In my recent SDN blog

I provided an overview about the options to achieve single sign-on for SAP NetWeaver Application Server based systems that reside in Microsoft environments

One option mentioned there was the usage of X.509 certificates that can automatically be issued to end users and distributed to their computers with the help of Microsoft Active Directory.

Another reason why I am writing this blog is that in the meantime SAP IT has successfully implemented the X.509 certificate autoenrollment capabilities of Microsoft Active Directory.

We are thus using this technology at SAP internally.

If we look at the three options to achieve Single-Sign On in Microsoft environments the first option of using SAP Logon Tickets has the advantage that SAP Logon Tickets are supported for all scenarios. You need however a ticket issuing instance which is especially a problem for .NET based Web Service Clients because in contrast to the usage of SAML scenarios the developer has to take care him- or herself how to get the SAP Logon Ticket into the request.

While SAML is the recommended way for the current and upcoming releases it cannot be used for older releases.

In contrast to this X.509 Certificates can be used to achieve Single Sign-On for Browser and web service based access to SAP Systems that are either based on ABAP and Java for current releases as well as for older releases.

The setup of a PKI infrastructure is usually seen as very cumbersome and expensive task. Automatic enrollment of user certificates using Microsoft Active Directory however provides a quick and simple way to issue X.509 certificates to users and to enable single sign-on using a public key infrastructure (PKI). It minimizes the high cost of normal PKI deployments and reduces the total cost of ownership (TCO) by providing Single Sign-On for an SAP NetWeaver system landscape leveraging the resources of an existing Microsoft Active Directory infrastructure.

Because of this SAP IT decided to implement X.509 Certificate Auto Enrollment. Mid of this year SAP IT has thus replaced its existing PKI Infrastructure through X.509 certificate auto enrollment using Microsoft Active Directory.

It is since then there is a real Single Sign-On because in contrast to the old solution users do not have to enter an additional password to leverage their X.509 certificate after having successfully logged on to Active Directory. The certificate is now automatically copied to the local certificate store on a user's client. This local store is an encrypted store for certificates on Windows clients and contains personal and public root certificates.

The secure storage of X.509 certificates in Microsoft Active Directory offered the following additional benefits:

• High performance because data is retrieved from a local domain controller rather than from a central CA

While the initial setup for an ABAP server to accept X.509 certificates is one time effort there are ongoing tasks that have to be performed by the SAP administrator because the SAP user accounts have to be mapped to their X.509 certificates.

1. Transaction EXTID_DN
   
   using transaction EXTID_DN or SM30 it is possible to map single entries in table VUSREXTID. Transaction EXTID_DN now also offers the option of a file upload.
2. certmap service
   
   

Best Regards,

André