Wednesday, March 12, 2008

Password Sync using the SAP ERP MA

Does the SAP ERP MA from Microsoft support password synchronization? My immediate answer is yes; however, there are a few things you need to consider. Most of all, the documentation is fairly cryptic on this point, and unless you are on a SAP project or have a development environment available, testing it yourself can be challenging.

According to the ERP MA README.htm, only "administrative password reset" operations are supported. Referencing the PCNS technical material, I found the following definition:

"An automated password synchronization solution in ILM allows users to change their passwords in all connected data sources that are configured for automated password synchronization. Typically, users can press CTRL+ALT+DEL on the keyboard to initiate a password change.

This is a password change operation, not a password set or reset operation. For a password change operation, a user must know the previous password when attempting to change passwords. For a password set or reset operation to occur, a user does not have to know the previous password to set or reset the password to a different value. The automated password synchronization solution is a password change operation because users know the previous password."

Well, this is a question that comes up a lot, and this post should give you an idea of how to sync passwords between SAP and AD. An article I'd like to credit is the thread between Markus and Peter on this topic, where Peter describes a method similar to what I've run into.

My experience was that initially it seemed like password synchronization would work out of the box; however, an issue I ran into was that whenever a system administrator assigns a new password to users, the new password is marked as "initial," and users have to change their initial passwords at first logon. Apparently, I thought you could simply turn this option off. According to the SAP Knowledge Warehouse, you have to modify the SAP User Management Engine (UME) properties using its Config Tool. (Your SAP admin should be familiar with this and can provide feedback.) The setting you modify is ume.logon.security_policy.password_change_required, set to False (so a password change is not required at first logon). In the end, the final solution was to create a new SAP BAPI, similar to what Peter did. (Thanks Franciso Corona for confirming!) From there, as long as the password policies don't conflict with each other, you should be good.

Other obstacles I've run into that have prevented me from syncing passwords are the policy limitations applied in SAP. Depending on the version, the following rules may apply:

  1. Passwords must be 3-8 characters long.
  2. Passwords cannot begin with 3 identical letters.
  3. Passwords cannot begin with a "?" or a "!" or a space.
  4. Passwords cannot be identical to previous passwords used.
  5. Passwords cannot be "SAP" or "Pass".
  6. Passwords cannot begin with the first letters of your name.
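Because SAP rejects a synced password that breaks any of these rules, a pre-check on the ILM side lets you log and report the conflict (for example, an AD password longer than 8 characters failing rule 1) instead of discovering it as a failed export. The following validator is an added example, not code from ILM, the ERP MA or SAP; it assumes the comparisons are case-insensitive, that rule 6 means the first three letters of the user's first or last name, and that rule 5 forbids those exact words as the whole password.

```python
# Pre-check a candidate password against the SAP password rules listed above.
# Added example (not ILM/SAP code); the case-insensitive matching, the
# NAME_PREFIX_LEN of 3 and the whole-word reading of rule 5 are assumptions.
FORBIDDEN_WORDS = ("sap", "pass")      # rule 5
FORBIDDEN_LEADING = ("?", "!", " ")    # rule 3
NAME_PREFIX_LEN = 3                    # rule 6: assumed number of leading letters


def check_sap_password(password, previous_passwords=(), user_names=()):
    """Return the list of violated rules; an empty list means the password passes.

    previous_passwords: the user's earlier passwords, for rule 4.
    user_names: the user's first/last names, for rule 6.
    """
    violations = []
    lower = password.lower()
    if not 3 <= len(password) <= 8:
        violations.append("rule 1: length must be 3-8 characters")
    # rule 2: three identical leading characters (letters, per the rule text)
    if len(password) >= 3 and password[0] == password[1] == password[2]:
        violations.append("rule 2: cannot begin with 3 identical characters")
    if password[:1] in FORBIDDEN_LEADING:
        violations.append("rule 3: cannot begin with '?', '!' or a space")
    if password in previous_passwords:
        violations.append("rule 4: identical to a previously used password")
    if lower in FORBIDDEN_WORDS:
        violations.append("rule 5: 'SAP' and 'Pass' are not allowed")
    for name in user_names:
        prefix = name[:NAME_PREFIX_LEN].lower()
        if prefix and lower.startswith(prefix):
            violations.append(f"rule 6: begins with the first letters of '{name}'")
            break
    return violations


if __name__ == "__main__":
    # Constructed sample: a typical AD password that passes AD complexity but
    # is too long for SAP, checked for a made-up user named Peter Example.
    candidate = "Correct-Horse-9"
    for problem in check_sap_password(candidate, user_names=["Peter", "Example"]):
        print(f"{candidate!r} rejected: {problem}")
```

Run this check in the password-change path before the value is handed to the MA, and surface the rule that failed in your sync log so the help desk can explain the rejection to the user.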

Most typically, leveraging AD as the authentication provider gets you closest to achieving true single sign-on; however, we understand that isn't the case in many scenarios.

If you are running SAP on Windows, SAP GUI can be configured to authenticate against AD (including Kerberos SSO without any third-party vendors). This does not apply to UNIX; there you would need something like Centrify.

If you are just using SAP Enterprise Portal and iViews, the SAP Portal can be configured to authenticate against AD or ADAM.