PingFederate Server

Configuring the Active Directory environment

You can configure Active Directory (AD) to access a domain and enable Kerberos as an authentication option for it.

About this task

To enable Kerberos authentication, you must make several AD configuration changes to grant PingFederate access to the domain and add the domain to PingFederate.

Don’t configure subdomains if you already configured the parent domain in the same forest. Learn more in Multiple-domain support.

Before you begin

You must have Domain Administrator permissions in AD to make the required changes.

Steps

  1. In AD, create a domain user account that PingFederate can use to contact the Kerberos Key Distribution Center (KDC). The account must belong to the Domain Users group, and its password must be set to never expire.

  2. Use the setspn Windows utility to register Service Principal Name (SPN) directory properties for the account by executing the following command on the domain controller:

    setspn -s HTTP/<pf-idp.domain.name> <pf-server-account-name>

    The <pf-idp.domain.name> is the Canonical Name (CNAME) of the PingFederate server. The <pf-server-account-name> is the domain account you want to use for Kerberos authentication. Learn more about CNAME in Naming issues.

    When you execute the setspn command, you must capitalize HTTP and follow it with a forward slash (/).

  3. To verify that the registration was successful, execute the following command:

    setspn -l <pf-server-account-name>

    This command returns a list of SPNs for the account. Verify that HTTP/<pf-idp.domain.name> is one of them.

    After you change an SPN, any authenticated end user must reauthenticate. The user must close the browser or sign off and back on before attempting single sign-on (SSO).
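    The three steps above as one PowerShell session on the domain controller, added here as an example and not taken from the PingFederate documentation; the account name pf-kerberos-svc, the CNAME sso.example.com and the use of the ActiveDirectory module are assumptions, and the duplicate-SPN check before registration is an extra safeguard the steps do not spell out.

```powershell
# Added example (not Ping Identity's code): create the Kerberos account,
# register its HTTP SPN with setspn, and verify the registration.
Import-Module ActiveDirectory

$AccountName = 'pf-kerberos-svc'   # assumed <pf-server-account-name>
$PfCname     = 'sso.example.com'   # assumed <pf-idp.domain.name> (CNAME of the PingFederate server)
$Spn         = "HTTP/$PfCname"     # HTTP in upper case, followed by a forward slash

# Step 1: domain user with a non-expiring password. New users join
# Domain Users by default, so no group membership change is needed.
$Password = Read-Host -AsSecureString -Prompt "Password for $AccountName"
New-ADUser -Name $AccountName `
           -SamAccountName $AccountName `
           -UserPrincipalName "$AccountName@$((Get-ADDomain).DNSRoot)" `
           -AccountPassword $Password `
           -PasswordNeverExpires $true `
           -Enabled $true

# Safeguard: an SPN registered on two accounts breaks Kerberos for both,
# so stop if HTTP/<cname> already belongs to some other object.
$owner = Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)"
if ($owner) {
    throw "SPN $Spn is already registered to $($owner.DistinguishedName); fix that first."
}

# Step 2: register the SPN (-s also refuses duplicates across the forest).
setspn -s $Spn $AccountName
if ($LASTEXITCODE -ne 0) { throw "setspn -s failed with exit code $LASTEXITCODE" }

# Step 3: list the account's SPNs and confirm HTTP/<cname> is among them.
$registered = setspn -l $AccountName | ForEach-Object { $_.Trim() }
if ($registered -notcontains $Spn) {
    throw "Verification failed: $Spn not found among SPNs of $AccountName"
}
Write-Output "Registered $Spn on $AccountName."
Write-Output "Signed-in users must close the browser or sign off and back on before attempting SSO."
```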