It would be really great if anyone could guide me with the issue below.
I am facing a strange issue with SSO Kerberos authentication. Some of our Teamcenter users are using Windows 10. I have configured SSO Kerberos successfully, but setting the registry value allowtgtsessionkey=1 under the path HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters is not working as expected. It shows the attached error message.
If I don't set allowtgtsessionkey, or set its value to 0, then it asks for the "Kerberos Password"; after entering the password it successfully launches Teamcenter (10.1.7.1). But if the user restarts the PC, the Kerberos ticket expires and it asks for the "Kerberos Password" again. On Windows 7, allowtgtsessionkey=1 works fine; it doesn't ask for the "Kerberos Password".
The SSO URL http://<hostname: port>/LS/tccs/weblogin/home is working fine. The authentication log shows "user is successfully Authenticated and authorized "
We are not using Windows Credential Guard on any PC or in any domain.
Attached is the TCCS log file.
Root Cause:- If the Teamcenter user is a member of many Active Directory groups, then Tomcat and IIS are not able to handle the Kerberos ticket size.
Solution:- Add the registry entries below on the server.
Value - 65534 (64kb) bytes
Value Name: EnableMaxTokenSize =0
Value name: MaxTokenSize
Value data: 65535
Also define <packetSize="21000" maxHttpHeaderSize="65536"> in the Apache Tomcat server.xml file.
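A way to check the root cause above before changing limits, as an added example that is not part of the original post: it estimates a user's Kerberos token size with Microsoft's published formula (1200 + 40d + 8s), works out the length of the resulting base64 `Authorization: Negotiate` header, and flags Tomcat HTTP connectors whose `maxHttpHeaderSize` cannot hold it. The server.xml fragment, the group counts and the 2048-byte allowance for other headers are constructed assumptions; 8192 is Tomcat's default when the attribute is absent.

```python
import math
import xml.etree.ElementTree as ET

TOMCAT_DEFAULT_MAX_HTTP_HEADER = 8192  # Tomcat default when the attribute is not set

# Constructed sample server.xml fragment (not taken from the original post).
SAMPLE_SERVER_XML = """
<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="8443" protocol="HTTP/1.1" maxHttpHeaderSize="65536" />
  </Service>
</Server>
"""

def estimate_token_bytes(d, s):
    """Microsoft's estimate of Kerberos token size: 1200 + 40d + 8s.
    d = domain-local groups + universal groups outside the account domain
        + SIDs in SID history
    s = global groups + universal groups inside the account domain"""
    return 1200 + 40 * d + 8 * s

def negotiate_header_bytes(token_bytes):
    """Length of 'Authorization: Negotiate <base64(token)>' including CRLF."""
    b64_len = 4 * math.ceil(token_bytes / 3)
    return len("Authorization: Negotiate ") + b64_len + 2

def audit_connectors(server_xml, token_bytes, other_headers=2048):
    """Return (port, limit, ok) per HTTP connector.
    other_headers is an assumed allowance for request line, cookies, etc."""
    needed = negotiate_header_bytes(token_bytes) + other_headers
    results = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if "ajp" in conn.get("protocol", "HTTP/1.1").lower():
            continue  # AJP connectors are sized with packetSize instead
        limit = int(conn.get("maxHttpHeaderSize", TOMCAT_DEFAULT_MAX_HTTP_HEADER))
        results.append((conn.get("port"), limit, limit >= needed))
    return results

if __name__ == "__main__":
    token = estimate_token_bytes(d=150, s=400)  # constructed group counts
    print("estimated token:", token, "bytes;",
          "Negotiate header:", negotiate_header_bytes(token), "bytes")
    for port, limit, ok in audit_connectors(SAMPLE_SERVER_XML, token):
        print(f"port {port}: maxHttpHeaderSize={limit} ->",
              "OK" if ok else "TOO SMALL")
```

The formula is only an estimate; the actual ticket a client holds can be inspected with `klist` on the workstation.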