Last Updated: October 22, 2009
Configuring a Windows 2000 or XP workstation for pass-thru logon
For a Windows 2000 or XP workstation to support pass-thru logons to the UMICH.EDU Kerberos realm, several different conditions must be met:
- The workstation must be a member of a domain in either the U-M production or test forests (an exception to this is simple file share access). This involves "joining" the computer to a Windows domain, a task typically accomplished by a local Windows administrator.
- Certain registry values must be set so that the "UMICH.EDU (Kerberos Realm)" will appear on the "Log on to:" drop-down menu during the Windows 2000 user logon. To simplify the setting of these values, and to offer a Kerberos ticket viewing utility, we have created an easily installable application.
A 'reg' file is available to update the appropriate registry values. Copy this file to your workstation and double click it to install.
http://www.umich.edu/~lannos/windows/export/umksetup.reg
- Windows XP workstations that are members of Active Directory:
Microsoft made a change to XP to speed up logons which makes pass-thru authentication fail intermittently. You will need to change this back to Windows 2000 behavior. "Enable" the following setting in Group Policy for the OU where your XP workstations will receive the policy:
Computer Configuration|Administrative Templates|System|Logon|Always wait for the network at computer startup and logon
- Windows 2000 Only:
The Windows 2000 workstation must be updated to (at least) the Service Pack 2 (SP2) maintenance level. If your administrator has not applied SP2, you can apply it yourself by visiting the Microsoft Windows Update web site. Click "Start", then "Windows Update" to get to the web site.
Important Note:
If the DNS suffix of your Windows workstation is different from the Active Directory domain name of the computer, you must set the "Primary DNS suffix" to match the Active Directory domain name. To change the "Primary DNS suffix":
- right click "My Computer"
- choose "Properties" from the drop-down menu
- click the "Network Identification" tab
- highlight the "Domain", and copy it into your buffer
- click the "Properties" button
- click the "More" button
- paste the domain name into the "Primary DNS suffix of this computer" field
- You will be prompted to reboot your computer.
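A read-only check of the settings described above, as an added example that is not part of the original page or a U-M tool. It assumes PowerShell 2.0 is installed on the workstation (an optional add-on for XP) and reads the policy through its registry value SyncForegroundPolicy; it does not cover the values set by umksetup.reg, which this page does not list.

```powershell
# Added example: verifies domain membership, Primary DNS suffix and the
# "Always wait for the network" policy. Nothing is modified.

function Report([string]$Check, [bool]$Ok, [string]$Detail) {
    # One line per check so the output can be collected from many workstations.
    $status = if ($Ok) { 'OK  ' } else { 'FAIL' }
    Write-Output ("[{0}] {1}: {2}" -f $status, $Check, $Detail)
}

# 1. The workstation must be joined to a domain.
#    PartOfDomain is exposed by WMI on Windows XP and later.
$cs = Get-WmiObject -Class Win32_ComputerSystem
Report 'Domain member' ([bool]$cs.PartOfDomain) "domain='$($cs.Domain)'"

# 2. The Primary DNS suffix must match the Active Directory domain name.
#    'Domain' is the suffix in effect; 'NV Domain' is the value that
#    becomes active after the reboot requested by the Properties dialog.
$tcpip   = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$suffix  = $tcpip.Domain
$pending = $tcpip.'NV Domain'
$match   = [bool]$cs.PartOfDomain -and ($suffix -ieq $cs.Domain)
Report 'Primary DNS suffix matches AD domain' $match "suffix='$suffix'"
if ($pending -and ($pending -ine $suffix)) {
    Write-Output "       Pending suffix '$pending' applies after the next reboot."
}

# 3. XP only: "Always wait for the network at computer startup and logon"
#    is stored as SyncForegroundPolicy = 1 once the GPO has been applied.
$polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon'
$pol    = Get-ItemProperty -Path $polKey -ErrorAction SilentlyContinue
$sync   = ($pol -ne $null) -and ($pol.SyncForegroundPolicy -eq 1)
Report 'Always wait for the network (XP)' $sync "SyncForegroundPolicy='$($pol.SyncForegroundPolicy)'"
```

A FAIL on the third check right after the GPO is enabled usually means the workstation has not yet refreshed computer policy; rerun the check after a restart.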
Problems with pass-thru logons should be reported to W2kSupport@umich.edu.