---
title: Configuring the Active Directory environment
description: You can configure Active Directory (AD) to access a domain and enable Kerberos as an authentication option for it.
component: pingfederate
version: 13.0
page_id: pingfederate:administrators_reference_guide:pf_configuring_active_directory_environment
canonical_url: https://docs.pingidentity.com/pingfederate/13.0/administrators_reference_guide/pf_configuring_active_directory_environment.html
revdate: July 5, 2022
page_aliases: ["pf_config_activ_dir_environme.adoc"]
section_ids:
  about-this-task: About this task
  before-you-begin: Before you begin
  steps: Steps
---

# Configuring the Active Directory environment

You can configure Active Directory (AD), the directory service for Windows domain networks that is included with most Windows Server operating systems, to access a domain and enable Kerberos as an authentication option for it. Kerberos is a network authentication protocol that provides strong authentication for client/server applications using symmetric-key cryptography and a trusted authentication service, the Key Distribution Center (KDC): the KDC authenticates the client and issues tickets that grant access to the server. Kerberos is the default authentication protocol in Microsoft Windows domains.

## About this task

To enable Kerberos authentication, you must make several AD configuration changes to grant PingFederate access to the domain and add the domain to PingFederate.

|   |                                                                                                                                                                   |
| - | ----------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|   | Don't configure subdomains if you have already configured the parent domain in the same forest. Learn more in [Multiple-domain support](pf_mutliple_domain_supp.html). |

## Before you begin

You must have Domain Administrator permissions in AD to make the required changes.

## Steps

1. In AD, create a domain user account that PingFederate uses to contact the Kerberos Key Distribution Center (KDC). The account must be a member of the Domain Users group, and its password must be set to never expire.

2. Use the `setspn` Windows utility to register a Service Principal Name (SPN) for the account by running the following command on the domain controller:

   ```shell
   setspn -s HTTP/<pf-idp.domain.name> <pf-server-account-name>
   ```

   The `<pf-idp.domain.name>` is the Canonical Name (CNAME) of the PingFederate server. The `<pf-server-account-name>` is the domain account you want to use for Kerberos authentication. Learn more about CNAME in [Naming issues](https://datatracker.ietf.org/doc/html/rfc2181#section-10).

   |   |                                                                                                             |
   | - | ----------------------------------------------------------------------------------------------------------- |
   |   | When you execute the `setspn` command, you must capitalize `HTTP` and follow it with a forward slash (`/`). |

3. To verify that the registration was successful, execute the following command:

   ```shell
   setspn -l <pf-server-account-name>
   ```

   This command returns a list of SPNs for the account. Verify that `HTTP/<pf-idp.domain.name>` is one of them.

   |   |                                                                                                                                                                              |
   | - | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   |   | After you change an SPN, any authenticated end user must reauthenticate. The user must close the browser or sign off and back on before attempting single sign-on (SSO). |
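The three steps above as one PowerShell script, run on a domain controller or on a host with the ActiveDirectory RSAT module. This is an added example, not code from the PingFederate documentation or product. The account name `svc-pingfederate`, the host name `pf-idp.example.com` and the domain `example.com` are placeholders. The script also checks that the SPN is not already registered on another object before adding it, which the steps above do not mention but which a practitioner will want, because a duplicate SPN breaks Kerberos authentication for the service.

```powershell
# Added example: the AD-side configuration for PingFederate Kerberos
# authentication as a single script. All names below are assumptions.
Import-Module ActiveDirectory

$AccountName = 'svc-pingfederate'        # assumed service account name
$Domain      = 'example.com'             # assumed AD domain
$PfHostName  = 'pf-idp.example.com'      # assumed CNAME of the PingFederate server
$Spn         = "HTTP/$PfHostName"        # HTTP in upper case, followed by '/'

# Step 1: create the domain user with a password that never expires.
# A new user's primary group is Domain Users by default, so no group change is needed.
$Password = Read-Host -AsSecureString -Prompt "Password for $AccountName"
New-ADUser -Name $AccountName `
    -SamAccountName $AccountName `
    -UserPrincipalName "$AccountName@$Domain" `
    -AccountPassword $Password `
    -Enabled $true `
    -PasswordNeverExpires $true `
    -ChangePasswordAtLogon $false

# Guard (not in the steps above): an SPN must be unique in the forest.
# If another object already carries it, stop instead of creating a duplicate.
$existing = Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" -Properties servicePrincipalName
if ($existing) {
    throw "SPN $Spn is already registered on $($existing.DistinguishedName)"
}

# Step 2: register the SPN. -S also refuses to add a duplicate, unlike -A.
setspn -S $Spn $AccountName
if ($LASTEXITCODE -ne 0) {
    throw "setspn failed with exit code $LASTEXITCODE"
}

# Step 3: verify. List the SPNs as in the documented step, then cross-check the
# servicePrincipalName attribute directly so the script can fail on a mismatch.
setspn -L $AccountName
$registered = (Get-ADUser -Identity $AccountName -Properties servicePrincipalName).servicePrincipalName
if ($registered -contains $Spn) {
    Write-Host "OK: $Spn is registered on $AccountName"
} else {
    throw "SPN $Spn was not found on $AccountName"
}
```

Run the script as a Domain Administrator. If the pre-check throws, find and remove the stale registration on the other object (for example with `setspn -D`) before re-running, rather than forcing the add.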
