Current Version: OpenAFS 1.2.11
Client available from: http://www.unc.edu/atn/dci/install/win/download/
The following is a list of the most frequently asked questions regarding the OpenAFS client on Windows 2000/XP/NT. Please direct comments, suggestions, or questions not included here to firstname.lastname@example.org.
ATN has discontinued support for the older version, IBM/Transarc AFS 3.6. The newer version, OpenAFS, has proved to be more functional and generally easier to support. If you have a problem with the IBM/Transarc version (see below for how to determine your version) we recommend uninstalling, rebooting, and installing the new version, OpenAFS.
Some sections of this document assume you have read and attempted to perform the steps in the ATN documentation for the AFS client, and have some basic familiarity with AFS:
Introduction to AFS: http://help.unc.edu/?id=215
Installing the AFS Client on Windows: http://help.unc.edu/?id=134
General help on supported versions of the AFS client can always be obtained from the ATN IT Response Center (ITRC):
email@example.com or 962-HELP
NOTE: A high percentage of AFS-related problems stem from the absence of a token. If you experience a problem, re-authenticate with the AFS Authentication applet (the padlock icon in the system tray) and attempt the failed operation again. Re-authenticating solves many common issues.
The AFS client for Windows requires an Intel-based PC running one of the following operating systems, with TCP/IP networking capabilities, the Client for Microsoft Networks, NetBIOS-over-TCP (NetBT) enabled, and correctly-configured DNS:
Microsoft Windows 2000
Windows XP Professional
Microsoft Windows NT 4.0, Service Pack 6 or higher
Currently, there is no supported, native client for non-UNIX operating systems other than Windows XP/2000/NT4. ATN does not support the AFS gateway feature that gives Win9x clients (by proxy) access to AFS space. This solution requires a higher level of support and will not scale to the needs of our campus environment, and is, therefore, unsupported.
Q: What versions of the AFS Client for Windows are supported at UNC Chapel Hill?
A: The current supported version of OpenAFS is 1.2.11, however, due to incompatibilities with Windows XP Service Pack 2 (SP2) a newer/compatible version (OpenAFS 1.3.70) is being evaluated.
The current AFS client standard for Windows is based on OpenAFS instead of the IBM/Transarc version that we’ve used for years. The reason for the shift to open source software is because IBM does not offer a client compatible with Windows XP Professional, and also so that we could maintain the code internally, allowing us to address bugs or other issues much more rapidly.
Q: Where can I obtain the most recent version of the AFS Client for Windows?
A: Documentation on obtaining, installing and configuring the client is available here:
The installer is available for download from the following location:
Q: I am running Windows XP with Service Pack 2 (SP2) installed. I sometimes experience hangs when logging in after I start the system. Also, if I don’t access an AFS-mounted drive for a long period of time, I am then unable to open files on that drive.
A: At this time a new, Windows XP SP2 release of the OpenAFS Client is being evaluated for release. There are known issues with this OS and the current UNC release of OpenAFS (1.2.11). Until this new release is available, there are a couple work-arounds for the hang-on-logon symptom. After switching on your system, wait approx 20 seconds (varies with system) before entering your credentials and attempting the logon. When the system shows the hanging behavior, press ctrl-alt-delete to resume the normal login sequence (this will prevent integrated login from succeeding, however)
The other symptom, inability to access files after long periods of inactivity, is related to the Windows Firewall, a new feature added in SP2. When you install Windows XP SP 2, the Windows Firewall is enabled by default. For releases of OpenAFS prior to 1.3.70, the default Windows Firewall settings will interfere with operations of the AFS client. To configure the Windows Firewall for older versions of AFS:
1. On the computer running Windows XP w/SP2, in the Control Panel open Windows Firewall
2. On the Exceptions tab click
3. Enter these values:
a. Name: AFS callback
b. Port Number: 7001
4. Click Ok and close.
Q: I am trying to upgrade to the latest OpenAFS client; I uninstalled the older version on my system (per the instructions), but the installer for the newer version fails with ‘error 1608: Unable to create InstallDriver instance’ before completing.
A: The most likely cause is of this symptom is related to a bug in some recent versions of the OpenAFS client installer. The underlying cause relates to a file ‘ISScript.msi’. The solution to this problem is best addressed with the aid of the
ATN IT Response Center (ITRC):
firstname.lastname@example.org or 962-HELP
The procedure is as follows:
- Launch the utility. Note there is a single window with a list of installed programs.
