Use the following procedure to map a SAP account to an Active Directory account.
Creating and using a service account for the SAP service
Enabling SNC on the SAP server
Configuring a SAP user to enable SNC authentication
Installing Safeguard Authentication Services Single Sign-on for SAP
Deploying Single Sign-on for SAP through Group Policy
Configuring the SAP GUI client on Windows XP
Configuring the SAP GUI client on Windows Vista and above
Prompting for user name and password
Enabling authentication prompts
Configuring SAPlpd on the front-end system
Before you can configure your SAP Server, you must have Safeguard Authentication Services installed on your Unix server and joined to the Active Directory domain. Refer to the Safeguard Authentication Services product documentation for instructions on how to install and join the domain.
Single Sign-on for SAP supports the SAP GUI on Windows XP, 2003, Vista, 2008, 7, and 2008 R2.
For a complete list of supported Unix and Linux platforms, see the Safeguard Authentication Services Installation Guide or Release Notes.
One Identity recommends the steps described in this section as a best practice for defining a distinct service account for SAP authentication.
Active Directory service accounts provide a means for authenticating and managing services and rights to access host resources. When you create a service account, it generates a random password for the account and a Kerberos keytab for the service. The previous section described a configuration where SAP uses the host keytab, while this section describes the recommended configuration where SAP uses a service account.
Each service account has a KRB5 Principal Name (KPN) and an optional set of Service Principal Names (SPN’s). The KPN is the sAMAccountName of the service account (case sensitive) including the domain in the form "sAMAccountName@realm". The keytab file is created in the Safeguard Authentication Services configuration directory at /etc/opt/quest/vas. The default permissions on the keytab file are 0600 and the file is owned by root. You must update the ownership of the file so that the service has rights to read from the keytab file.
To create and use a Service Account for the SAP Service
vastool –u Administrator service create SAP/
This command creates the /etc/opt/quest/qas/SAP.keytab file. Administrator, is the name of the Active Directory user with administrative privileges to create a new service account. The user is prompted for their Active Directory password.
vastool -u administrator setattrs SAP/ userAccountControl 66048
chmod 640 /etc/opt/quest/vas/SAP.keytab
Change the group ownership of the keytab to the sapsys group, by entering:
chgrp sapsys /etc/opt/quest/vas/SAP.keytab
where example.com is the name of the domain to which the R3 server is joined.
You can obtain the sAMAccountName of the service account by running the following command:
vastool -u host/ attrs -q SAP/ sAMAccountName
For example, in ~<instance>adm/.cshrc add the following:
setenv KRB5_KTNAME /etc/opt/quest/vas/SAP.keytab
© ALL RIGHTS RESERVED. 使用条款 隐私 Cookie Preference Center