
Single Sign On allowtgtsessionkey=1 not working

Valued Contributor

Hello Experts,

It would be really great if anyone could guide me with the issue below.

I am facing a strange issue with SSO Kerberos authentication. Some of our Teamcenter users are using Windows 10. I have configured SSO Kerberos successfully, but setting the registry value allowtgtsessionkey=1 under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters is not working as expected. It shows the attached error message.





If I don't set allowtgtsessionkey, or set its value to 0, then it asks for the "Kerberos Password"; after entering the password it successfully launches Teamcenter. (But if the user restarts the PC, the Kerberos ticket expires and it again asks for the "Kerberos Password".) On Windows 7, allowtgtsessionkey=1 works fine; it doesn't ask for the "Kerberos Password".


The SSO URL http://<hostname: port>/LS/tccs/weblogin/home is working fine. The authentication log shows "user is successfully Authenticated and authorized ".


We are not using Windows Credential Guard on any PC OR in any domain.


Attached is the TCCS logfile.


Thank you 




Re: Single Sign On allowtgtsessionkey=1 not working

Valued Contributor

Issue resolved.

Root Cause:- If the Teamcenter user is a member of many Active Directory groups, then Tomcat and IIS are not able to handle the Kerberos ticket size.


Solution:- Add the below registry entries on the server.



Value - 65534 (64kb) bytes






Value Name: EnableMaxTokenSize =0

Value name: MaxTokenSize
Value data: 65535


Also define the <packetSize="21000" maxHttpHeaderSize="65536"> in APACHE TOMCAT server.xml file.