Authentication Using Windows NTLM

Purpose

With this PAS option, the user is authenticated using the Windows NTLM protocol, which takes place between the user’s Web browser and the Web server. The user's Windows ID is then passed to the SAP system using the PAS service. The user’s SAP system ID is obtained from the mapping table USREXTID in the SAP system and a logon ticket is created for the user. Single Sign-On is then available to additional SAP services using the logon ticket.

Prerequisites

For the prerequisites for using Windows NTLM authentication for PAS, see the following topics:

Process Flow

Graphic: Using Windows NTLM Authentication (explained in the text below)

The user must be logged on to the Windows domain. The process is then as follows:

  1. The user accesses the PAS service for using Windows NTLM authentication (for example, sapntauth).
  2. The Web server authenticates the user using the Windows NTLM protocol between the Web browser and the Web server. If successful, the Web server provides the user’s information (<Windows_domain>\<Windows_user_ID>) to the WGate.
  3. The WGate passes this information to the PAS service on the AGate, which passes it on to the SAP system application server.
  4. The SAP system searches for a matching user ID in the user external ID mapping table.
  5. If successful, the PAS creates a logon ticket for the user, which it sets in the user's Web browser.
  6. The PAS redirects the user to the designated service (for example, myservice).
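
Steps 3 to 5 can be modelled as follows. This is an added example, not SAP code: the dictionary stands in for the USREXTID mapping table, and the HMAC-signed ticket format, the key, the case-insensitive matching and all function names are assumptions made for illustration. It shows the mapping failing closed when the identity supplied by the Web server is malformed or has no entry.

```python
import hashlib, hmac, re, time

# Constructed stand-in for the USREXTID mapping table: Windows ID -> SAP user ID.
USREXTID = {"CORP\\jsmith": "JSMITH", "CORP\\mlee": "MLEE01"}
TICKET_KEY = b"constructed-demo-key"  # assumption: stands in for the issuer's signing key
ID_RE = re.compile(r"([A-Za-z0-9._-]+)\\([A-Za-z0-9._$-]+)")  # exactly DOMAIN\user

def map_windows_user(external_id):
    """Step 4: return the mapped SAP user ID, or None (fail closed)."""
    m = ID_RE.fullmatch(external_id or "")
    if not m:
        return None  # empty or malformed identity: never fall back to a default user
    # Assumption of this sketch: Windows names are compared case-insensitively.
    return USREXTID.get(f"{m.group(1).upper()}\\{m.group(2).lower()}")

def _sign(payload):
    return hmac.new(TICKET_KEY, payload.encode(), hashlib.sha256).hexdigest()

def issue_ticket(sap_user, now=None, lifetime=8 * 3600):
    """Step 5: build the ticket value set in the browser (hypothetical format)."""
    expires = int(time.time() if now is None else now) + lifetime
    payload = f"{sap_user}|{expires}"
    return f"{payload}|{_sign(payload)}"

def verify_ticket(ticket, now=None):
    """Later SSO requests: return the SAP user ID only if signature and expiry hold."""
    try:
        sap_user, expires, sig = ticket.split("|")
        expires_at = int(expires)
    except ValueError:
        return None
    if not hmac.compare_digest(sig.encode(), _sign(f"{sap_user}|{expires}").encode()):
        return None
    if expires_at < int(time.time() if now is None else now):
        return None
    return sap_user

def pas_logon(external_id, now=None):
    """Steps 3-5: map the identity supplied by the Web server, then issue a ticket."""
    sap_user = map_windows_user(external_id)
    return issue_ticket(sap_user, now) if sap_user else None

if __name__ == "__main__":
    ticket = pas_logon("corp\\JSmith")
    print(ticket, verify_ticket(ticket))
    print(pas_logon("CORP\\unknown"))  # no mapping entry, so no ticket is issued
```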

Result

No user ID or password entries are necessary for accessing the SAP system.

When the user accesses further SAP services, the logon ticket is used for Single Sign-On access.
