SAP's
Integration and Certification Center (ICC) for use with the SAP and mySAP
Enterprise Portal products. Through this testing and certification, Microsoft and SAP
customers are assured to obtain:
- A product technically verified to work with SAP
- An interface that is ready to use and tested with a variety of product releases
- Proof of verification with full documentation and a corresponding certification
  test procedure

Figure 1 SAP's Interfaces to Windows and Active Directory (diagram: Active
Directory on Windows 2000 Server connected to SAP Systems Management, mySAP
Enterprise Portal roles and content, SAP Central User Administration, SAP GUI for
Windows, the SAP .NET Connector, and other SAP applications using LDAP, with
single sign-on)

Information regarding Active Directory's certification may be found at:
http://www.sap.com/partner/software/directory/
Customers who integrate SAP with Active Directory as part of their overall identity
management strategy achieve a number of specific benefits.
Simplified Management
The SAP system can use Active Directory's service publication capability to detect
SAP R/3 systems and their services, such as the application servers, message
servers, database, gateway service, and SAP Internet Transaction Server (ITS)
instances. This enables enterprise-wide information about installed systems to be
viewed and accessed from a central location without having to manually configure
files on each server or individual workstations.
The SAP R/3 version 46C Microsoft Management Console (MMC) snap-in is the
first component to use information provided by Active Directory. In addition to
providing a central view of all SAP systems in your landscape, the MMC snap-in
provides interfaces to monitor, stop, and start the SAP systems.
SAPGUI for Windows also uses Active Directory to obtain a list of SAP systems.
This eliminates the need for administrators and end-users to manually manage
SAP-specific files like SAPLogon.ini on each individual workstation.
By using the Active Directory Group Policy feature, administrators can update and
deploy the SAPGUI and other SAP applications to user desktops automatically. For
organizations that want to use single sign-on with SAPGUI, SAP provides a special
MSI package. This package can be automatically deployed to all relevant users
through the use of Group Policy.
SAP Central User Administration (Web Application Server version 6.10) supports
synchronization with Active Directory allowing the easy management of the
identities in your organization.
The end result is lower management and administrative costs.
Strengthened Network Security
One of the most important architectural advantages of Windows 2000 is the
integration of Active Directory and its advanced security features that enable a new
level of data protection.
SAP supports various single sign-on options for the Microsoft platform including
Kerberos, NTLM, and X.509 certificates. SAPGUI for Windows, mySAP Enterprise
Portal, SAP Internet Transaction Server, and the new SAP .NET connector support
all of these options.
Active Directory strengthens security in the SAP environment by:
- Improving security and data protection: SAP systems can take
  advantage of the built-in Kerberos integration in Active Directory and
  Windows 2000 for single sign-on. Not only is the need for a separate
  SAP password eliminated, the data channel between the SAP client
  and application server is automatically encrypted. Both SAP and
  Microsoft provide built-in support for secure Internet-standard protocols
  and authentication mechanisms such as Kerberos, public key
  infrastructure (PKI), and lightweight directory access protocol (LDAP)
  over secure sockets layer (SSL). This enables customers to choose the
  individual level of security they require for their environment.
- Reducing security risks: By integrating SAP with Active Directory, a
  company limits the number of repositories where trusted identities need
  to be managed. As a result, IT administrators have a single procedure
  for adding, removing, and managing trusted identities, which reduces
  the risk of unauthorized access to secure applications and data.
The end result is increased security and reduced security risks.
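The "departing employees retain access until all systems are updated" challenge above and the "single procedure for adding, removing, and managing trusted identities" benefit both come down to one check: every SAP account that is still usable must map to an enabled Active Directory account. The following is an added example (not code from the white paper, SAP or Microsoft) that runs that check over a constructed LDIF export and a constructed SAP user table; it assumes SAP users are mapped to AD by a Kerberos SNC name of the form p:<userPrincipalName>, and all names and values in it are made up.

```python
"""Reconcile SAP user accounts against an Active Directory export (added example)."""
from dataclasses import dataclass
from datetime import date

ACCOUNTDISABLE = 0x0002  # userAccountControl bit that is set on disabled AD accounts

# Constructed AD export in LDIF form (the shape an ldifde export has); not real data.
AD_LDIF = """\
dn: CN=Alice Example,OU=Users,DC=corp,DC=example
userPrincipalName: alice@CORP.EXAMPLE
userAccountControl: 512

dn: CN=Bob Example,OU=Users,DC=corp,DC=example
userPrincipalName: bob@CORP.EXAMPLE
userAccountControl: 514

dn: CN=Carol Example,OU=Users,DC=corp,DC=example
userPrincipalName: carol@CORP.EXAMPLE
userAccountControl: 66048
"""


@dataclass(frozen=True)
class SapUser:
    user_id: str
    snc_name: str   # assumed mapping: Kerberos SNC name "p:<AD userPrincipalName>"
    locked: bool    # SAP-side lock flag
    valid_to: date  # SAP-side end of validity


# Constructed SAP user table; the SNC-name mapping is an assumption of this example.
SAP_USERS = [
    SapUser("ALICE", "p:alice@CORP.EXAMPLE", False, date(2099, 12, 31)),
    SapUser("BOB", "p:bob@CORP.EXAMPLE", False, date(2099, 12, 31)),    # disabled in AD
    SapUser("CAROL", "p:carol@CORP.EXAMPLE", True, date(2099, 12, 31)),  # already locked in SAP
    SapUser("DAVE", "p:dave@CORP.EXAMPLE", False, date(2099, 12, 31)),   # no AD account at all
    SapUser("ERIN", "p:erin@CORP.EXAMPLE", False, date(2001, 1, 1)),     # already expired in SAP
]


def parse_ldif(text):
    """Return {userPrincipalName (lower-cased): enabled?} for each entry in the LDIF."""
    accounts = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            attrs[key] = value
        upn = attrs.get("userPrincipalName")
        if upn:
            uac = int(attrs.get("userAccountControl", "0"))
            accounts[upn.lower()] = not (uac & ACCOUNTDISABLE)
    return accounts


def upn_from_snc(snc_name):
    """Strip the 'p:' prefix of a Kerberos SNC name to get the AD UPN (assumed mapping)."""
    if not snc_name.startswith("p:"):
        raise ValueError(f"unexpected SNC name format: {snc_name!r}")
    return snc_name[2:].lower()


def find_stale_sap_access(sap_users, ad_accounts, today=None):
    """List (user_id, reason) for usable SAP accounts that lack an enabled AD identity.

    Accounts SAP already locks or has expired are skipped: the point of the check
    is to find SAP accounts that outlive (or never had) their directory account.
    """
    today = today or date.today()
    findings = []
    for u in sap_users:
        if u.locked or u.valid_to < today:
            continue
        enabled = ad_accounts.get(upn_from_snc(u.snc_name))
        if enabled is None:
            findings.append((u.user_id, "no matching AD account"))
        elif not enabled:
            findings.append((u.user_id, "AD account disabled"))
    return findings


if __name__ == "__main__":
    for user_id, reason in find_stale_sap_access(SAP_USERS, parse_ldif(AD_LDIF)):
        print(f"{user_id}: {reason}")
```

With the constructed data the check reports BOB (disabled in AD but still open in SAP) and DAVE (no AD account), which is exactly the residue the paper's central-directory approach is meant to prevent.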
Makes Use of Existing Systems through Interoperability
SAP ABAP/4 programs can easily read and write information to Active Directory
using LDAP, for example to retrieve address, user, or system data such as e-mail
addresses, fax numbers, addresses, or printers. Many SAP applications ship with
built-in Active Directory integration, including Central User Administration version
6.10 and mySAP Enterprise Portal version 5.0. mySAP Enterprise Portal version
5.0 also uses Active Directory to store user mapping information, role-to-user
assignments, and other customization attributes. These features enable customers
to immediately and easily take advantage of Active Directory as their single,
multi-purpose directory for both SAP-related and NOS information.
With mySAP.com, applications that support LDAP can access Active Directory and
use it for their storage needs. For example, various systems on different platforms
can access information using Active Directory. Likely candidates include the
following:
- Personnel information (name, department, organization)
- User and security information (user account, authorizations, public-key
  certificates)
- System resource and service information (system identifier, application
  configuration, printer configuration)

The SAP HR system can use Active Directory to make personnel data in the
mySAP.com components available to other applications. Employee information that
may be of interest can be stored in Active Directory and retrieved by other
applications as necessary. For example, the HR application stores employee data
(name and position) in Active Directory. A different application, such as project
management, can access this information for its own purposes.
Each SAP system is an Active Directory-enabled client and can take advantage of
Active Directory. Information that is shared between mySAP.com and other
components can be stored in Active Directory and accessed by the various
applications. As an Active Directory-enabled client, the SAP applications have both
read and write access to the Active Directory. Therefore, information from other
systems is available to the SAP system, and SAP system data is available to other
systems.
Microsoft customers benefit from this by being able to place all information
regarding their employees, partners, and customers in a single directory repository.

Using Active Directory for SAP R/3 Systems Management
SAP systems that are registered in Active Directory can be centrally managed using
the SAP MMC snap-in.
In addition to providing system information to Active Directory, which can be used
by SAP clients such as the SAPGUI for Windows, the MMC snap-in provides
DCOM interfaces that allow system administrators to monitor and control SAP
instances centrally.
Figure 2 SAP MMC Snap-In

Some of the functions provided by the MMC snap-in include:
- Start and stop the SAP service
- Log on to SAP systems directly from the MMC snap-in
- View profiles and traces
- Read the system log
- Receive alerts
- Integrate directly with SAP CCMS
- Start and stop SQL Server
- Back up and restore SQL Server

During R/3 setup, the setup tool offers automatic schema installation for Active
Directory and enables automatic registration during installation.


Figure 3 SAP R/3 Setup Screen

Active Directory and the SAPGUI
Starting with SAP R/3 version 46D, the SAPGUI can be configured to find R/3
systems and their message servers from Active Directory instead of using a fixed list
of systems and message servers stored and maintained in SAP configuration files.
If the SAPGUI is configured to use Active Directory, it queries Active Directory
each time server or group selection is used, so it always obtains up-to-date
information about R/3 systems.
SAPGUI components, such as single sign-on, can be deployed via the Group Policy
feature of Active Directory. SAP provides an MSI installer package for deployment
of the SAPGUI with single sign-on (SAPSSO.MSI). By using this MSI file an Active
Directory administrator can enable automated deployment of the SAPGUI software
to Windows-based users that require it.

Using Active Directory with Central User Administration
SAP Central User Administration (CUA) 6.10 allows the administration of the whole
system landscape from a central point. All identity data can be maintained centrally,
while local maintenance is still allowed.

Figure 4 Configuring Active Directory Synchronization in SAP

ACTIVE DIRECTORY and mySAP ENTERPRISE PORTAL

mySAP Enterprise Portal unifies the applications, information, and services in an
enterprise into one system. It is a personalized, interactive gateway providing
employees, partners, suppliers, and customers with a single point of access.
mySAP Enterprise Portal can be accessed through multiple devices from anywhere
and at anytime. It delivers relevance to the user, eliminates traditional barriers to
productivity, and dramatically accelerates business throughput.
SAP also offers portal content specifically targeted to the user's function within an
organization. SAP Business Packages streamline access to the business processes
that users inside and outside of the enterprise need most, since they are tailored to
the user's specific roles and responsibilities. The Business Packages have been
designed based on considerable SAP experience and provide increased efficiency,
timely decisions, and improved customer service.
mySAP Enterprise Portal uses Active Directory in two ways: as the Corporate
Directory or as the Portal Directory. Active Directory is approved and supported by
SAP for use in either of these roles.
mySAP Enterprise Portal makes use of users and groups stored in Active Directory.
No changes are required to Active Directory since the configuration and mapping
are done within mySAP Enterprise Portal User Management Configuration.
When using Active Directory as the Portal LDAP directory, the Active Directory
schema must be extended by adding several new object classes. In addition,
three new organizational units need to be created in Active Directory.


SINGLE SIGN-ON WITH THE WINDOWS PLATFORM

SAPGUI for Windows
SAPGUI for Windows can use Kerberos authentication via the SAP GSS library
(gsskrb5.dll) in addition to NTLM authentication. When the gsskrb5.dll is installed
with the SAPGUI along with the SNC_LIB environment variable, the SAPGUI will
enable single sign-on with Windows such that an end-user's Windows credentials
are used to access SAP without the requirement for an additional userid and
password that is specific to SAP. The GSS library also provides for data encryption
between the SAPGUI and the SAP Application Server. To assist in rolling out single
sign-on, SAP provides an MSI package called SAPSSO.MSI.
The Kerberos SNC name in SAPGUI is the SNC name of the SAP application
server service user. The SAP service will use PKI technologies to validate the
identity of the client so no password is required.

Figure 5 SAP Single sign-on Support

mySAP Enterprise Portal also supports various single sign-on options including
Kerberos, NTLM and X.509 certificates.


SAP .NET Connector (Windows Clients and Web Scenarios)
The .NET connector makes it easy to extend the functionality of your SAP system
with .NET functionality. The SAP .NET connector has built-in support for single
sign-on scenarios, including authentication by X.509 certificates, Kerberos, and
external authenticators like Microsoft Passport.

Figure 6 Microsoft Visual C# Project, showing support for various single sign-on
options in the SAPLogonDestination object, a part of the SAP .NET connector

The .NET connector supports all of the SAP single sign-on mechanisms including
Passport, ASP.net login forms, etc. Developers can easily add support for Active
Directory and single sign-on within SAP application programs.

CONCLUSION

Today, every company is concerned about reducing costs. Deploying ERP,
portal and other related systems is a step that many companies take towards
that goal. However, in many cases, there is an additional burden in product and
services costs related to integrating these systems with other identity-centric
systems within the organization. This is the identity management challenge.
The integration of SAP products with Active Directory enables a customer to
solve these identity management challenges so they can achieve even further
cost reductions through strengthened security, increased manageability and
lowered administration costs. Additionally, customers avoid the costs related to
acquiring products and services to integrate their SAP systems within the
Windows environment, because enterprise integration now comes built in.