- Highlight *only* the entry named “ISScript” and click the “Remove” button.
- Retry the OpenAFS client installer.
- Uninstall the Windows Installer Clean-up utility
Q: I've had AFS installed for a long time and just decided to start using it, but the AFS service won't start.Why?
A: If all other applications work fine but you're having difficulty getting AFS to start after either never having used it or after not using it for some time, it is possible that your C: drive is almost full. AFS claims 64MB of disk space for its cache when it starts. The cache, be default, is located on the same partition as Windows. If insufficient disk space exists, the cache file cannot get created and AFS won't start. You can remedy this by moving the cache location to another partition with more space via the AFS Client Configuration control panel, or by clearing some disk space on your system drive. Often, the quickest way to clear disk space on C: is to move the virtual memory file over to another partition.
Q: When I change my IP address, change network adapters (from cabled to wireless, for example), or disconnect from the network with AFS running, the afsd_service.exe process starts using 99% of the computer's processor. Why?
A: A bug in AFS Version 3.6, build 2.5 makes the AFS service use 99% of the computer's processor when a network disconnect is detected. The problem is usually seen on laptop computers running older versions of AFS since desktop computers usually stay connected to the network. To fix this issue, install the current version of OpenAFS.
Q: Does the AFS Client for Windows work with Windows XP Pro?
A: Yes. The previous version (IBM AFS Client for Windows) was not supported by IBM/Transarc or ATN. Now that we have switched to OpenAFS, the AFS software works with XP Pro, 2000 and NT 4.0.
Q: When I try to install AFS, the installer fails with the error code: 'Error 1607: Unable to install InstallShield Scripting Runtime'. What's going on?
A: This is a general error that could indicate one of the following:
1. The installer can't write temporary files. Right click the 'My Documents' folder on the desktop (or in the Start menu) and get Properties on it. Make sure the path shown for 'Target folder location' exists and is writeable. (For those of you that are more technical, the corresponding registry location is HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal. If you need to alter this path to an appropriate value, you must reboot your system and start the AFS installer again.
2. You may need a more recent version of isscript.msi (the installer "engine"). You can do so here:
Q: During installation of OpenAFS on my Windows NT 4.0 system, it warns that I should have Service Pack 6 installed. Where can I get Service Pack 6 for Windows NT 4.0?
Q: I enabled the Integrated Login feature, but now it takes a long time to log into Windows, and I don't get AFS tokens. Why?
A: The Integrated Login feature only works if the AFS Client service is set to start automatically. By default, the service is not set to automatically start during installation because I high percentage of our clients use laptops. Since it's not possible to get tokens with the service stopped, integrated login fails. For integrated login to work, your login and password must be the same as your Onyen, and the service must be set to start automatically. This can be done with the AFS Authentication applet (Start -> Programs -> OpenAFS -> Client -> Authentication) or in the Services control panel.
Q: Remote Access: Does the AFS client work over a Point-to-Point (PPP) connection (Mindspring, AOL, etc.), Digital Subscriber Line (DSL), or cable modem?
A: Because of the wide variety of hardware and software firewall products, ATN does not support the AFS Client for Windows when being used in a location other than the UNC campus network. This is not to say that it won't work, but only that it's impossible for ATN support staff to support all combinations of hardware, software and ISP configurations.
The current AFS Client does technically function over a PPP (dialup) or higher bandwidth connection. The limited bandwidth of a dialup PPP connection means that performance will be much lower than what you experience on the campus network.
DSL and cable modems have been tested and may technically work in your configuration. However, problems may arise related to a particular service provider, such as a particularly restrictive network firewall.
Additionally, if you are using a home hardware or software security product (firewall), you may experience connectivity problems. The AFS Client for Windows requires communications over ports 750 and 7001 (UDP), which may be blocked by default by your firewall product.
Q: Does the AFS Client for Windows work with a wireless network card?
A: Yes. It should be noted that users swapping between multiple network cards may experience problems if they have applications open and access files in AFS during the switch. We suggest closing any applications that are accessing AFS and saving data before performing a card switch. Restarting the AFS Client with the Authentication applet or Services control panel is usually necessary in these cases.
