Single Sign On for SAP: Changing the Active Directory UPN from SamAccountName@AD_Domain_FQDN to match a user's email address (FirstName.LastName@domain.com) is resulting in SSO login failures. (4256261)
Description
Single Sign On for SAP: Changing the Active Directory UPN from SamAccountName@AD_Domain_FQDN to match a user's email address (FirstName.LastName@domain.com) is resulting in SSO login failures.
Cause
Microsoft convention issue: the Windows KDC does not consistently issue tickets under the UPN form of the name.
Resolution
VAS and SAP SSO - What value do I use in the SNC name mapping?
When configuring SAP to use Kerberos SSO via the Quest SAP SSO DLL, the documentation states that the Active Directory UPN (User Principal Name) should be used as the "SNC name" when configuring the "SAP user" -> SNC user mapping.
This may not work for all implementations of Active Directory.
If the UPN and sAMAccountName differ it is possible that the KDC (Key Distribution Centre) will grant service tickets to clients in the following form:
sAMAccountName@<domainname>
It may ALSO provide a ticket for the UPN form, but this does not appear to be consistent.
Change the SAP configuration to use the sAMAccountName@<domainname> form.
The important factor to note is that the value entered into SAP matches the name presented in the service ticket. One can check this using the "kerbtray.exe" utility.
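The check described above, as an added example that is not part of the original article or of the Quest SSO product: it parses a ticket listing (the constructed sample below is modelled loosely on the "Client:" / "Server:" lines shown by Windows ticket-listing tools such as klist; kerbtray shows the same fields graphically), picks the client principal from the service ticket issued for the SAP service principal, and compares it with the SNC name configured in SAP. Both the sample listing and the "SAP/" service prefix are assumptions for illustration; substitute the real output and service name. The comparison is case-insensitive, matching Windows behaviour.

```python
"""
Verify that the SNC name configured in SAP matches the client principal the
KDC actually presents in the service ticket.

Added example, not Quest/One Identity code. Ticket listing and names below
are constructed for illustration.
"""
import re
from typing import Dict, List, Optional

# Constructed ticket listing, loosely modelled on klist output on Windows.
# The user's sAMAccountName is "jsmith"; their UPN was changed to
# john.smith@corp.example.com, but the KDC still issues the ticket as
# sAMAccountName@REALM.
CONSTRUCTED_TICKET_LISTING = """\
Cached Tickets: (2)

#0>     Client: jsmith @ CORP.EXAMPLE.COM
        Server: krbtgt/CORP.EXAMPLE.COM @ CORP.EXAMPLE.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96

#1>     Client: jsmith @ CORP.EXAMPLE.COM
        Server: SAP/sapdev.corp.example.com @ CORP.EXAMPLE.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
"""


def _parse_tickets(listing: str) -> List[Dict[str, str]]:
    """Split the listing into "#n>" blocks and pull client/server principals."""
    tickets = []
    for block in re.split(r"^#\d+>", listing, flags=re.MULTILINE)[1:]:
        client = re.search(r"Client:\s*(\S+)\s*@\s*(\S+)", block)
        server = re.search(r"Server:\s*(\S+)\s*@\s*(\S+)", block)
        if client and server:
            tickets.append({
                "client": f"{client.group(1)}@{client.group(2)}",
                "server": f"{server.group(1)}@{server.group(2)}",
            })
    return tickets


def client_principal_for_service(listing: str, service_prefix: str) -> Optional[str]:
    """Return the client principal from the ticket for the given service (e.g. "SAP/")."""
    for ticket in _parse_tickets(listing):
        if ticket["server"].lower().startswith(service_prefix.lower()):
            return ticket["client"]
    return None


def check_snc_mapping(configured_snc_name: str, listing: str,
                      service_prefix: str = "SAP/") -> Dict[str, object]:
    """Compare the SNC name entered in SAP with the name in the service ticket."""
    presented = client_principal_for_service(listing, service_prefix)
    if presented is None:
        return {"ok": False, "presented": None,
                "reason": f"no service ticket for {service_prefix}"}
    # Windows treats Kerberos names case-insensitively; do the same here.
    ok = configured_snc_name.lower() == presented.lower()
    reason = "match" if ok else "SNC name differs from ticket client principal"
    return {"ok": ok, "presented": presented, "reason": reason}


if __name__ == "__main__":
    # UPN-form mapping fails; sAMAccountName-form mapping succeeds.
    for candidate in ("john.smith@corp.example.com", "jsmith@corp.example.com"):
        result = check_snc_mapping(candidate, CONSTRUCTED_TICKET_LISTING)
        print(f"{candidate:32} -> {result['reason']} (ticket: {result['presented']})")
```

Run it against the real listing from the affected workstation: whatever appears after "Client:" on the SAP service ticket is the value to enter as the SNC name, regardless of what the UPN attribute says.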