3.6. Obtaining AFS Tokens as an Integrated Part of Windows Logon

OpenAFS for Windows installs a WinLogon Network Provider to provide Single Sign-On functionality (aka Integrated Logon). Integrated Logon can be used to obtain AFS tokens when the Windows username and password match the username and password associated with the default cell's Kerberos realm. For example, if the Windows username is "jaltman" and the default cell is "your-file-system.com", then Integrated Logon can be successfully used if the Windows password matches the password assigned to the Kerberos principal "jaltman@YOUR-FILE-SYSTEM.COM". The realm "YOUR-FILE-SYSTEM.COM" is obtained by performing a domain name to realm mapping on the hostname of one of the cell's Volume Database servers.
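The following is an added example, not OpenAFS code, that shows which Kerberos principal Integrated Logon ends up trying to authenticate: it reads the cell's database servers from a constructed CellServDB fragment and applies the domain-name-to-realm mapping described above. The optional `domain_realm` table, the cell names and the hostnames are assumptions made for the example; the default mapping used when no table matches is the conventional "uppercase the server's parent domain" rule.

```python
# Added example (not OpenAFS code): compute the principal "user@REALM" that
# Integrated Logon will use, given the Windows username, the default cell and
# the hostnames of that cell's Volume Database servers.
from typing import Dict, List, Optional

# Constructed CellServDB fragment in the OpenAFS format: a ">cell #comment"
# line followed by "ip #hostname" lines for that cell's database servers.
CELLSERVDB = """\
>your-file-system.com   #Cell whose servers live under the cell's own domain
192.0.2.10              #afsdb1.your-file-system.com
192.0.2.11              #afsdb2.your-file-system.com
>other.example          #Cell whose servers live in a different DNS domain
198.51.100.5            #db.corp.example.net
"""

def vldb_hosts(cellservdb: str, cell: str) -> List[str]:
    """Return the database-server hostnames listed under `cell`."""
    hosts, in_cell = [], False
    for line in cellservdb.splitlines():
        if line.startswith(">"):
            in_cell = line[1:].split()[0].lower() == cell.lower()
        elif in_cell and "#" in line:
            hosts.append(line.split("#", 1)[1].strip().lower())
    return hosts

def domain_to_realm(hostname: str, domain_realm: Optional[Dict[str, str]] = None) -> str:
    """Map a hostname to a realm. An explicit table (hypothetical, shaped like a
    krb5 [domain_realm] section, longest matching suffix wins) takes priority;
    otherwise the host's parent domain, upper-cased, is used as the realm."""
    host = hostname.lower()
    if domain_realm:
        for suffix in sorted(domain_realm, key=len, reverse=True):
            key = suffix.lower().lstrip(".")
            if host == key or host.endswith("." + key):
                return domain_realm[suffix]
    return host.split(".", 1)[1].upper() if "." in host else host.upper()

def integrated_logon_principal(user: str, cell: str, cellservdb: str,
                               domain_realm: Optional[Dict[str, str]] = None) -> str:
    """Principal whose password must equal the Windows password for the logon to succeed."""
    hosts = vldb_hosts(cellservdb, cell)
    if not hosts:
        raise ValueError(f"cell {cell!r} has no database servers in CellServDB")
    return f"{user}@{domain_to_realm(hosts[0], domain_realm)}"
```

Note that for the second cell the derived realm (CORP.EXAMPLE.NET) differs from the cell name, so a Windows password matching jaltman@OTHER.EXAMPLE would not be enough unless the mapping table points the servers' domain at that realm.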

Integrated Logon is required if roaming user profiles are stored within the AFS file system. OpenAFS does not provide tools for synchronizing the Windows and Kerberos user accounts and passwords. Integrated Logon can be enabled or disabled via the LogonOptions registry value.

When KFW is configured, Integrated Logon will use it to obtain tokens. Use of KFW for Integrated Logon can be disabled via the EnableKFW registry value.

Integrated Logon will not transfer Kerberos v5 tickets into the user's logon session credential cache. This is no longer possible on Vista and Windows 7.

Integrated Logon does not have the ability to cache the user's username and password for the purpose of obtaining tokens if the Kerberos KDC is inaccessible at logon time.

Integrated Logon supports the ability to obtain tokens for multiple cells. For further information on how to configure this feature, read about the TheseCells value.