Active Directory - Configuring Windows for LOGIN.WISC.EDU Login
To configure a Windows workstation joined to the Campus Active Directory to authenticate a NetID, the LOGIN.WISC.EDU domain must be made available via a registry edit. Additionally, Windows 7 machines must have encryption types enabled for Kerberos authentication.
Adding the LOGIN.WISC.EDU Domain to the Registry
A group policy has been provided that can make the registry edit when applied to a computer. The group policy object is named AD-Add LOGIN.WISC.EDU Domain. If you are unsure how to work with group policies, please see Active Directory - Group Policy Management.
Removal: Unlinking the "Add LOGIN.WISC.EDU Domain" GPO from an OU will remove the registry change from all computers within the OU.
Manually Adding Registry Key
If you prefer not to use an Active Directory group policy to make the necessary registry change in order to use the LOGIN.WISC.EDU domain, you can manually edit the registry. Warning: Incorrectly modifying the registry can cause serious errors, including rendering it inoperative! Please proceed with caution.
- Log in as an Administrator to the machine whose registry you want to modify.
- Open the Registry Editor by clicking Start, then Run..., and typing regedit.
- Optional: Back up a copy of the registry by clicking File > Export... and saving the backup to your disk.
- In the left pane, navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains.
- Right-click the Domains key and select New > Key. A new key will appear under Domains.
- Name the new key LOGIN.WISC.EDU. The key should not have a value associated with it. The full path of the new key should be: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains\LOGIN.WISC.EDU.
- Exit the Registry Editor and restart your computer.
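The manual steps above can also be scripted and checked. The following PowerShell is an added example, not part of the original article or a tool provided by Campus Active Directory; the backup file location is an assumption chosen for the example.

```powershell
# Added example: scripted form of the manual registry steps above.
# Run it on the workstation whose registry you want to modify.
$ErrorActionPreference = 'Stop'

$kerberosKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos'
$domainsKey  = Join-Path $kerberosKey 'Domains'
$realmKey    = Join-Path $domainsKey 'LOGIN.WISC.EDU'
# Assumption: backup location picked for this example.
$backupFile  = Join-Path $env:TEMP 'Lsa-Kerberos-backup.reg'

# Writing under HKEY_LOCAL_MACHINE needs an elevated administrator session.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated (Administrator) PowerShell session.'
}

# Optional backup step: export the Kerberos subtree before changing it.
if (Test-Path $kerberosKey) {
    & reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos' $backupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Registry export to $backupFile failed." }
}

# Create Domains\LOGIN.WISC.EDU only when it is missing, so that running the
# script again never recreates (and thereby clears) a key that already exists.
if (-not (Test-Path $domainsKey)) { New-Item -Path $domainsKey -Force | Out-Null }
$created = $false
if (-not (Test-Path $realmKey)) {
    New-Item -Path $realmKey | Out-Null
    $created = $true
}

# Verify the result: the article says the key should have no value.
$key = Get-Item -Path $realmKey
if ($key.ValueCount -ne 0) {
    Write-Warning "Key has $($key.ValueCount) value(s); it should have none."
}

if ($created) {
    Write-Output "Created $realmKey. Restart the computer to finish."
} else {
    Write-Output "$realmKey already exists; nothing was changed."
}
```

The script does not restart the machine; restart it afterwards as in the last manual step.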
Enabling Encryption Types (Windows 7 Only)
Windows 7 includes changes to Kerberos authentication that, by default, disable encryption types needed for Kerberos. A group policy has been created that will enable these encryption types on any Windows 7 machine. This is required in order for authentication requests against LOGIN.WISC.EDU to succeed.
Additional information about these changes can be found in the following Microsoft support document: The security principals and the services that use only DES encryption for Kerberos authentication are incompatible with the default settings on a computer that is running Windows 7 or Windows Server 2008 R2
The Group Policy Object is named AD-Enable Encryption Types for Kerberos (Windows 7 Only). If you are unsure how to work with group policies, please see Active Directory - Group Policy Management.
Supply your username as: LOGIN.WISC.EDU\netid (where netid is your NetID). LOGIN.WISC.EDU must be in all capital letters.
Authenticating Other Services: When authenticating a NetID with a service hosted on another machine joined to the Campus AD, the machine must be specified with the fully-qualified domain name assigned to it by Campus AD. This will look like xxx.ad.wisc.edu or xxx.adtest.wisc.edu, where xxx is the machine name specified when joining. Additionally, the NetID must be supplied as LOGIN.WISC.EDU\netid where netid is the user's NetID.
Important: As of April 1st, 2016, xxx.qa.ad.wisc.edu will need to be used instead of xxx.adtest.wisc.edu.
Tip: You can use Active Directory group policy to modify the Windows login screen for computer lab use, including setting the default domain name, clearing last login, and setting a message to be displayed. For more information, view our Useful Group Policies for Computer Labs article in the Campus Active Directory Wiki.
Note: The screenshots pictured here are from Windows 7 and 10.