Providing a session key to the IBM JRE to enable Kerberos/SPNEGO SSO in ELM

By default, Microsoft Windows restricts third-party applications from retrieving ticket-granting ticket (TGT) and session key pairs from the Kerberos security package. The IBM JRE that is included in ELM Eclipse clients is one such third-party application that is affected by this Windows restriction. ELM web clients are not affected. To remove this restriction, you must edit the Windows registry.


  1. Open the Windows registry editor, regedit.
  2. Go to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters.
  3. Create the allowtgtsessionkey key with the following attributes and values:
    • Data Type: REG_DWORD
    • Value: 1 (default is 0)
    Note: For some versions of Windows, the allowtgtsessionkey key must be created in HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos. To avoid issues, it is best to create the key in both locations.
  4. Restart the client computer.


The allowtgtsessionkey key is added to the Windows registry and is set to allow the operating system to grant the client a TGT and session key pair.

video icon Video channel
Software Education channel

learn icon Courses

IoT Academy
Skills Gateway

ask icon Community forums library

support icon Support

IBM Support Community
Deployment wiki