SAP NetWeaver AS Java SSO Module on Windows.
SAP SSO does not work when Microsoft's Time Redirection GP is enabled (Computer Configuration\Policies\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Device and Resource Redirection\Allow Time Redirection). The following error is returned:
The security context of the current session has expired
However, SSH SSO to the SAP server works as expected.

Cause:
Centrify's SAP SSO module relies on Microsoft's SSPI (Security Support Provider Interface) API to perform authentication. SSPI calls are used to confirm the validity of the provided Kerberos ticket. The Microsoft library calls LocalFileTimeToFileTime to convert the time to UTC and compares the result with the time returned by the time call. If the time zone difference happens to be more than 10 hours (the Kerberos ticket lifetime), the above error is returned.

Resolution:
Since the problem is caused by an API provided by Microsoft, please contact Microsoft and ask whether they can provide a hotfix for this issue. Other than disabling this GP, there is no workaround for this problem, since the SAP SSO module relies on the SSPI API to validate the ticket time.