Q: Will the AFS client work if I am using the Dynamic Host Configuration Protocol (DHCP) to obtain my IP address?
A: Yes, and this is the preferred method. If you are changing your network card's TCP/IP properties from a static configuration to DHCP, make sure the Default Gateway field is blank. If the Default Gateway field in the TCP/IP Properties dialog box has a value, it will override the DHCP setting.
Q: The AFS Client won't start, or tokens can't be obtained, although the client appears to have started?
A: The AFS Client service may fail to start for several reasons. Each is explained in detail below.
1. Client for Microsoft Networks not installed
The Client for Microsoft Networks must be installed for the AFS client to function. You can verify whether or not the Client for Microsoft Networks is installed by doing one of the following:
Windows NT 4.0: go to Control Panels, Network and look in the Services tab
Windows 2000/XP: go to Network Connections and get Properties on the active network adapter
If it is not installed, you can install it (given that you have administrative rights on the machine) by clicking Add or Install, depending on the operating system you’re running.
2. Clock skew
The AFS client uses a network authentication protocol called Kerberos. A Kerberos server issues "tickets" that are then used to grant authorization to various resources, including email and the AFS filesystem itself.
The tickets issued by Kerberos expire after a certain interval, usually 25 hours.
Therefore, the clock of your computer must be synchronized with the AFS servers themselves so that they can obtain valid tickets.
SocketWatch, a fully-supported time synchronization utility licensed by UNC Chapel Hill, can assist with time synchronization on Windows platforms, and is available here:
Clock skew problems can manifest themselves in ways that are not obviously clock skew (that is, the error message may not tell you that it's clock skew causing your problem). ATN recommends always checking for clock skew first as you begin troubleshooting.
3. Incorrect database server entries
The hostnames or addresses of the AFS database servers (required for communication with the AFS filesystem) may be set incorrectly, or not set at all.
The installation routine should set these values correctly during installation. If this did not occur for some reason, such as being unable to execute vbscript, you may have to manually install the file containing the proper entries. To resolve a problem with incorrect database server entries, replace the afsdcell.ini in the C:\WINNT directory with the latest version, which can be FTP'ed form the following location:
You can also configure the cell manually in the AFS Client Configuration control panel, although we recommend obtaining the latest afsdcell.ini file, as described above. For the isis.unc.edu AFS cell, the hostnames required for the client configuration are:
The AFS Client for Windows can automatically look up the IP addresses associated with these hostnames. You should never enter a static IP address in these fields; if you do so, and the IP addresses of the database servers change, the client will fail to start again.
4. Insufficient administrative privilege to start services
If you do not have the rights on your Windows machine to start and stop Windows Services, and the client was initially installed not to start automatically, you may not have the rights to start the client. In this case, your departmental computer administrator would need to modify the startup parameters for you so that the IBM AFS Client service starts automatically, or give you rights to do so yourself.
5. Insufficient filesystem rights to create the AFSCache file.
The first time the AFS Client is started, a file called AFSCache is created in one of the two following locations by default:
C:\WINNT\AFSCache (Windows 2000 and NT 4.0)
C:\WINDOWS\AFSCache (Windows XP Professional)
If the SYSTEM entity does not have the "Write" privilege in these locations, the AFS service will be unable to create the cache file, and the service will fail to start. The AFSCache file is required for the AFS Client to operate. If your client is failing to start and no AFSCache file exists, make sure the SYSTEM user has "write" rights to C:\ or C:\WINNT.
6. Non-matching machine and DNS names (Windows NT 4.0 only)
Ensure that the NetBIOS name (also known as the machine name, or Computer Name in the Identification tab of the Network control panel) matches the DNS name ("Hostname" in the DNS tab of the TCP/IP Properties dialog box). These values must be identical for the client to work. Case is unimportant for the NetBIOS name.
NOTE: It is NOT essential that the DNS name of the machine be officially registered with UNC's domain name servers (email@example.com) for the AFS client to work, although registration is recommended. This solution only applies to Windows NT 4.0; Windows 2000 is not affected.
