Kerberos SSO RAC with registry key AllowTGTSessionKey

Experimenter

Our Teamcenter environments are:

  • TC10.1.2.2
  • .Net server manager
  • IIS
  • TcSS on Tomcat (ISAPI connector configured in IIS for login service)
  • JRE1.7.45

Applet-free SSO is working well for our production; now I'm working on the Kerberos zero sign-on solution.

After setup per the TC documentation, the web client is working well without any prompts. But the RAC 4-tier client always gets the password window; zero sign-on only works when we set the registry key AllowTGTSessionKey to 1, as suggested in a live session with Siemens PDs for the IR I raised to GTAC.

I also tested with JRE1.8.121 and still have to set the registry key.

I can't find this registry key in any GTAC links or any discussions in this forum.

Does anyone have any ideas about it? Is the registry key a MUST for Kerberos zero sign-on?

12 REPLIES

Re: Kerberos SSO RAC with registry key AllowTGTSessionKey

Phenom

Hello @Kalen,

I have been struggling with applet-free SSO configuration for a while with no success.

It would be a great help if you could share your steps/documentation.

Thanks!

Re: Kerberos SSO RAC with registry key AllowTGTSessionKey

Solution Partner Phenom

Re: Kerberos SSO RAC with registry key AllowTGTSessionKey

Experimenter

Hello @xplm2005,

I set up the applet-free SSO based on this GTAC document https://solutions.industrysoftware.automation.siemens.com/docs/newsletter/tc-applet-freesso-without-... and the official help document "Security Services Installation/Customization".

Re: Kerberos SSO RAC with registry key AllowTGTSessionKey

Experimenter

Hello @ArdenBedell,

Thanks for your reply.

I have read this article before and tested that, as the local administrator, even if you set this registry key, you will still get the password window because you can't get the session key for the tickets, as stated in that article.

But in my case, it's a normal user, not a local admin.

Re: Kerberos SSO RAC with registry key AllowTGTSessionKey

Phenom

Hello @Kalen

Thanks for your response. I have some questions, but they are not related to this post, so I sent you a private message. Thanks!

Re: Kerberos SSO RAC with registry key AllowTGTSessionKey

Solution Partner Phenom

Kalen,

I found one PR, #7960454, on the GTAC solutions site that was entered yesterday, and it says it's under investigation. I guess we'll have to wait to see what the result is.

Arden Bedell | Teamcenter Wonk | Applied CAx, LLC

Re: Kerberos SSO RAC with registry key AllowTGTSessionKey

Experimenter

Hi Arden,

Yes, I'm discussing it with a Siemens SME who helped convert my IR to a security PR.

And I was told some customers who're running Kerberos SSO didn't encounter this issue ever.

So I posted here and want to know if any of you got the same issue.

Re: Kerberos SSO RAC with registry key AllowTGTSessionKey

Experimenter

Hi..

As per the document, applet-free SSO does not work with 2-tier RAC and Thin Client. Does that mean we cannot log in at all, or we can log in but the session window will be opened?

Re: Kerberos SSO RAC with registry key AllowTGTSessionKey

Solution Partner Esteemed Contributor

@KK1231, The thin client (webclient) is dead. SSO depends on a web tier which 2tRAC skips. I believe it means that you will be prompted for your password to login and not that it will suddenly run the non-applet free version.

BTW, Kerberos is more secure than SSO applet.

Randy Ellsworth, Teamcenter Architect, Applied CAx, LLC
NX 11 | SW 2016 | Creo 4 | TcUA 11.4
Evaluating: AW 3.4