3.6. Obtaining AFS Tokens as an Integrated Part of Windows Logon

OpenAFS for Windows installs a WinLogon Authentication Provider to provide Single Sign-On functionality (aka Integrated Logon). Integrated Logon can be used to obtain AFS tokens when the Windows username and password match the username and password associated with the default cell's Kerberos realm. For example, if the Windows username is "jaltman" and the default cell is "your-file-system.com", then Integrated Logon can be successfully used if the Windows password matches the password assigned to the Kerberos principal "jaltman@YOUR-FILE-SYSTEM.COM". The realm "YOUR-FILE-SYSTEM.COM" is obtained by performing a domain name to realm mapping on the hostname of one of the cell's Volume Database servers.

Integrated Logon is required if roaming user profiles are stored within the AFS file system. OpenAFS does not provide tools for synchronizing the Windows and Kerberos user accounts and passwords. Integrated Logon can be enabled or disabled via the LogonOptions registry value.

When Heimdal or KFW is installed, Integrated Logon will use it to obtain tokens using Kerberos v5. If you must use the deprecated kaserver for authentication instead of Kerberos v5, the use of KFW can be disabled via the EnableKFW registry value.

Integrated Logon will not transfer Kerberos v5 tickets into the user's logon session credential cache. This is no longer possible on Vista and Windows 7.

Integrated Logon does not have the ability to cache the username and password for the purpose of obtaining tokens if the Kerberos KDC is inaccessible at logon time.

Integrated Logon supports the ability to obtain tokens for multiple cells. For further information on how to configure this feature, read about the TheseCells registry value.

Depending on the configuration of the local machine, it is possible for logon authentication to complete with one of the following user account types:

  • Local Machine Account (LOCALHOST domain)

  • Domain or Forest Account

  • Domain or Forest Account NETBIOS-compatible name

  • Kerberos Principal mapped to a local or domain or forest account

For each "domain" context, the following properties are configurable:

  • Obtain AFS Tokens at Logon

    • Yes

    • No

  • Alternate Kerberos Realm Name - combined with the username to construct a Kerberos principal

  • TheseCells - A list of cell names other than the workstation cell for which tokens should be obtained

  • Fail Logons Silently

    • Yes

    • No

  • Logon Script to Execute

  • Logon Retry Interval

  • Logon Sleep between Failure Interval

Within a "domain" context it is often desirable to apply alternate rules for a particular user. The rules can include a username substitution.

  • Obtain AFS Tokens at Logon

    • Yes

    • No

  • Alternate User Name

  • Alternate Kerberos Realm Name - combined with the username to construct a Kerberos principal

  • TheseCells - A list of cell names other than the workstation cell for which tokens should be obtained

  • Fail Logons Silently

    • Yes

    • No

  • Logon Script to Execute

  • Logon Retry Interval

  • Logon Sleep between Failure Interval

The configuration hierarchy is specified in the registry under the HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain key. For example:

  • ...\NetworkProvider\Domain\LOCALHOST\

  • ...\NetworkProvider\Domain\LOCALHOST\Administrator\

  • ...\NetworkProvider\Domain\AD\

  • ...\NetworkProvider\Domain\AD.EXAMPLE.ORG\

From the perspective of configuration, the full domain name and the NETBIOS-compatible name are separate entities.
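The following PowerShell script is an added example, not part of the OpenAFS documentation or distribution. It walks the Domain hierarchy described above (one record per domain context and per user override beneath it), prints the Integrated Logon settings found at each level, and flags the two settings an administrator reviewing a workstation most wants to see: suppressed logon failures and principal substitution. LogonOptions and TheseCells appear on this page; the other value names (FailLoginsSilently, LogonScript, LoginRetryInterval, LoginSleepInterval, Realm, Username) are assumed registry spellings of the properties listed above, taken from memory of OpenAFS's registry.txt, and should be verified against the release in use.

```powershell
# Added example (not OpenAFS's own code): read-only audit of the Integrated Logon
# configuration hierarchy under NetworkProvider\Domain.
# Assumption: value names other than LogonOptions and TheseCells are recalled from
# OpenAFS's registry.txt and must be checked against the installed release.
# Run from an elevated PowerShell on a workstation with the OpenAFS client installed.

$DomainRoot  = 'HKLM:\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain'
$KnownValues = 'LogonOptions', 'FailLoginsSilently', 'LogonScript',
               'LoginRetryInterval', 'LoginSleepInterval', 'TheseCells', 'Realm', 'Username'

function Get-AfsLogonValues {
    # Return only the known Integrated Logon values that are actually set at one key.
    param([Parameter(Mandatory)][string]$Path)
    $props  = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    $result = [ordered]@{}
    if ($null -eq $props) { return $result }
    foreach ($name in $KnownValues) {
        if ($null -ne $props.PSObject.Properties[$name]) {
            $result[$name] = $props.$name
        }
    }
    return $result
}

function Get-AfsLogonHierarchy {
    # Walk Domain\<domain>[\<user>] and emit one record per configuration context.
    if (-not (Test-Path $DomainRoot)) {
        Write-Warning "No Domain hierarchy found at $DomainRoot"
        return
    }
    foreach ($domainKey in Get-ChildItem -Path $DomainRoot) {
        [pscustomobject]@{
            Context  = $domainKey.PSChildName        # e.g. LOCALHOST, AD, AD.EXAMPLE.ORG
            User     = $null
            Settings = Get-AfsLogonValues -Path $domainKey.PSPath
        }
        foreach ($userKey in Get-ChildItem -Path $domainKey.PSPath) {
            [pscustomobject]@{
                Context  = $domainKey.PSChildName
                User     = $userKey.PSChildName      # per-user override, e.g. Administrator
                Settings = Get-AfsLogonValues -Path $userKey.PSPath
            }
        }
    }
}

function Show-AfsLogonReview {
    foreach ($entry in Get-AfsLogonHierarchy) {
        $label = if ($entry.User) { "$($entry.Context)\$($entry.User)" } else { $entry.Context }
        Write-Host "== $label"
        foreach ($kv in $entry.Settings.GetEnumerator()) {
            # TheseCells is a multi-string; join it for display.
            $value = if ($kv.Value -is [array]) { $kv.Value -join ', ' } else { $kv.Value }
            Write-Host ("   {0,-20} {1}" -f $kv.Key, $value)
        }
        # Silent failures hide KDC-unreachable and password-mismatch problems from the user,
        # so token problems surface only in the client logs.
        if ($entry.Settings['FailLoginsSilently'] -eq 1) {
            Write-Host '   note: logon failures are suppressed here; check the AFS client logs instead'
        }
        # A Username or Realm substitution changes which Kerberos principal a Windows
        # logon is mapped to; each such mapping should be intentional and documented.
        if ($entry.Settings.Contains('Username') -or $entry.Settings.Contains('Realm')) {
            Write-Host '   note: principal substitution in effect; confirm the mapping is intended'
        }
    }
}

Show-AfsLogonReview
```

Because the full domain name and the NETBIOS-compatible name are separate keys, both appear as separate contexts in the output (for example AD and AD.EXAMPLE.ORG); an audit should confirm that the two carry the settings the administrator expects, since an account may match either depending on how the user typed the logon name.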