Configuring the Active Directory environment
You can configure Active Directory to access a domain and enable Kerberos as an authentication option for it.
About this task
To enable Kerberos authentication, you must make several Active Directory configuration changes to grant PingFederate access to the domain and add the domain to PingFederate.
Do not configure subdomains if the parent domain in the same forest is already configured. For more information, see Multiple-domain support. |
You must have Domain Administrator permissions to make the required changes. |
Steps
-
Create a domain user account that PingFederate can use to contact the Kerberos Key Distribution Center (KDC). The account should belong to the Domain Users group. We recommend that you set the password with no expiration.
-
Use the Windows utility
setspn
to register Service Principal Name (SPN) directory properties for the account by executing the following command on the domain controller.setspn -s HTTP/<pf-idp.domain.name> <pf-server-account-name>
, where <pf-idp.domain.name> is the canonical name of the PingFederate server and <pf-server-account-name> is the domain account you want to use for Kerberos authentication. For more information on canonical name, see https://tools.ietf.org/html/rfc2181#section-10.When executing the
setspn
command, you must capitalizeHTTP
and follow it with a forward slash (/
). -
Verify that the registration was successful by executing the following command.
setspn -l <pf-server-account-name>
This gives you a list of SPNs for the account. Verify that
HTTP/<pf-idp.domain.name>
is one of them.After making an SPN change, any authenticated end users must re-authenticate by closing the browser or signing off and back on before attempting single sign-on (SSO).