
Last Updated: October 22, 2009

Configuring a Vista workstation for Kerberos pass-thru logon

For a Vista workstation to support pass-thru logons to the UMICH.EDU Kerberos realm, several different conditions must be met:

  1. The Vista workstation must be a member of a domain in either the U-M production or test forests (an exception to this is simple file share access). This involves "joining" the computer to a Windows domain, a task typically accomplished by a local Windows administrator.

  2. The Vista workstation must be configured for pass-thru authentication to the UMICH.EDU Kerberos realm. For Windows Vista, this task can be accomplished in one of two ways:

    • The best choice for many U-M organizational units will be to apply several Active Directory Group Policy settings. These settings have been collected into a Group Policy Object (GPO) in the UMROOT domain named "UMROOT Vista Kerberos Pass-thru". A UMROOT Windows administrator can link to this GPO to configure Vista workstations for Kerberos pass-thru authentication. The settings of the "UMROOT Vista Kerberos Pass-thru" GPO are described in this GPO snapshot:

      UMROOT Vista Kerberos Pass-thru GPO

    • The Vista registry settings that are configured by the "UMROOT Vista Kerberos Pass-thru" GPO can be applied to the Vista workstation by a "reg" file. This choice may be appropriate for individual Vista workstations, or for Vista provisioning scenarios. The following "reg" file contains settings to configure a Vista workstation for pass-thru authentication in the UMROOT domain. Note that the pass-thru registry settings for Vista differ from those for Windows 2000 and XP. Although the registry settings for XP will still "work" for Vista, using the Vista-specific settings is recommended because they contain two additional GPO policy settings that are not present in XP, and are also compatible with Vista Group Policy. Copy this file to your workstation and double-click it to install.

      http://www.umich.edu/~lannos/windows/export/vista-umksetup.reg



  3. Windows Vista logon behavior (optional):

    If Vista behaves like XP, pass-thru logons may fail intermittently due to timing considerations. At this time we have not had sufficient experience with Vista to determine if this will still be a problem. If you do experience problems running Kerberos pass-thru authentication on Vista, apply the following Group Policy setting:

    Computer Configuration|Administrative Templates|System|Logon|Always wait for the network at computer startup and logon

    Important Note:

    If the DNS suffix of your Windows workstation is different from the Active Directory domain name of the computer, you must set the "Primary DNS suffix" to match the Active Directory domain name. To change the "Primary DNS suffix":

    1. Right-click "My Computer".
    2. Choose "Properties" from the drop-down menu.
    3. Click the "Network Identification" tab.
    4. Highlight the "Domain", and copy it into your buffer.
    5. Click the "Properties" button.
    6. Click the "More" button.
    7. Paste the domain name into the "Primary DNS suffix of this computer" field.
    8. You will be prompted to reboot your computer.
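
A read-only check of the prerequisites described above (domain membership, primary DNS suffix matching the Active Directory domain name, and the optional "Always wait for the network" policy), as an added example that is not part of the original page or the "reg" file. It assumes PowerShell 2.0 or later; the function names are hypothetical, and the registry values it reads ("NV Domain", "Domain", "SyncForegroundPolicy") are the standard Windows locations for these settings, not values taken from this page.

```powershell
# Added example (not from the original page). Read-only: nothing is modified.

# Hypothetical helper: builds one result row, case-insensitive string comparison.
function New-CheckResult($Check, $Expected, $Actual) {
    New-Object PSObject -Property @{
        Check    = $Check
        Expected = $Expected
        Actual   = $Actual
        Pass     = ($Expected -ieq $Actual)
    } | Select-Object Check, Expected, Actual, Pass
}

# Hypothetical function name; run locally on the workstation being checked.
function Test-PassThruPrereqs {
    # Condition 1: the workstation must be joined to a Windows domain.
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    New-CheckResult 'Domain member' 'True' ([string]$cs.PartOfDomain)

    # Important Note: the primary DNS suffix must match the AD domain name.
    # 'NV Domain' is the configured suffix; 'Domain' is the one in effect,
    # so the two differ between changing the suffix and rebooting.
    $tcpip = Get-ItemProperty `
        'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    New-CheckResult 'Primary DNS suffix (configured)' `
        $cs.Domain ([string]$tcpip.'NV Domain')
    New-CheckResult 'Primary DNS suffix (active)' `
        $cs.Domain ([string]$tcpip.Domain)

    # Optional step 3: "Always wait for the network at computer startup
    # and logon" is stored as SyncForegroundPolicy = 1 when enabled.
    $winlogon = Get-ItemProperty `
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon' `
        -ErrorAction SilentlyContinue
    New-CheckResult 'Always wait for network (optional)' `
        '1' ([string]$winlogon.SyncForegroundPolicy)
}

Test-PassThruPrereqs | Format-Table -AutoSize
```

A failing "configured" row means the suffix still needs to be changed as in steps 1 to 8; a passing "configured" row with a failing "active" row means the reboot in step 8 has not happened yet.
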
Problems with pass-thru logons should be reported to W2kSupport@umich.edu.