
Configuring the UME when Using ADS Data Sources for Kerberos


Use this procedure to configure the data source configuration file of the user management engine (UME) so that Single Sign-On (SSO) with Kerberos works against an Active Directory Server (ADS). The required changes depend on the user resolution mode the UME uses to map the Kerberos principal to a user account in the ADS.

This procedure assumes the UME uses a single ADS data source. If the UME uses multiple ADS data sources, make the changes described below for every ADS data source configured in the UME. If the data sources are not mutually trusted domains of one directory forest, you can create a separate Kerberos configuration for each data source and provide a separate logon URL for each ADS domain.

Procedure

  1. Choose the user resolution mode that best matches your configuration from the table below.

    User Resolution Modes and When To Use Them

    Prefix-based

      Recommendation: use this mode when the UME is configured to use an ADS data source.

      Use this mode if you need to support multiple Kerberos realms.

    None

      Use this mode only if the user's logon ID is identical to the Kerberos Principal Name (KPN). If the logon ID corresponds to the samaccountname attribute in the Active Directory, use the simple or prefix-based user resolution mode instead.

    Simple

      Use this mode only if the User Principal Name (UPN) in the Active Directory is identical to the KPN.

  2. Create and map any user attributes in the UME data source configuration file for ADS, as required by your user resolution mode.

    For more information, see Customizing UME Data Source Configuration.

    • Prefix-based

      Make the following changes to the data source configuration file of the UME.

      1. Define the attributes kpnprefix, krb5principalname, and dn in the responsibleFor section.

      2. Map kpnprefix to the physical attribute samaccountname.

      3. Map krb5principalname to the physical attribute userprincipalname.

      4. Map dn to the physical attribute distinguishedname.

    • None

      You do not need to customize the data source configuration file of the UME.

    • Simple

      Make the following changes to the data source configuration file of the UME.

      1. Define the attribute krb5principalname in the responsibleFor section.

      2. Map the attribute krb5principalname to the physical attribute userprincipalname.

  3. Use the service user ID and password that you created on the ADS to connect the UME to the ADS data source. Use a dedicated service account with no more directory permissions than the UME needs (read-only access to the user entries if the UME only reads from the ADS); do not reuse an administrative account for the bind.

    For more information, see Configuring the UME to Use an LDAP Directory as Data Source.

Example

Syntax

This example shows how to define the attributes in the responsibleFor section of the data source configuration file (prefix-based mode; for simple mode only krb5principalname is needed).

    <responsibleFor>
      ...
        <principal type="user">
          <nameSpaces>
            <nameSpace name="com.sap.security.core.usermanagement">
              <attributes>
                <attribute name="firstname"
                  populateInitially="true"/>
                ...
                <attribute name="kpnprefix"/>
                <attribute name="krb5principalname"/>
                <attribute name="dn"/>
              </attributes>
            </nameSpace>
          </nameSpaces>
        </principal>
      ...
    </responsibleFor>

Syntax

This example shows how to map the attributes to the corresponding physical attributes of the ADS. Note that the attribute elements that contain a physicalAttribute element are not self-closing; they must be opened with <attribute name="..."> and closed with </attribute>.

    <attributeMapping>
      <principals>
        <principal type="account">
          <nameSpaces>
          ...
          </nameSpaces>
        </principal>
        <principal type="user">
          <nameSpaces>
            <nameSpace name="com.sap.security.core.usermanagement">
              <attributes>
                <attribute name="firstname">
                  <physicalAttribute name="givenname"/>
                </attribute>
                ...
                <attribute name="kpnprefix">
                  <physicalAttribute name="samaccountname"/>
                </attribute>
                <attribute name="krb5principalname">
                  <physicalAttribute name="userprincipalname"/>
                </attribute>
                <attribute name="dn">
                  <physicalAttribute name="distinguishedname"/>
                </attribute>
              </attributes>
            </nameSpace>
          </nameSpaces>
        </principal>
      </principals>
    </attributeMapping>
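A typo in either section (a misspelled attribute name, a self-closing attribute that swallows its physicalAttribute, or a mapping to the wrong directory attribute) silently breaks Kerberos user resolution. The following script is an added example, not part of the SAP documentation or the UME itself: it parses a data source configuration file with the Python standard library and reports every required attribute that is not declared in responsibleFor or not mapped to the physical attribute the procedure above prescribes for the chosen user resolution mode. The dataSources/dataSource wrapper elements in the embedded sample are an assumption about the file layout; the two sections checked are exactly the responsibleFor and attributeMapping sections shown above.

```python
import xml.etree.ElementTree as ET

USER_NS = "com.sap.security.core.usermanagement"

# Logical attribute -> physical ADS attribute required per user resolution
# mode, as listed in step 2 of the procedure. "none" needs no customizing.
REQUIRED = {
    "prefix-based": {
        "kpnprefix": "samaccountname",
        "krb5principalname": "userprincipalname",
        "dn": "distinguishedname",
    },
    "simple": {"krb5principalname": "userprincipalname"},
    "none": {},
}


def _user_namespace(root, section):
    """Return the usermanagement <nameSpace> of the user principal inside the
    given section (responsibleFor or attributeMapping), or None if absent."""
    sec = next(root.iter(section), None)
    if sec is None:
        return None
    for principal in sec.iter("principal"):
        if principal.get("type") != "user":
            continue
        for ns in principal.iter("nameSpace"):
            if ns.get("name") == USER_NS:
                return ns
    return None


def check_kerberos_mapping(xml_text, mode):
    """Return a list of problems; an empty list means the configuration
    declares and maps everything the given user resolution mode needs."""
    root = ET.fromstring(xml_text)
    required = REQUIRED[mode]
    problems = []

    declared = set()
    ns = _user_namespace(root, "responsibleFor")
    if ns is not None:
        declared = {a.get("name") for a in ns.iter("attribute")}
    for logical in required:
        if logical not in declared:
            problems.append(f"responsibleFor: '{logical}' is not declared for user principals")

    mapped = {}
    ns = _user_namespace(root, "attributeMapping")
    if ns is not None:
        for a in ns.iter("attribute"):
            phys = a.find("physicalAttribute")
            if phys is not None:
                mapped[a.get("name")] = phys.get("name")
    for logical, physical in required.items():
        actual = mapped.get(logical)
        if actual is None:
            problems.append(f"attributeMapping: '{logical}' has no physicalAttribute")
        elif actual.lower() != physical:  # LDAP attribute names are case-insensitive
            problems.append(f"attributeMapping: '{logical}' is mapped to '{actual}', expected '{physical}'")
    return problems


# Constructed sample file (hypothetical wrapper elements) with a correct
# prefix-based configuration, matching the two examples above.
SAMPLE_OK = """<dataSources>
  <dataSource id="CORP_ADS">
    <responsibleFor>
      <principal type="user">
        <nameSpaces>
          <nameSpace name="com.sap.security.core.usermanagement">
            <attributes>
              <attribute name="firstname" populateInitially="true"/>
              <attribute name="kpnprefix"/>
              <attribute name="krb5principalname"/>
              <attribute name="dn"/>
            </attributes>
          </nameSpace>
        </nameSpaces>
      </principal>
    </responsibleFor>
    <attributeMapping>
      <principals>
        <principal type="user">
          <nameSpaces>
            <nameSpace name="com.sap.security.core.usermanagement">
              <attributes>
                <attribute name="firstname"><physicalAttribute name="givenname"/></attribute>
                <attribute name="kpnprefix"><physicalAttribute name="samaccountname"/></attribute>
                <attribute name="krb5principalname"><physicalAttribute name="userprincipalname"/></attribute>
                <attribute name="dn"><physicalAttribute name="distinguishedname"/></attribute>
              </attributes>
            </nameSpace>
          </nameSpaces>
        </principal>
      </principals>
    </attributeMapping>
  </dataSource>
</dataSources>
"""

# Same file with two realistic mistakes: a misspelled logical attribute
# (so krb5principalname is neither declared nor mapped) and dn mapped to cn.
SAMPLE_BROKEN = SAMPLE_OK.replace("krb5principalname", "prb5principalname") \
                         .replace('name="distinguishedname"', 'name="cn"')

if __name__ == "__main__":
    for mode in REQUIRED:
        print(mode, check_kerberos_mapping(SAMPLE_BROKEN, mode))
```

Run it against the real data source configuration file before restarting the system after editing; for mode "none" the script always reports nothing, because that mode requires no customizing of the file.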