7. A duplicate NetBIOS name exists on the network.
NetBIOS names must be unique for Windows Networking, upon which the AFS client depends, to properly function. A duplicate NetBIOS name may generate the following entry in the computer's event log:
The description for Event ID ( 5464 ) in Source ( AFS Client) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. The following information is part of the event: Error at file smb.c, line 5464: Failed to add our server name 'MACHINENAME-AFS' to any lan adapters."
Normal NetBIOS names can be 15 characters long; additional characters are ignored. For instance, the names LAB_MACHINE_1000 and LAB_MACHINE_1001 would conflict.
The AFS Client places an additional restriction on this already limited nomenclature in that it appends the string "-AFS" to the NetBIOS name of the machine. Therefore, machines using AFS must have unique names of no more than 11 characters.
For example, if we have two machines with names of 15 characters each that would otherwise be unique (for instance, LAB_MACHINE_001 and LAB_MACHINE_002), installing the AFS client on each machine will create a NetBIOS name for AFS access by truncating the last four letters: LAB_MACHINE-AFS. Since this name will be present on both machines, the second machine's AFS Client will fail to start since the name will not be unique.
Q: I'm using the AFS client on a laptop, and it seems to have problems after suspending or hibernating. What is the problem?
A: Unfortunately, the current implementation of the AFS Client software for Windows does not support suspend or hibernate modes of operation. This is because constant communication between the AFS client software and the AFS servers is required for proper operation, and suspending or hibernating your laptop breaks the communication, which then must be reestablished by restarting the service. You must close any open files residing in AFS space and manually stop the AFS service before suspending or hibernating your laptop to avoid the possibility of data loss.
Q: The AFS Client is working, but it seems slow at times. What could be the problem?
A: Aside from occasional network or file server glitches, the most likely cause of this problem is an exceptionally lengthy PATH variable. Any time you issue a command in Windows, it traverses the PATH to look for the command you issued. If you have installed applications that append to the path, you could see AFS Client latency as it attempts to locate the program you have requested. It is important to have the PATH to the AFS Client binaries ahead of the PATH entries for AFS applications. NOTE: modifying the PATH incorrectly can cause serious system problems. Be sure you understand the implications of modifying the PATH variable before doing so. Contact the ITRC at firstname.lastname@example.org or 962-HELP if you have questions about how to correctly set your PATH variable.
Q: The AFS Client Configuration control panel is slow to open, or doesn't open at all. What could be the problem?
A: This problem is also indicative of the PATH entries for the AFS Client being placed too far down the PATH. See the discussion in the previous question for a solution.
Q: Can I use the AFS Client with Windows XP/2000's Offline Files & Folders feature?
A: No. We have seen consistent problems with the AFS Client software when used in conjunction with Micrsoft's Offline Files & Folders feature. It is recommended that you do not use this feature to cache files located in AFS for offline use.
Q: None of the recommended solutions fixes my problem. What can I do?
A: Prior to contacting the ITRC for assistance, you may want to try a clean reinstallation of the AFS Client, especially if the failure occurred following an upgrade of the Client. To completely remove the AFS Client in preparation for a clean reinstallation, follow this procedure:
1. Perform the uninstallation routine using the Add/Remove Programs control panel.
2. Using the Regedit utility, completely remove the following registry keys and all subkeys. Only perform this operation if you are comfortable modifying the registry as errors could render your system unusable:
3. Delete the directory tree containing the AFS Client installation. In version 1.2.300 or later, the default installation location is: C:\Program Files\OpenAFS
4. If present, delete the following files
C:\AFSCache or C:\WINNT\AFSCache
If, following a clean reinstallation, the client still fails to start, contact the ITRC at email@example.com or 962-HELP.
Q: How do I uninstall the AFS Client?
A: See question above.
Q: I noticed that the following ACL (access control list) entry exists on my home directory. Why?
A: An "l" access control list entry on a directory allows the associated group to list, but not read, the files in that directory. This is the default on the isis.unc.edu cell, and is desirable for several reasons, among them being that in order to map a network drive to an AFS directory under Windows, the "l" ACL entry must be present on that directory.
A subdirectory called "private", which is readable only by the owner of the directory, is automatically created for each user. We suggest using this directory to store sensitive data.
Q: I would like to use the AFS client in a "kiosk" configuration. Is it possible to set up my machine so that any AFS user can log in and access their home directory without actually creating those users via the Windows Computer Management utility?
