factsheet_Active 21.08.

2002 11:31 Uhr Seite 1

TECHNICAL FACT SHEET

Active Directory Integration and

mySAP.com™
The Active Directory™ Service is a central component of the Windows® 2000
operating system platform. Today, networked computing is more important
than ever for businesses to remain competitive. As a result, modern operating
systems require mechanisms for managing the identities and relationships of
the distributed resources that make up network environments. A directory
service provides a place to store information about network-based entities,
such as applications, files, printers, and people. It provides a consistent way
to name, describe, locate, access, manage, and secure information about
these individual resources.

Further, a directory service acts as the
main switchboard of the network operating
system. It is the central authority that
manages the identities and brokers the
relationships between these distributed
resources, enabling them to work together.
Because a directory service supplies these
fundamental network operating system
functions, it must be tightly coupled with
the management and security mechanisms
of the operating system to ensure the
integrity and privacy of the network. It also
plays a critical role in an organization's
ability to define and maintain the network
infrastructure, perform system administra-
tion, and control the overall user experience
of a company's information systems.
Active Directory integration with
mySAP.com offers customers many advan-
tages.
■ Simplifies management tasks
■ Strengthens network security
■ Makes use of existing systems through
interoperability
Single Sign on SAP System
Management
SAP Central user
Administration
1. Simplifies management tasks: Integration Highlights
The mySAP.com system can use directory ■ Using SAP Central User Account
services to detect SAP R/3 systems and Management in conjunction with
their services such as the application Active Directory enhances security
servers, message servers, database, concepts
gateway service, and ITS instances. This
enables enterprise-wide information about ■ Active Directory for both the
installed systems to be viewed and "Corporate" and the "Portal"
accessed at a single central location. directory server saves management
The SAP R/3 Version 4.6 C MMC snap-in and implementation costs
is the first component to use information
provided by directory services. In addition ■ SAP systems can share information
to providing a central view of all SAP with other systems by using the SAP
systems in your landscape, the MMC LDAP connector
snap-in provides interfaces to stop/start
and monitor the systems. SAPGUI for ■ SAP LDAP connector enabled SAP
Windows can use the Active Directory programs can read information from
server to obtain a list of SAP systems. This and write information to Active
saves the trouble of having to manually Directory
maintain SAP destinations and files like
SAPLogon.ini.
Using the Active Directory group policy
feature, administrators can update and
deploy the SAPGUI and other SAP appli-
cations to user desktops. For organizations
wishing to use Single sign on with SAP
GUI, a special MSI package is delivered
by SAP. This package can be automatically
deployed to all relevant users automatically.
SAP Portal roles
and context

