---
title: Kerberos node
description: Enables desktop single sign-on such that a user who has already authenticated with a Kerberos Key Distribution Center can authenticate to AM without having to provide the login information again.
component: auth-node-ref
version: 7.3
page_id: auth-node-ref::self-managed/auth-node-kerberos
canonical_url: https://docs.pingidentity.com/auth-node-ref/7.3/self-managed/auth-node-kerberos.html
section_ids:
  outcomes: Outcomes
  properties: Properties
  example: Example
---

# Kerberos node

Enables desktop single sign-on such that a user who has already authenticated with a Kerberos Key Distribution Center can authenticate to AM without having to provide the login information again.

To achieve this, the user presents a Kerberos token to AM through the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) protocol: AM challenges the browser with a `WWW-Authenticate: Negotiate` response header, and the browser answers with an `Authorization: Negotiate` request header carrying the base64-encoded token.

End users may need to set up Integrated Windows Authentication in Internet Explorer or Microsoft Edge to benefit from single sign-on when logged on to a Windows desktop; in practice this means adding the AM host name to the browser's Local intranet zone so that the browser sends a Kerberos token to it automatically.

## Outcomes

* `True`

* `False`

Evaluation continues along the `True` path if Windows Desktop SSO is successful; otherwise, evaluation continues along the `False` path.

## Properties

| Property | Usage |
| --- | --- |
| Service Principal | Specifies the Kerberos principal for authentication in the format `HTTP/AM-DOMAIN@AD-DOMAIN`, where *AM-DOMAIN* is the fully qualified host name of the AM instance and *AD-DOMAIN* is the name of the Kerberos realm (the FQDN of the Active Directory domain). *AD-DOMAIN* can differ from the DNS domain of the AM host. In multi-instance AM deployments, set *AM-DOMAIN* to the FQDN or IP address of the load balancer in front of the AM instances, because that is the host name the browser requests a service ticket for. For example, `HTTP/AM-LB.example.com@KERBEROSREALM.INTERNAL.COM`. |
| Key Tab File Path | Specifies the full, absolute path of the keytab file for the specified Service Principal. You generate the keytab file with the Windows `ktpass` utility; for example: `C:\> ktpass -out fileName.keytab -princ HTTP/openam.example.com@AD_DOMAIN.COM -pass +rndPass -maxPass 256 -mapuser amKerberos@frdpcloud.com -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -kvno 0`. The keytab holds the long-term key of the mapped service account, so transfer it to the AM host over a secure channel and make it readable only by the user AM runs as. |
| Kerberos Realm | Specifies the name of the Kerberos (Active Directory) realm used for authentication. Must be specified in all caps. |
| Kerberos Server Name | Specifies the fully qualified domain name or IP address of the Kerberos (Active Directory) server, that is, the KDC. |
| Trusted Kerberos realms | Specifies a list of trusted Kerberos realms for user Kerberos tickets. If realms are configured, Kerberos tickets are accepted only if the realm part of the user principal name in the user's Kerberos ticket matches a realm in the list; if no realms are configured, this check is not applied. Each trusted Kerberos realm must be specified in all caps. |
| Return Principal with Domain Name | When enabled, AM returns the fully qualified user principal name of the authenticated user (including the realm) rather than just the username. |
| Lookup User In Realm | Validates the user against the configured data stores. If the user from the Kerberos token is not found, evaluation continues along the `False` path. This search uses the `Alias Search Attribute Name` from the core realm attributes. For more information about this property, refer to [User profile](https://docs.pingidentity.com/pingam/7.3/authentication-guide/authn-core-settings.html#authn-core-user-profile). |
| Is Initiator | When enabled (`true`, the default), the node uses *initiator* credentials. When disabled (`false`), the node uses *acceptor* credentials. |
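
The following is an added example written for this page; it is not PingAM code and does not call AM. It serves two purposes. First, it decodes the `Authorization: Negotiate` token described above, which is the check to run when the node keeps taking the `False` path: a browser that cannot obtain a ticket for the configured Service Principal silently falls back to NTLM, either as a raw `NTLMSSP` message or as the only mechanism inside a SPNEGO wrapper, and neither is a Kerberos token. Second, `accept_principal` models the `Trusted Kerberos realms` and `Return Principal with Domain Name` settings as the table describes them; exact, case-sensitive realm matching is an assumption consistent with the all-caps requirement, and the sample tokens, realm names and the placeholder mechToken payload are all constructed here.

```python
"""Added example (not PingAM code): decode a SPNEGO token from the Negotiate
header and apply the Kerberos node's realm/principal-name settings.
Sample tokens are constructed below; the mechToken payload is a placeholder
where a real token carries a Kerberos AP-REQ."""
import base64

# DER encodings of the OIDs that appear in SPNEGO NegTokenInit messages.
OID_SPNEGO = bytes.fromhex("2b0601050502")            # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("2a864886f712010202")        # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("2a864882f712010202")     # 1.2.840.48018.1.2.2
OID_NTLMSSP = bytes.fromhex("2b06010401823702020a")   # 1.3.6.1.4.1.311.2.2.10
OID_NAMES = {OID_KRB5: "KRB5", OID_MS_KRB5: "MS-KRB5", OID_NTLMSSP: "NTLMSSP"}
KERBEROS_MECHS = {"KRB5", "MS-KRB5"}


def der(tag, content):
    """Encode one definite-length DER TLV (long-form length from 128 bytes)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + content


def read_tlv(buf, pos=0):
    """Decode the TLV at buf[pos]; return (tag, content, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        n, pos = first, pos + 2
    elif first == 0x80:
        raise ValueError("indefinite length is not valid DER")
    else:
        size = first & 0x7F
        n, pos = int.from_bytes(buf[pos + 2:pos + 2 + size], "big"), pos + 2 + size
    if pos + n > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + n], pos + n


def build_neg_token_init(mech_oids, mech_token):
    """Constructed sample: InitialContextToken { SPNEGO OID, [0] NegTokenInit }."""
    mech_types = der(0xA0, der(0x30, b"".join(der(0x06, o) for o in mech_oids)))
    neg_token_init = der(0x30, mech_types + der(0xA2, der(0x04, mech_token)))
    return der(0x60, der(0x06, OID_SPNEGO) + der(0xA0, neg_token_init))


def negotiate_header(token):
    """Format a token the way a browser does: 'Negotiate <base64>'."""
    return "Negotiate " + base64.b64encode(token).decode("ascii")


def classify_negotiate(header_value):
    """Report what the client offered. Only a token whose first (optimistic)
    mechanism is Kerberos is something the Kerberos node can accept."""
    scheme, _, b64 = header_value.partition(" ")
    if scheme != "Negotiate":
        raise ValueError("not a Negotiate authorization header")
    raw = base64.b64decode(b64)
    if raw.startswith(b"NTLMSSP\x00"):             # raw NTLM, no SPNEGO wrapper
        return {"kind": "raw-ntlm", "mechs": ["NTLMSSP"], "kerberos": False}
    tag, body, _ = read_tlv(raw)
    if tag != 0x60:
        raise ValueError("not a GSS-API initial context token")
    tag, oid, pos = read_tlv(body)
    if tag != 0x06 or oid != OID_SPNEGO:           # bare mechanism token
        name = OID_NAMES.get(oid, oid.hex())
        return {"kind": "gss", "mechs": [name], "kerberos": name in KERBEROS_MECHS}
    tag, choice, _ = read_tlv(body, pos)
    if tag != 0xA0:
        raise ValueError("expected NegTokenInit ([0])")
    _, fields, _ = read_tlv(choice)                # SEQUENCE of tagged fields
    mechs, pos = [], 0
    while pos < len(fields):
        tag, content, pos = read_tlv(fields, pos)
        if tag == 0xA0:                            # [0] mechTypes: SEQUENCE OF OID
            _, mech_list, _ = read_tlv(content)
            p = 0
            while p < len(mech_list):
                _, o, p = read_tlv(mech_list, p)
                mechs.append(OID_NAMES.get(o, o.hex()))
    return {"kind": "spnego", "mechs": mechs,
            "kerberos": bool(mechs) and mechs[0] in KERBEROS_MECHS}


def accept_principal(principal, trusted_realms, return_with_domain):
    """Model of 'Trusted Kerberos realms' and 'Return Principal with Domain Name'.
    Realm matching is exact (assumption), which is why realms must be in caps;
    returns None when the realm is not trusted (the node's False path)."""
    user, sep, realm = principal.rpartition("@")
    if not (sep and user and realm):
        return None
    if trusted_realms and realm not in trusted_realms:
        return None
    return principal if return_with_domain else user


# Constructed samples: a Kerberos-first token (what a domain-joined browser sends),
# an NTLM fallback wrapped in SPNEGO, and a raw NTLM type 1 message.
SAMPLE_KERBEROS = negotiate_header(
    build_neg_token_init([OID_MS_KRB5, OID_KRB5, OID_NTLMSSP], b"\x6e" + bytes(199)))
SAMPLE_SPNEGO_NTLM = negotiate_header(
    build_neg_token_init([OID_NTLMSSP], b"NTLMSSP\x00\x01\x00\x00\x00" + bytes(27)))
SAMPLE_RAW_NTLM = negotiate_header(b"NTLMSSP\x00\x01\x00\x00\x00" + bytes(27))

if __name__ == "__main__":
    for hdr in (SAMPLE_KERBEROS, SAMPLE_SPNEGO_NTLM, SAMPLE_RAW_NTLM):
        print(hdr[:24] + "...", classify_negotiate(hdr))
    print(accept_principal("alice@CORP.EXAMPLE.COM", ["CORP.EXAMPLE.COM"], False))
```

Two prefixes are worth remembering when reading a captured header: a SPNEGO-wrapped Kerberos token of realistic size base64-encodes to something starting with `YII`, while a raw NTLM fallback starts with `TlRMTVNTUAAB` (the base64 of `NTLMSSP\0\x01`). If the browser sends the latter, fix the SPN registration or the browser's intranet-zone settings before looking at the keytab.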

## Example

This flow attempts to authenticate the user with Windows Desktop SSO. If unsuccessful, AM requests the username and password for login. Meter nodes are used to track metrics for the various paths through the flow:

![An example that uses the Kerberos node](../_images/trees-node-kerberos-example.png)