A: The DCI group has compiled a customized GINA (Graphical Identification and Network Authorization) module specifically for this purpose.
This module replaces the standard Windows logon DLL (Dynamically Linked Library), msgina.dll. This is equivalent to replacing the standard Windows logon screen.
If you would like assistance determining whether the customized UNC GINA would fit your needs, or if you are interested in using the GINA, please contact the DCI group at firstname.lastname@example.org.
Q: When a user logs into one machine in my Windows domain, AFS drive mappings work, but when they log into a different machine in the same domain, the drive mappings fail. Why?
A: Windows network drive mappings are usually set by a logon script from a domain controller and therefore follow the user from machine to machine within a given domain. AFS drive mappings, however, are always referenced by a UNC (universal naming convention) path in the following form: \\machine_name-afs\sharename. An example of this is \\snoopy-afs\home. You can view your current drive mappings via the following command, issued from a Command Prompt:
C:\> net use
You should see output similar to the following:
New connections will be remembered.
Status Local Remote Network
OK H: \\SNOOPY-AFS\home Microsoft Windows Network
OK J: \\SNOOPY-AFS\all Microsoft Windows Network
The command completed successfully.
It should be obvious that these drive mappings will work if the user logs into the machine called snoopy.
These AFS drive mappings, however, can not be exported to other machines in the way that Windows drives can be because they are dependent on the name of the individual machine.
In a domain situation, it is best to use login scripts with variables rather than allowing individual users to determine their own drive mappings. This will help increase consistency and reliability of the drive mappings across various users and machines. The following command illustrates the point:
C:\> net use j: \\%computername%-afs\all
This statement in a login script will work because each individual computer that executes this statement will resolve the variable "%computername%" to the name of their own machine.
Q: What applications are available to Windows XP, Windows 2000 and Windows NT 4.0 users out of AFS space?
A: Check the following web page for a listing of applications that a user may be able to use out of AFS space if they have the AFS Client installed and are appropriately licensed:
Each package listed is a link to a page with a brief description of the software. The user will also find additional information such as any specific instructions on how to set up their local machine to run the application out of AFS space.
Q: Some drive mappings work on a Windows XP/2000 machine but not on a Windows NT 4.0 machine. Why?
A: Windows 2000 includes much improved networking and filesystem capabilities. Among these is the ability to map a drive letter to a subdirectory of a network share, instead of just being able to map to the share itself. For instance, if I have a network share of this name:
with these subdirectories:
it will then be possible for me to map a drive to a subdirectory of this share on a Windows 2000 machine using the standard "Map Network Drive" utility or with "net use" from a Command Prompt as follows:
C:\> net use z: \\SNOOPY-AFS\home\public_html
This command will, however, fail on Windows NT 4.0 since NT can only map to the share name itself (\\SNOOPY-AFS\home in this case).
Q: Users do not receive a token when they log in even though integrated login is configured. Why?
A: The AFS Client depends on the presence of network services. When Windows XP/2000/NT presents the login window, contrary to popular belief, it is NOT an indication that network services have started. In fact, this problem is compounded somewhat since Windows 2000 and later suppress most boot up errors whereas Windows NT 4.0 used to give an error before login stating that some services had failed to start.
The most common reason why integrated login fails is because the AFS Client service is not set to start automatically. Even when the "Obtain AFS tokens when logging into Windows" checkbox in the AFS Client Configuration control panel is checked, integrated login will still fail if the IBM AFS service is not set to start automatically. To make sure the service is set to start automatically, click the "Start the AFS Client Service whenever this computer restarts" checkbox on the Advanced tab of the AFS Client dialog (accessed via the Authentication applet in the IBM AFS Program group, or by double-clicking the padlock icon in the system tray).
Additionally, ensure that the user's Windows login name and password are synchronized (match exactly) their AFS login name (Onyen) and password. This is a requirement for integrated login to work.
Q: How can I map a drive "globally" for all users, or map a drive that exists even when no one is logged on?
A: Currently, this feature of the OpenAFS client does not work properly.
Q: Is there anything AFS shouldn't be used for?
