ADS/Known Issues
Problem:
User can access a network share on a computer using Windows XP under the INS.CWRU.EDU domain, but can't access the same share under Windows Vista. Any attempt to do so pops up a Windows credentials box.
Solution:
Attempt to log the user directly onto the ADS domain under Windows XP. If you can't, then the passwords are not synched. Have the user change the password on the Case web page and have them check the "synch ads password" box.
Problem: VBScript login scripts to map drives and printers don't work under Windows Vista.
Solution: This is due to the improved security model in Vista. Have the login script create a scheduled task that does the mapping for you.
Problem:
Task Scheduler does not function under ADS. "Incorrect username/password" in System Scheduler Log. It seems the scheduler is trying to authenticate against ADS accounts rather than Case Kerberos accounts.
Note: can anybody verify this is still a problem? I don't see this. beh@case.edu
Solution:
Not known
Problem: Cannot access servers, computers, files/folder shares using VPN/wireless. Can access everything when directly wired.
Solution: Ensure the client's domain is set to cwru.edu, not case.edu.
Change the Windows Firewall settings on the machine functioning as the server. The following is NOT needed for the client (i.e. end users).
1. Make sure the File and Printer Sharing box is checked.
2. Double-click on File and Printer Sharing.
3. Click Change Scope for each TCP port listed.
4. Click Custom List, and type 129.22.0.0/255.255.0.0 in the custom box.
5. Click OK. (Repeat for each TCP port listed.)
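The same scope change done from the command line, as an added example that is not part of this page or of any Case-provided script: it limits File and Printer Sharing on the server to the campus range given above (129.22.0.0/255.255.0.0) instead of leaving it open to any address, and then prints the resulting scope so the change can be verified. The range is the one from the page; the choice between the modern firewall cmdlets and the legacy netsh firewall context is an assumption about which Windows version the server runs (the netsh line alone can be typed at an XP SP2 command prompt).

```powershell
# Added example (not from the ADS wiki page): scope File and Printer Sharing
# on the server to the campus subnet rather than "any address".
# $CampusRange is the value from the page; everything else is assumed.
$CampusRange = "129.22.0.0/255.255.0.0"

if (Get-Command Set-NetFirewallRule -ErrorAction SilentlyContinue) {
    # Windows 8 / Server 2012 and later: scope every rule in the group at once.
    Set-NetFirewallRule -DisplayGroup "File and Printer Sharing" `
        -Enabled True -RemoteAddress $CampusRange

    # Verify: show the remote-address scope now attached to each rule in the group.
    Get-NetFirewallRule -DisplayGroup "File and Printer Sharing" |
        ForEach-Object {
            $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
            "{0,-45} remote={1}" -f $_.DisplayName, ($addr -join ",")
        }
} else {
    # Windows XP SP2 / Server 2003 legacy firewall: the same change via netsh,
    # then a listing so the CUSTOM scope can be checked.
    netsh firewall set service type=FILEANDPRINT mode=ENABLE scope=CUSTOM addresses=$CampusRange profile=ALL
    netsh firewall show service
}
```

Run it in an elevated prompt on the machine that hosts the share, not on the clients. Any rule still reporting `remote=Any` after the change is one the scope did not reach and needs the dialog steps above applied by hand.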
Problem: Computer will not add to ADS; it gives an error that the user name or password doesn't exist or is incorrect, but you know the computer object has been created, the hostname/DNS name and computer name match, and your username and password are correct. Yet the computer will not add to the ADS domain.
Solution:
First, check to make sure the time, time zone, and date are all correct. If the client PC's clock is too far off from the campus Kerberos server's clock you will not be able to join or authenticate to ADS. I do not believe the following solution is required for joining to the domain --beh@case.edu
If the computer is a Windows XP machine:
1. Log in to the machine using an account with local Administrator privileges.
2. Open the Local Security Policy MMC in the Administrative Tools program group.
3. Drill down to Local Policies -> Security Options.
4. Double-click the Network Security: LAN Manager Authentication Level setting.
5. Verify that Send NTLMv2 response only is selected.
6. Open a command prompt and issue the policy refresh command as listed below:
gpupdate
If the computer is a Windows 2000 machine:
1. Log in to the machine using an account with local Administrator privileges.
2. Open the Local Security Policy console in the Administrative Tools program group.
3. Drill down to Local Policies -> Security Options.
4. Double-click the LAN Manager Authentication Level setting.
5. Verify that Send NTLMv2 response only is selected.
6. Open a command prompt and issue the appropriate policy refresh command as listed below:
secedit /refreshpolicy machine_policy
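A pre-join check script, added here as an example and not taken from this page or from any Case-provided tool, that covers the two causes listed above: clock skew against the Kerberos server, and the LAN Manager authentication level (which the "Send NTLMv2 response only" dialog setting stores as LmCompatibilityLevel 3 under HKLM\SYSTEM\CurrentControlSet\Control\Lsa). The domain controller name is a placeholder to replace, the five-minute skew limit is the Kerberos default, and the -DesiredLevel parameter is there so the same check can be run with 2 ("Send NTLM response only") for the Novell clientless-access policy described further down.

```powershell
# Added example (not from the ADS wiki page): check clock skew and the
# LAN Manager authentication level before trying to join a machine to ADS.
# $Dc is a placeholder, not a real host; point it at a domain controller of
# the INS.CWRU.EDU domain (any KDC of the realm will do for the time check).
param(
    [string]$Dc = "dc.example.invalid",  # placeholder, replace before use
    [int]$DesiredLevel = 3,              # 3 = "Send NTLMv2 response only"
    [switch]$Fix                         # set the level and refresh policy
)

# Kerberos rejects tickets when the skew exceeds the realm limit (5 minutes by
# default), so sample the offset to the DC first. w32tm /stripchart prints
# data lines of the form "HH:MM:SS, +00.0012345s"; the regex picks the offset.
$sample = w32tm /stripchart "/computer:$Dc" /samples:1 /dataonly 2>&1 |
    Select-String -Pattern ',\s*([+-]\d+\.\d+)s' | Select-Object -Last 1
if ($sample) {
    $offset = [double]$sample.Matches[0].Groups[1].Value
    if ([math]::Abs($offset) -gt 300) {
        Write-Warning ("Clock is {0:N1}s off from {1}; fix time, time zone and date before joining." -f $offset, $Dc)
    } else {
        Write-Host ("Clock offset to {0}: {1:N3}s (ok)" -f $Dc, $offset)
    }
} else {
    Write-Warning "Could not sample time from $Dc (unreachable, or w32tm output not recognised)."
}

# LmCompatibilityLevel is the registry value behind the
# "Network Security: LAN Manager authentication level" policy.
$LevelNames = @{
    0 = "Send LM & NTLM responses"
    1 = "Send LM & NTLM - use NTLMv2 session security if negotiated"
    2 = "Send NTLM response only"              # the Novell clientless-access setting
    3 = "Send NTLMv2 response only"            # the setting required for joining ADS
    4 = "Send NTLMv2 response only, refuse LM"
    5 = "Send NTLMv2 response only, refuse LM & NTLM"
}
$LsaKey  = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa"
$current = (Get-ItemProperty -Path $LsaKey -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel

if ($null -eq $current) {
    Write-Host "LmCompatibilityLevel is not set; the OS default applies (0 on XP, 3 on Vista and later)."
} else {
    Write-Host ("LmCompatibilityLevel = {0} ({1})" -f $current, $LevelNames[[int]$current])
}

if ($current -ne $DesiredLevel) {
    Write-Warning ("Expected level {0} ({1})." -f $DesiredLevel, $LevelNames[$DesiredLevel])
    if ($Fix) {
        Set-ItemProperty -Path $LsaKey -Name LmCompatibilityLevel -Value $DesiredLevel -Type DWord
        # Refresh policy as the page does (on Windows 2000 use
        # "secedit /refreshpolicy machine_policy" instead).
        gpupdate /target:computer /force
    }
}
```

Run it without -Fix first to see what the machine currently has; a domain GPO that sets the level will overwrite a local change at the next refresh, so if the value keeps reverting, the GPO is the place to correct it.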
Problem: How to setup computers to access Novell servers (such as Pulitzer) using clientless access and ADS.
Solution: Both passwords (Case password and Novell password) must be the same for authentication to the Novell server to work. You must add a Group Policy Object to the OU or group that is set up for the Novell computer users. Create a new Group Policy Object or add to the one previously created. Under Computer Configuration --> Windows Settings --> Local Policies --> Security Options, change the Network Security: LAN Manager authentication level setting to Send NTLM response only.
Then to access Pulitzer, you can go to Run or set up a shortcut that uses pulitzer_w.
Problem: Novell Netware -- INS.CWRU.EDU (Kerberos Realm) unavailable
Solution: To separate the Novell GINA from the Microsoft GINA:
Open the registry editor (Start->Run->regedit.exe). Navigate to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon section. Find the GinaDLL entry, right-click it and choose Modify. Under the Value Data section, change NWGINA.DLL to MSGINA.DLL. Restart the machine. The Microsoft GINA will appear first, then the NetWare GINA.
Problem:
Unable to log into user account after joining ADS
Solution: Reset the user's password with the necessary complexity (8 characters or more, upper and lower case, at least one number, and not similar to previous passwords).
Problem:
Windows XP clients keep receiving the message "windows needs your current credentials".
Solution: In your group policy, turn on Computer Configuration -> Administrative Templates -> System -> Logon -> "Always wait for the network at computer startup and logon".
Problem:
Laptop users cannot log in when not connected to the network.
Solution: Apply the Kerberos fix: Microsoft Hotfix KB825081. Note that this is part of Windows XP Service Pack 2. However, the "Always wait for the network at computer startup and logon" setting may be quite helpful for laptops and other devices which aren't always connected to the wired network.
Problem: ADS Users cannot properly authenticate/access file/printer shares on another ADS system.
Solution: Apply the Kerberos fix: Microsoft Hotfix KB825081. Note that this is part of Windows XP Service Pack 2.
Problem:
XP system boots terribly slowly and hangs for minutes at "Applying Computer Settings". Event IDs 1053 and 1054 from Userenv appear in the Event Log.
Solution: Apply Microsoft Hotfix KB329457. Note that this is part of Windows XP Service Pack 2.
Problem:
Slow boot time on an XP system, but only when the system is not connected to the wired Case network (i.e. connected by wire at home, or wireless anywhere).
Solution: Do not connect to any wireless network or a non-Case wired network until the system is on and logged in. Turn wireless off prior to shutting the system down, and turn it back on only once you are logged in. If off-site, plug in a wired network only after the system is logged in. See note about "Always wait for the network at computer startup and logon." for how to reduce the lag time when not on the wire.
Problem:
Macintosh and Linux computers cannot access a Windows file share on the NAS using CIFS.
Solution: EMC does not support Mac clients. EMC does not support Linux clients accessing the NAS using CIFS. Testing shows that Mac OS X and Linux clients can access it using smbclient and Active Directory service accounts instead of Kerberos accounts. Case users who synch their Kerberos password to Active Directory can use their Kerberos account.
Problem:
Access to files on network shares is slow. Network drives show status of disconnected, will not reconnect, and cannot be deleted.
Solution: Ensure that all network shares and drives use the server Fully Qualified Domain Name not the server shortname. For complete details, see ADS Connecting to Network Shares.
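A small audit for the condition above, added as an example and not part of this page or of the ADS documentation it links to: it lists the mapped drives on a client and flags any whose server part is a short name rather than a fully qualified domain name, since those are the mappings that go slow, show as disconnected and fail to reconnect. The live data comes from the Win32_NetworkConnection WMI class; the two sample rows are constructed so the script also runs on a machine with no mappings, and the server names in them are made up.

```powershell
# Added example (not from the ADS wiki page): find mapped drives that use a
# server short name instead of the FQDN. Sample rows below are constructed.
function Get-ShortNameMappings {
    param([object[]]$Connections)
    foreach ($c in $Connections) {
        # RemoteName is \\server\share; capture the server component.
        if ($c.RemoteName -match '^\\\\([^\\]+)\\') {
            $server = $Matches[1]
            [pscustomobject]@{
                Drive    = $c.LocalName
                Server   = $server
                Status   = $c.Status
                UsesFqdn = ($server -like '*.*')   # a dot means it is qualified
            }
        }
    }
}

# Constructed sample rows with the same property names as Win32_NetworkConnection
# (server names are placeholders, not real hosts).
$sample = @(
    [pscustomobject]@{ LocalName = 'H:'; RemoteName = '\\files\home';                    Status = 'Disconnected' }
    [pscustomobject]@{ LocalName = 'S:'; RemoteName = '\\files.example.invalid\shared';   Status = 'OK' }
)

# Prefer the real mappings when the machine has any; fall back to the sample.
$live = Get-CimInstance Win32_NetworkConnection -ErrorAction SilentlyContinue
$rows = Get-ShortNameMappings -Connections $(if ($live) { $live } else { $sample })

$rows | Format-Table -AutoSize
$rows | Where-Object { -not $_.UsesFqdn } | ForEach-Object {
    Write-Warning ("{0} is mapped to \\{1}\... by short name; remove it and remap with the server's FQDN (net use {0} /delete, then net use {0} \\{1}.<domain>\<share> /persistent:yes)." -f $_.Drive, $_.Server)
}
```

With the constructed rows, H: is reported because `files` has no domain suffix, while S: passes. The `<domain>` and `<share>` in the warning are placeholders for the server's real DNS suffix and share name.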