diff --git a/doc/txt/winnotes/afs-changes-since-1.2.txt b/doc/txt/winnotes/afs-changes-since-1.2.txt index 17738ed8dd..a864e197bf 100644 --- a/doc/txt/winnotes/afs-changes-since-1.2.txt +++ b/doc/txt/winnotes/afs-changes-since-1.2.txt @@ -1,4 +1,9 @@ Since 1.3.71: + * Fix bug in loading of registry value HKLM\SOFTWARE\OpenAFS\Client + "EnableKFW". This value will not be read if the key + HKCU\SOFTWARE\OpenAFS\Client exists; even if the "EnableKFW" + value under that key does not. + * provide mechanisms to force the use of krb524d for Kerberos 5 ticket to AFS token conversion. For afslogon.dll and afscreds.exe there is a new registry value "Use524" and for aklog.exe a new diff --git a/doc/txt/winnotes/afs-install-notes.txt b/doc/txt/winnotes/afs-install-notes.txt index 9265625e53..28b8ebd37f 100644 --- a/doc/txt/winnotes/afs-install-notes.txt +++ b/doc/txt/winnotes/afs-install-notes.txt 
@@ -352,6 +352,34 @@ or fs.exe. During installation this group is created and the current contents of the Administrators group is copied. +26. Some organizations which have AFS cell names and Kerberos realm names +which differ by more then just lower and upper case rely on a modification +to krb524d which maps a Kerberos 5 ticket from realm FOO to a Kerberos 4 +ticket in realm BAR. This allows user@FOO to appear to be user@bar for +the purposes of accessing the AFS cell. As of OpenAFS 1.2.8, support was +added to allow the immediate use of Kerberos 5 tickets as AFS (2b) tokens. +This is the first building block necessary to break away from the +limitations of Kerberos 4 with AFS. By using Kerberos 5 directly we +avoid the security holes inherent in Kerberos 4 cross-realm. We also +gain access to cryptographically stronger algorithms for authentication +and encryption. + +Another reason for using Kerberos 5 directly is because the krb524 service +runs on a port (4444) which has become increasingly blocked by ISPs. The +port was used to spread a worm which attacked Microsoft Windows in the +summer of 2003. When the port is blocked users find that they are unable +to authenticate. + +Replacing the Kerberos 4 ticket with a Kerberos 5 ticket is a win in all +situations except when the cell name does not match the realm name and +the principal names placed into the ACLs are not the principal names from +the Kerberos 5 ticket. To support this transition, OpenAFS for Windows +in 1.3.72 adds a new registry value to force the use of krb524d. However, +the availability of this option should only be used by individuals until +such time as their organizations can provide a more permanent solution. + + + ------------------------------------------------------------------------ Reporting Bugs: diff --git a/src/WINNT/afsd/afskfw.c b/src/WINNT/afsd/afskfw.c index dce6739a56..823c60cf19 100644 --- a/src/WINNT/afsd/afskfw.c +++ b/src/WINNT/afsd/afskfw.c 
@@ -453,19 +453,25 @@ KFW_use_krb524(void) code = RegOpenKeyEx(HKEY_CURRENT_USER, OpenAFSConfigKeyName, 0, KEY_QUERY_VALUE, &parmKey); - if (code != ERROR_SUCCESS) - code = RegOpenKeyEx(HKEY_LOCAL_MACHINE, OpenAFSConfigKeyName, - 0, KEY_QUERY_VALUE, &parmKey); if (code == ERROR_SUCCESS) { len = sizeof(use524); code = RegQueryValueEx(parmKey, "Use524", NULL, NULL, (BYTE *) &use524, &len); if (code != ERROR_SUCCESS) { - use524 = 0; + RegCloseKey(parmKey); + + code = RegOpenKeyEx(HKEY_LOCAL_MACHINE, OpenAFSConfigKeyName, + 0, KEY_QUERY_VALUE, &parmKey); + if (code == ERROR_SUCCESS) { + len = sizeof(use524); + code = RegQueryValueEx(parmKey, "Use524", NULL, NULL, + (BYTE *) &use524, &len); + if (code != ERROR_SUCCESS) + use524 = 0; + } } RegCloseKey (parmKey); } - return use524; } @@ -478,19 +484,25 @@ KFW_is_available(void) code = RegOpenKeyEx(HKEY_CURRENT_USER, OpenAFSConfigKeyName, 0, KEY_QUERY_VALUE, &parmKey); - if (code != ERROR_SUCCESS) - code = RegOpenKeyEx(HKEY_LOCAL_MACHINE, OpenAFSConfigKeyName, - 0, KEY_QUERY_VALUE, &parmKey); if (code == ERROR_SUCCESS) { len = sizeof(enableKFW); code = RegQueryValueEx(parmKey, "EnableKFW", NULL, NULL, (BYTE *) &enableKFW, &len); if (code != ERROR_SUCCESS) { - enableKFW = 1; + RegCloseKey(parmKey); + + code = RegOpenKeyEx(HKEY_LOCAL_MACHINE, OpenAFSConfigKeyName, + 0, KEY_QUERY_VALUE, &parmKey); + if (code == ERROR_SUCCESS) { + len = sizeof(enableKFW); + code = RegQueryValueEx(parmKey, "EnableKFW", NULL, NULL, + (BYTE *) &enableKFW, &len); + if (code != ERROR_SUCCESS) + enableKFW = 1; + } } RegCloseKey (parmKey); } - if ( !enableKFW ) return FALSE;
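Review bot: The added HKLM lookup in KFW_use_krb524 now runs only inside the branch where the HKCU key opened but the value was missing; with the removed `if (code != ERROR_SUCCESS)` fallback gone, a session that has no HKCU\SOFTWARE\OpenAFS\Client key at all never reads the machine-wide "Use524" value, which is the opposite of what the changelog hunk above says the change does. In that same nested path, if the HKLM RegOpenKeyEx fails after `RegCloseKey(parmKey);` has already run, the trailing `RegCloseKey (parmKey);` closes the stale HKCU handle a second time and the `use524 = 0` default is no longer applied, so the return value is whatever use524 held from its declaration above the hunk. The KFW_is_available hunk has the identical structure and the same three problems with "EnableKFW" (default 1). Restructuring so each opened key is closed exactly once, the HKLM lookup runs whenever HKCU did not yield the value, and the default is applied once at the end resolves all of them; both functions start and end outside their hunks.
```c
    code = RegOpenKeyEx(HKEY_CURRENT_USER, OpenAFSConfigKeyName,
                        0, KEY_QUERY_VALUE, &parmKey);
    if (code == ERROR_SUCCESS) {
        len = sizeof(use524);
        code = RegQueryValueEx(parmKey, "Use524", NULL, NULL,
                               (BYTE *) &use524, &len);
        RegCloseKey(parmKey);
    }
    /* HKCU key absent, or present without the value: fall back to HKLM */
    if (code != ERROR_SUCCESS) {
        code = RegOpenKeyEx(HKEY_LOCAL_MACHINE, OpenAFSConfigKeyName,
                            0, KEY_QUERY_VALUE, &parmKey);
        if (code == ERROR_SUCCESS) {
            len = sizeof(use524);
            code = RegQueryValueEx(parmKey, "Use524", NULL, NULL,
                                   (BYTE *) &use524, &len);
            RegCloseKey(parmKey);
        }
    }
    /* neither hive supplied the value: apply the default once */
    if (code != ERROR_SUCCESS)
        use524 = 0;
    return use524;
```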