A: AFS does not support particular types of file locking on UNIX or Windows XP/2000/NT. This means that if you are conducting collaborative work, certain applications, including Microsoft Office applications, will encounter file contention problems. In essence, the last person to save the file will "win," overwriting any other changes that might have been made. For certain applications, including Microsoft Access, this can destroy data.
Under no circumstances do we recommend storing active databases in AFS, unless assurances can be made that only a single process will be updating the database an any given time.
Additionally, using a network drive for performance-intensive applications tends to reduce performance. Applications involving extended periods of intense disk usage such as audio/video editing are not the ideal use of AFS.
Q: Does the AFS client for Windows XP/2000/NT recognize UNIX-style symbolic links?
A: Windows applications do NOT correctly recognize UNIX symbolic links. This can have disastrous consequences. For instance, in UNIX, if you delete a symbolic link, the default behavior is to delete only the link and not the file it refers to. Under Windows, however, the symbolic link is regarded as a normal file, so deleting the link will actually delete the file/folder itself! We advise caution.
Under the latest version of the AFS client this situation is prevented from within the Client. A user is unable to delete a UNIX symbolic link. Instead, a tool, symlink.exe, is provided for generating and safely deleting UNIX symbolic links from a Windows command prompt.
Q: Can you explain AFS caching in more detail?
A: The AFS cache is the mechanism by which files on remote servers are copied to the local hard drive in order to improve performance. When a file in AFS space is referenced, a copy of that file is placed in the cache on the local hard drive and the AFS file servers make a note of who has the file and when it was checked out. The cache is in one of the following locations by default:
AFS Version Cache Location
1.2.300 C:\WINNT\AFSCache (Windows 2000 and NT 4.0)
C:\WINDOWS\AFSCache (Windows XP Professional)
This file remains in the cache until the file is closed and it is copied back to AFS space, or until a "callback" occurs and the local copy of the file is expired and a new version is retrieved and placed in the cache. NOTE: If you are actively editing a file in AFS space, the version you are editing will not be replaced by a callback.
As you are working with a file, operations such as reading and writing are happening solely on your local machine. This gives a great performance benefit over having to read or edit a file by sending calls over the network. Once the file is closed (after selecting File -> Close from within Microsoft Word, for example), the AFS software copies the file from your cache back to the AFS file server.
Why is this important? There are cases where problems can occur with the AFS cache. Running the AFS client software on a laptop computer presents specific challenges, all of which have not been resolved at this time. Specifically, files placed in the cache before the laptop is suspended, hibernated, or otherwise removed from the network while AFS is running seems to produce inconsistent results, occasionally resulting in data loss.
If you are using the AFS client on a laptop computer, ATN recommends performing a full shutdown after closing all files that live in AFS in order to avoid any data loss or other cache problem.
Q: What cache size is appropriate?
A: Appropriate cache size varies from application to application. In general, the default size of 20480 KB (approximately 20 MB) is too small for everyday use. For workstation use, a cache of approximately 60000KB (60MB) is suitable, and this is the default value for the DCI installer of the AFS Client. For heavy users of AFS, you may want to eventually increase this value.
Servers may require a larger cache; however, be aware that the performance benefits of a larger cache cease after the cache size is increased beyond a certain point. In general, this point falls somewhere between 256 and 512 MB.
Q: Changing the size of my cache fails. Why?
A: The AFS client requires enough contiguous free disk space to accommodate the chosen cache size. For instance, if you have 150 MB of free space and you desire a 130 MB cache, yet your disk is heavily fragmented, it is unlikely that the client will be able to find 130 MB of contiguous space.
Deleting files to increase free space and defragmenting the drive may help in these cases. Windows includes a defragmentation utility of its own; search Windows help for "defragment" for more information. Many third-party defragmentation utilities are also available at cost. The most popular of the third-party utilities is Diskeeper, from Executive Software (http://www.executive.com).
A: Open the AFS Client Authentication dialog from the following menu:
Start -> Program -> OpenAFS -> OpenAFS Authenticate
The upper right-hand corner of this window should display a version number.
From a command prompt, you can also type ‘rxdebug localhost 7001 –vers’ as such:
C:\> rxdebug localhost 7001 -vers
Trying 127.0.0.1 (port 7001):
AFS version: OpenAFS1.2.600+UNC
OpenAFS, the open-source version of the AFS filesystem
Maintained by the DCI group
Last revised 23 April 2004