Re: Kerberos SSO RAC with registry key AllowTGTSessionKey

Solution Partner Esteemed Contributor
I have not found any limitations using IIS for Kerberos authentication. My setup uses IIS, ISAPI Redirector (Jakarta) and Apache Tomcat. Yes, I needed to set the "allowtgtsessionkey" registry change on each client machine and I had to install TCCS for supporting multiple environments (Prod, Test, Dev) a.k.a. configurations.

I did encounter some users that were prompted for their password despite all these settings being correct and confirmed. The work-around was to have them retrieve the credentials manually first (one-time action). Then the creds were cached and they were not prompted for their password anymore. Here are the steps...

Open a command window:
"%JRE_HOME%\bin\kinit" myusername@MYDOMAIN.COM
Enter your password
New ticket is stored in cache file C:\Users\myusername\krb5cc_myusername

The myusername is the same user name logging into Teamcenter and the domain name MUST be capitalized.

After running that command then the affected user could log into Teamcenter without prompts and they did not need to repeat it. Note: this is user AND machine specific.

Randy Ellsworth, Teamcenter Architect, Applied CAx, LLC
NX 11 | SW 2016 | Creo 4 | TcUA 11.4
Evaluating: AW 3.4

Re: Kerberos SSO RAC with registry key AllowTGTSessionKey

Valued Contributor

Hello Randy,

I had the same issue with the same configuration: IIS for Kerberos authentication. My setup also uses IIS, ISAPI Redirector (Jakarta) and Apache Tomcat 8.0.

The Kerberos ticket is not valid for more than 10 hrs, so the user has to generate the krb ticket again, which is not suitable.

I found the root cause in my configuration: Tomcat was not able to handle the ticket size (even after adding allowtgtsessionkey), so I added the entries below on all client PCs and it started working without any issue.

change the line below

<packetSize="21000" maxHttpHeaderSize="65536"> in APACHE TOMCAT server.xml file.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters\

MaxFieldLength
Value - 65534 (64kb) bytes

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters\

MaxRequestBytes

System\CurrentControlSet\Control\Lsa\Kerberos\Parameters

Value Name: EnableMaxTokenSize =0

Value name: MaxTokenSize
Value data: 65535

Please let me know if it works for you.

Note: if the user has admin rights then it will pop up a Kerberos password window (TC10.17.1). It's kind of a bug which is resolved in TC11.4.*
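The registry values the post above changes can be audited (and, with -Apply, set) from an elevated PowerShell on the client PC. This is an added example, not from the thread or from Siemens; the target numbers are the ones quoted in the post, and the MaxRequestBytes target, which the post leaves blank, is an assumption.

```powershell
# Added example: audit the HTTP.sys and Kerberos registry values from the post.
# Run elevated. Without -Apply it is read-only and only reports.
$Checks = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
       Name = 'MaxFieldLength';  Target = 65534 },          # value from the post
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
       Name = 'MaxRequestBytes'; Target = 65534 },          # ASSUMED: post gives no value
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
       Name = 'MaxTokenSize';    Target = 65535 },          # value from the post
    # AllowTgtSessionKey hands the TGT session key to user-mode apps (needed by
    # the Java kinit/JAAS flow in the thread); report it so the exposure is visible.
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
       Name = 'AllowTgtSessionKey'; Target = 1 }
)

function Get-KerberosSsoSettings {
    param([switch]$Apply)
    foreach ($c in $Checks) {
        $current = $null
        try {
            # Get-ItemProperty throws when the key or the value is absent
            $current = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction Stop).($c.Name)
        } catch { }
        $status = if ($null -eq $current)      { 'MISSING' }
                  elseif ($current -lt $c.Target) { 'BELOW TARGET' }
                  else                            { 'OK' }
        if ($Apply -and $status -ne 'OK') {
            if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
            New-ItemProperty -Path $c.Path -Name $c.Name -PropertyType DWord `
                -Value $c.Target -Force | Out-Null
            $status = 'SET'
        }
        [pscustomobject]@{
            Key = $c.Path; Name = $c.Name; Current = $current
            Target = $c.Target; Status = $status
        }
    }
}

# Report only; use "Get-KerberosSsoSettings -Apply" to write the targets.
Get-KerberosSsoSettings | Format-Table -AutoSize
```

HTTP.sys and LSA read these values at service start, so a reboot (or at least restarting the HTTP service) is needed before re-testing the Teamcenter login.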

Re: Kerberos SSO RAC with registry key AllowTGTSessionKey

Valued Contributor

Hello Randy,

Is your problem solved with the given solution?

Thank you