
Configuring the UME when Using Non-ADS Data Sources


Use this procedure to configure the user management engine (UME) to use data stores other than Active Directory Server (ADS) with Kerberos authentication.


Using Kerberos for Windows integrated authentication with non-ADS data sources on SAP NetWeaver Application Server (AS) Java can lead to security vulnerabilities due to the inconsistency of user data. The reason is that the source of authentication, the Windows domain controller (DC) acting as a key distribution center (KDC), can use a user store that is different from the user repository of the AS Java. For example, Joe in the KDC and Joe in an ABAP user repository for the AS Java may not be the same physical person, and there may not even be a Joe in the ABAP system. Therefore, we recommend that you use a single data source or regularly synchronize the user information, if you use multiple data sources.


For this scenario, use the simple resolution mode.


Add a custom user attribute to the AS Java user profile.

The custom attribute must meet the following requirements:

  • The name of the attribute must be krb5principalname.

    This attribute is used for resolving the user from the Kerberos principal name (KPN).

  • The attribute must be administrator-managed.

For more information, see Adding Custom Attributes to the User Profile.
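
The recommendation to regularly synchronize user information can be backed by a periodic consistency check between the KDC's principals and the krb5principalname values stored in the AS Java user profiles. The following is an added example, not SAP code: the two CSV exports, their column names, and the finding labels are assumptions, the sample data is constructed, and principal names are compared as exact strings.

```python
import csv
import io
from collections import defaultdict

# Constructed sample exports; the column names are assumptions for this example.
KDC_EXPORT = """principal,enabled
joe@EXAMPLE.COM,true
ann@EXAMPLE.COM,true
bob@EXAMPLE.COM,false
"""
UME_EXPORT = """logon_id,krb5principalname
JOE,joe@EXAMPLE.COM
JSMITH,joe@EXAMPLE.COM
BOB,bob@EXAMPLE.COM
EVE,eve@EXAMPLE.COM
CARL,
"""

def audit(kdc_csv, ume_csv):
    """Return (finding, logon_ids, principal) tuples for mismatches between the stores."""
    # principal -> enabled flag, as listed by the KDC side
    kdc = {r["principal"].strip(): r["enabled"].strip().lower() == "true"
           for r in csv.DictReader(io.StringIO(kdc_csv))}
    # principal -> AS Java users whose krb5principalname holds that value
    by_kpn = defaultdict(list)
    for r in csv.DictReader(io.StringIO(ume_csv)):
        kpn = (r["krb5principalname"] or "").strip()
        if kpn:  # users without the attribute cannot be resolved from a KPN
            by_kpn[kpn].append(r["logon_id"].strip())
    findings = []
    for kpn, users in sorted(by_kpn.items()):
        ids = ",".join(sorted(users))
        if len(users) > 1:
            findings.append(("ambiguous_mapping", ids, kpn))
        if kpn not in kdc:
            findings.append(("principal_not_in_kdc", ids, kpn))
        elif not kdc[kpn]:
            findings.append(("principal_disabled_in_kdc", ids, kpn))
    # Principals the KDC can authenticate that no AS Java user is mapped to
    for kpn in sorted(set(kdc) - set(by_kpn)):
        if kdc[kpn]:
            findings.append(("kdc_principal_without_user", "", kpn))
    return findings

if __name__ == "__main__":
    for finding in audit(KDC_EXPORT, UME_EXPORT):
        print(finding)
```

A match on the principal name only shows that the two records agree; whether they describe the same person still has to be confirmed when the administrator sets the attribute.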