Providing a session key to the IBM JRE to enable Kerberos/SPNEGO SSO in CLM

By default, Microsoft Windows restricts third-party applications from retrieving ticket-granting ticket (TGT) and session key pairs from the Kerberos security package. The IBM JRE that is included in CLM Eclipse clients is one such third-party application that is affected by this Windows restriction. CLM web clients are not affected. To remove this restriction, you must edit the Windows registry.

Procedure

  1. Open the Windows registry editor, regedit.
  2. Go to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters.
  3. Create the allowtgtsessionkey key with the following attributes and values:
    • Data Type: REG_DWORD
    • Value: 1 (default is 0)
    Note: For some versions of Windows, the allowtgtsessionkey key must be created in HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos. To avoid issues, it is best to create the key in both locations.
  4. Restart the client computer.

Results

The allowtgtsessionkey key is added to the Windows registry and is set to allow the operating system to grant the client a TGT and session key pair.
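
The registry steps above can also be scripted, which makes it possible to check the current state of both locations before changing anything. The following PowerShell script is an added example, not part of the original IBM procedure: the -Apply switch and the Get-TgtSessionKeySetting function are names made up for this example, and writing under HKEY_LOCAL_MACHINE assumes an elevated prompt. Without -Apply the script only reports what is set.

```powershell
# Added example: report, and optionally set, allowtgtsessionkey in both
# registry locations named in the procedure.
# -Apply is a switch defined by this script (hypothetical name).
param([switch]$Apply)

$Name  = 'allowtgtsessionkey'
$Paths = @(
    'HKLM:\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters',
    'HKLM:\System\CurrentControlSet\Control\Lsa\Kerberos'
)

# Returns the DWORD as an int, or $null when the entry (or its parent) is absent.
function Get-TgtSessionKeySetting {
    param([string]$Path)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # absent: the documented default is 0
    return [int]($item.$Name)
}

$changed = $false
foreach ($path in $Paths) {
    $current = Get-TgtSessionKeySetting -Path $path
    $shown = if ($null -eq $current) { 'not set (default 0)' } else { $current }
    Write-Output "$path : $Name = $shown"

    if ($Apply -and $current -ne 1) {
        # The Parameters subkey may not exist yet on some systems.
        if (-not (Test-Path -Path $path)) {
            New-Item -Path $path -Force | Out-Null
        }
        # Step 3 of the procedure: Data Type REG_DWORD, Value 1.
        New-ItemProperty -Path $path -Name $Name -PropertyType DWord -Value 1 -Force | Out-Null
        Write-Output '  -> set to 1'
        $changed = $true
    }
}

if ($changed) {
    # Step 4 of the procedure.
    Write-Output 'Restart the client computer.'
}
```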

