Have this issue after rollout to JRE 7. Try the following:
Initial testing shows this fixes the issue. However, still need to examine potential security impact.
As noted below, this should not be a string, but a DWORD.
It doesn't work for me :-(
The only thing that works is to check "Do not require Kerberos preauthentication" in the Active Directory user account. But I don't want to check this option for all my users!
Now it works!!!
The key (allowtgtsessionkey) must be a REG_DWORD and not a REG_SZ!
Thank you very much William_D :-)
I had this same issue. My fix was to create a custom JAAS config file that specifies not to use the local TGT cache.
If you would like, I could provide you with this setup. 1.7 uses GSS/SPNEGO as the first method of auth; this will essentially disable this method of single sign-on.
It looks like you got a fix, so this post could be worthless.
In fact we encounter the same issue in our environment, and somehow changing the Kerberos PreAuth setting did not resolve the issue. As I am not a Java expert, can you give more details on where and how to set up the 'HTTP Authentication' setting which you have mentioned earlier? Can you provide a sample of the custom JAAS config file which you have mentioned for me to use in my environment? Where should I put the JAAS config file? Your assistance on this is truly appreciated.
Thanks and best regards,
Can you kindly verify what the DWORD value is which you have set for the registry key (HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters\allowtgtsessionkey) which resolved your issue?
Is it 0 or 1? I have tried to use different values (0 and 1) on different users, but the Java/Windows lockout issue still remains.
Thanks and regards,
Another workaround I have found is to open c:\Program Files (x86)\Java\jre7\lib\security\java.security and comment in line 88:
Obviously, there is no JAAS config file yet, so I don't understand why this works around the problem when no jass.config file is found.
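
The thread's finding that allowtgtsessionkey must be a REG_DWORD rather than a REG_SZ can be checked on a workstation with a read-only audit. This is an added example, not code from any poster; the function name is hypothetical, and it assumes that data 1 is the enabling value, which the thread does not confirm.

```powershell
# Added example (not from the thread): read-only audit of allowtgtsessionkey.
# Reports whether the value exists, its registry type, and its data.
$KeyPath   = 'HKLM:\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$ValueName = 'allowtgtsessionkey'

function Get-TgtSessionKeySetting {   # hypothetical helper name
    param(
        [string]$Path = $KeyPath,
        [string]$Name = $ValueName
    )
    $r = [ordered]@{ Computer = $env:COMPUTERNAME; Kind = $null; Data = $null; Finding = $null }

    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $key) {
        $r.Finding = 'Parameters key not present; value is not set'
        return [pscustomobject]$r
    }
    if ($key.GetValueNames() -notcontains $Name) {
        $r.Finding = 'Value is not set'
        return [pscustomobject]$r
    }

    $r.Kind = $key.GetValueKind($Name)   # String = REG_SZ, DWord = REG_DWORD
    $r.Data = $key.GetValue($Name)

    if ($r.Kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
        # The case reported in the thread: value created with the wrong type.
        $r.Finding = "Wrong type ($($r.Kind)); the thread reports it must be REG_DWORD"
    } elseif ($r.Data -eq 1) {
        # Assumption: 1 is the enabling value. Flag it for security review.
        $r.Finding = 'REG_DWORD = 1: TGT session key access enabled; review security impact'
    } else {
        $r.Finding = "REG_DWORD = $($r.Data) (not 1)"
    }
    return [pscustomobject]$r
}

Get-TgtSessionKeySetting | Format-List
```

Running it across the machines touched by the JRE 7 rollout gives an inventory of where the setting was applied and where it was created with the wrong type.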