Microsoft Active Directory

SAPGUI for LDAP connector

Windows
SAP.NET
connector
factsheet_Active 21.08.2002 11:31 Uhr
TECHNICAL FACT SHEET
Active Directory Manageability
■ Active Directory centrally manages
Windows users, clients and servers
through a single consistent
management interface, reducing
redundancy and maintenance
costs
■ Group Policy allows administrators
to define and control the policies
governing groups of computers
and users within their organization
■ Active Directory lets administrators
automatically distribute applications
to users based on their role in the
company
■ Active Directory Service Interfaces
greatly simplifies the development
of directory-enabled applications,
as well as the administration of
distributed systems
Active Directory Security
■ Supports logon via smart cards for
strong authentication to sensitive
resources
■ Full support for Kerberos 5 protocol
provides fast, single sign-on to
Windows 2000-based resources,
as well as to other environments
that support this protocol
■ Support for x.509 certificates and
public key infrastructure (PKI)
ensures interoperability with and
deployment of extranet and
e-commerce applications.
Seite 2
Using Active Directory with Central
User Administration 6.10
SAP Central User Administration (with
Web Application Server 6.10) allows the
administration of the whole system land-
scape from one single central system. All
user data is maintained centrally although
local maintenance is still possible.
Central User Microsoft Active
Administration Directory Services
LDAP
synchronization
mySAP.com Applications:
R/3, CRM, BW
In Central user administration, the SAP
HR system can use directory services to
make personnel data in the mySAP.com
components available to other appli-
cations. Employee information that may
be of interest can be stored on the
directory server and retrieved by other
applications as necessary. For example,
the HR application stores employee data
(name and position) on the directory
server. A different application such as
project management can access this
information for its own purposes.
Microsoft Active Directory is SAP
BC-LDAP-USR certified
SAP certification indicates that the third-
party interface has been tested for
quality and approved at one of SAP’s
Integration and Certification Centers (ICC).
Customers are assured to get:
■ A product technically verified to work
with SAP Business integrations,
■ An interface that is ready to use and
release-stable,
■ Proof of verification with full documen-
tation and a corresponding certifica-
tion test procedure.
Using the Active Directory with
SAPGUI
SAPGUI (version 4.6D and above) can be
configured to find SAP R/3 systems and
its message servers from the directory
instead of using a fixed list of systems
and message servers in the sapmsg.ini
configuration file. If SAPGUI is configured
to use the LDAP directory, it will query
the directory each time Server or Group
selection is used to get up to date infor-
mation about SAP R/3 systems.
2. Strengthens Network security:
One of the most important architectural
advantages of Windows 2000 Server is
the integration of Active Directory and its
advanced security features that enable a
new level of data protection.
Single Sign-On for seamless and secure
network authentication
SAP supports various single sign-on
options for the Microsoft platform includ-
ing Kerberos, NTLM and X.509 certificates.
These single sign on options are
supported by the SAPGUI for Windows,
the mySAP™ Enterprise Portal, SAP
Internet Transaction Server and the new
SAP.NET Connector.
The following are some of the ways in
which Active Directory strengthens security
in an SAP environment:
■ It improves password security and
management – SAP systems can take
advantage of the built-in Kerberos
integration in Active Directory. Not only
is the need for a separate SAP pass-
word eliminated but the data channel
between the SAP client and application
server is encrypted.
■ It speeds e-business deployment –
Both SAP and Microsoft are committed
to providing built-in support for secure
Internet-standard protocols and
authentication mechanism such as
Kerberos, public key infrastructure
(PKI) and lightweight directory access
protocol (LDAP) over secure sockets
layer (SSL).
factsheet_Active 21.08.2002 11:31 Uhr
3. Makes use of existing systems
through interoperability:
Using the SAP LDAP connector, SAP
ABAP/4 programs can read and write
information in Microsoft Active Directory
for example to retrieve address, user or
system data such as email addresses,
fax numbers, addresses or printers. Many
SAP applications now ship with built in
directory integration including Central
User Administration version 6.10 and the
mySAP Enterprise Portal version 5.0.
Using Active Directory with mySAP
Enterprise Portal
mySAP Enterprise portal version 5.0
uses Active Directory to store user
mapping information, role-to-user assign-
ments and other customization attributes.
Microsoft encourages SAP customers to
use Active Directory for all of their mySAP
Enterprise Portal directory requirements.
mySAP Enterprise Portal uses a directory
in two capacities. These are referred to
as the Corporate Directory Server and
the Dedicated (or Portal) Directory Server.
These directories are independent. Using
Microsoft Active Directory for both the
"Corporate” and the "Portal” directory
server will save management and
implementation costs.
Active Directory as the Corporate LDAP
mySAP Enterprise Portal makes use of
users and groups stored in the corporate
LDAP directory. No changes are required
to Active directory as the configuration
and mapping is done within the mySAP
Enterprise Portal User administration tool.
Portal
Directory
Single
Authentication Sign on
Windows 2000
Domain
Datacenter
Corporate
Directory
Seite 3
TECHNICAL FACT SHEET
Active Directory as the Portal LDAP
The Portal LDAP will extend the schema
of Active directory by adding several new
object classes. Before you can begin you
must configure Active Directory to allow
schema modifications. This is done within
the Active Directory Schema MMC snap- Active Directory Interoperability
in.
Using Active Directory with LDAP ■ Active Directory is implemented as
Connector a native LDAP server that doesn't
require request translation to
With mySAP.com, applications that support ensure interoperability in extranet
the standard Internet protocol LDAP can environments and e-commerce
access directory services and use them applications
for their storage needs. For example,
various systems on different platforms ■ Active Directory lets developers
can access information using a common and administrators extend the
directory service. Likely candidates for directory schema and create new
application scenarios include: properties and objects. Using the
directory as a data store, devel-
■ Personnel information opers can use this feature to
(name, department, organization) create their own data structures
■ User and security information (user for applications
account, authorizations, public-key
certificates)
■ System resource and service informa-
tion (system identifier, application
configuration, printer configuration).
Each SAP system is an LDAP client and
can take advantage of the LDAP directory
server concept. Information that is shared
between mySAP.com and other
components can be stored on an LDAP
directory server and accessed by the
various applications. As an LDAP client,
the SAP applications have both read and
write access to the LDAP directory server.
Therefore, information from other
systems is available to the SAP system,
and SAP system data is available to other
systems.
R/3
System 1
R/3
System 2
others
factsheet_Active 21.08.2002 11:31 Uhr Seite 4

Microsoft SAP Competence Center

in Walldorf, Germany:
Email: mssapcc@microsoft.com
Phone: +49 (0) 6227 73 17 10
http://www.microsoft-sap.com