Hello Manuell,
The SAP Single Sign-on (Secure Login Server and Secure Login Client) can be also a solution to this problem.
He can:
1. Authenticate with SPNEGO (automatic) or direct against a Active Directory(username/password)
2. use the username (without the domain part) to generate a X.509 certificate
3. use this certificate in following authentication requests against ABAP/Portal.
Customers with inhomogenious user names take this approach because the user mapping configuration is done over the Active Directory.
Alternative if the user name of the Active Ditrectory users does not match a pattern, a entry in the users Active Directory entry can be used to generate another username from a LDAP attribute (LDAP User Mapping feature).
There are many flexible ways to generate user names here (padding etc).
Take a look into the documentation (chapter 5.6.1 following ): http://scn.sap.com/docs/DOC-40145
best regards
Alexander Gimbel