
Single Sign On allowtgtsessionkey=1 not working

Creator

Hello Experts,

It would be really great if anyone could guide me with the issue below.

I am facing a strange issue with SSO Kerberos authentication. Some of our Teamcenter users are using Windows 10. I have configured SSO Kerberos successfully, but setting the registry value allowtgtsessionkey=1 under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters is not working as expected. It shows the attached error message.

allowtgtsessionkey=1.jpg

If I don't set allowtgtsessionkey, or set value=0, it asks for the "Kerberos Password"; after entering the password it successfully launches Teamcenter (10.1.7.1). But if the user restarts the PC, the Kerberos ticket expires and it asks for the "Kerberos Password" again. On Windows 7, allowtgtsessionkey=1 works fine; it doesn't ask for the "Kerberos Password".

The SSO URL http://<hostname: port>/LS/tccs/weblogin/home works fine. The authentication log shows "user is successfully Authenticated and authorized".

We are not using Windows Credential Guard on any PC or in any domain.

Attached is the TCCS logfile.

Thank you

1 REPLY

Re: Single Sign On allowtgtsessionkey=1 not working

Creator

Issue resolved.

Root cause: If the Teamcenter user is a member of many Active Directory groups, then Tomcat and IIS are not able to handle the Kerberos ticket size.

Solution: Add the below registry entries on the server.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters\

MaxFieldLength
Value - 65534 (64kb) bytes

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters\

MaxRequestBytes

System\CurrentControlSet\Control\Lsa\Kerberos\Parameters

Value name: EnableMaxTokenSize = 0

Value name: MaxTokenSize
Value data: 65535

Also define <packetSize="21000" maxHttpHeaderSize="65536"> in the Apache Tomcat server.xml file.
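
The root cause in the reply above (many AD groups inflating the Kerberos token past what IIS and Tomcat accept) can be checked before users hit it. This is an added example, not part of the original thread: it applies Microsoft's published token-size estimate (1200 + 40d + 8s bytes) and compares the resulting Negotiate header with header limits. The "default" limits and the group counts are assumptions to verify for your own versions; the raised limits are the values from the reply.

```python
import math

def estimate_token_bytes(d_groups, s_groups):
    """Microsoft's estimate of the Kerberos token size in bytes.

    d_groups: domain-local groups + universal groups from other domains
              + SID-history entries (about 40 bytes each)
    s_groups: global groups + universal groups in the user's own domain
              (about 8 bytes each)
    """
    return 1200 + 40 * d_groups + 8 * s_groups

def negotiate_header_bytes(token_bytes):
    """Size of 'Authorization: Negotiate <base64 token>' on the wire."""
    prefix = len("Authorization: Negotiate ")
    return prefix + 4 * math.ceil(token_bytes / 3)  # base64 grows data by 4/3

# Assumed out-of-the-box limits (verify against your IIS/Tomcat versions).
DEFAULT_LIMITS = {
    "http.sys MaxFieldLength": 16384,
    "Tomcat maxHttpHeaderSize": 8192,
}
# Limits after applying the values given in the reply.
REPLY_LIMITS = {
    "http.sys MaxFieldLength": 65534,
    "Tomcat maxHttpHeaderSize": 65536,
}

def exceeded(header_bytes, limits):
    """Names of the limits that this single header alone would exceed."""
    return sorted(name for name, cap in limits.items() if header_bytes > cap)

def check_user(d_groups, s_groups, limits):
    header = negotiate_header_bytes(estimate_token_bytes(d_groups, s_groups))
    return header, exceeded(header, limits)

if __name__ == "__main__":
    # Constructed sample users: (name, d_groups, s_groups)
    for name, d, s in [("light", 20, 30), ("medium", 150, 100), ("heavy", 400, 200)]:
        for label, limits in [("default", DEFAULT_LIMITS), ("reply", REPLY_LIMITS)]:
            size, over = check_user(d, s, limits)
            print(f"{name:6} {label:7} header={size:6} exceeds={over or 'none'}")
```

Other request headers (cookies, Host, and so on) count toward the same Tomcat and http.sys request limits, so treat these figures as a lower bound.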