---
title: Adding Active Directory domains and Kerberos realms
description: You can configure Active Directory domains or Kerberos realms that PingFederate uses to contact the domain controllers or the key distribution centers (KDCs) for verifying user authentication.
component: pingfederate
version: 13.1
page_id: pingfederate:administrators_reference_guide:pf_adding_active_directory_domains_kerberos_realms
canonical_url: https://docs.pingidentity.com/pingfederate/13.1/administrators_reference_guide/pf_adding_active_directory_domains_kerberos_realms.html
llms_txt: https://docs.pingidentity.com/pingfederate/llms.txt
docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md
revdate: December 15, 2025
section_ids:
  about-this-task: About this task
  adding-domains-and-realms-in-pingfederate-on-premise-deployments: Adding domains and realms in PingFederate on-premise deployments
  steps: Steps
  choose-from: Choose from:
  adding-domains-and-realms-in-pingfederate-cloud-deployments: Adding domains and realms in PingFederate cloud deployments
  before-you-begin: Before you begin
  steps-2: Steps
  adding-domains-and-realms-without-kdc-connectivity: Adding domains and realms without KDC connectivity
  steps-3: Steps
  choose-from-2: Choose from:
---

# Adding Active Directory domains and Kerberos realms

You can configure Active Directory domains or Kerberos realms that PingFederate uses to contact the domain controllers or the key distribution centers (KDCs) for verifying user authentication.

## About this task

The steps for adding an Active Directory domain or Kerberos realm differ between on-premise PingFederate deployments and cloud PingFederate deployments. Follow the steps in the appropriate section for your deployment.

## Adding domains and realms in PingFederate on-premise deployments

Use the following procedure when PingFederate is deployed on-premise.

### Steps

1. In the PingFederate admin console, go to the **Manage Domain/Realm** tab.

2. In the **Connection Type** list, select **Directly**.

3. In the **Domain/Realm Name** field, enter the fully-qualified domain or realm name. For example, companydomain.com.

4. For **Credential Storage**, click one of the following:

   ### Choose from:

   * Click **Internally Managed** to store credentials in PingFederate.

   * Click **Secret Manager** to store credentials in an external secret manager.

     Learn more in [Secret managers](pf_secret_managers.html).

5. In the **Domain/Realm Username** field, enter the ID for the domain or realm account name.

6. Depending on the **Credential Storage** option you chose, enter a domain password or reference.

   1. In the **Domain/Realm Password** field, enter the password for the domain or realm account.

   2. In the **Domain/Realm Password Reference** field, enter the password reference generated by your secret manager.

7. (Optional) Select the **Retain Previous Keys on Password Change** checkbox and click **Save** to avoid locking out end users with existing Kerberos tickets when the service account password is updated.

   PingFederate retains each previous key for the period specified in the **Key Set Retention Period** field on the **Manage Domain/Realm Settings** tab of the **Active Directory Domains/Kerberos Realms** page. The default period is 610 minutes. Learn more in [Managing domain connectivity settings](help_kerberosrealmstasklet_kerberosrealmssettingsstate.html).

   To clear the previous keys from PingFederate, clear the checkbox and click **Save**.

   This checkbox is selected by default.

8. In the **Domain Controller/Key Distribution Center Host Names** field, enter the host name or IP address of your domain controller or KDC, such as `dc01-yvr`, and then click **Add**. Repeat this step to add multiple servers.

   If a host name is used, PingFederate appends the domain to the host name to formulate the fully qualified domain name (FQDN) of the server unless the **Suppress DC/Domain Concatenation** checkbox is selected.

   If unspecified, PingFederate uses a DNS lookup.

9. (Optional) Select the **Suppress DC/Domain Concatenation** checkbox to specify the desired FQDNs under **Domain Controller/Key Distribution Center Host Names**.

   When selected, PingFederate doesn't append the domain to the host names.

10. (Optional) Click **Test Domain/Realm Connectivity** to test access to the domain controller or KDC from the administrative-console server.

    When a connection to any of the configured controllers or KDCs is successful, the message `Test Successful` appears. Otherwise, the test returns error messages near the top of the window.

    To help resolve connectivity issues, select the **Debug Log Output** checkbox on the **Manage Domain/Realm Settings** tab, run the test again, and review the debug messages in the PingFederate server log.

    This test stops at the first successful result when multiple domain controllers or KDCs are specified, so not all servers are necessarily verified. Depending on the network architecture, the engine nodes deployed in a cluster could establish connections differently. As a result, the engine nodes and the console node might connect to different domain controllers or KDCs.

11. Click **Save**.

## Adding domains and realms in PingFederate cloud deployments

Use the following procedure when PingFederate is deployed in a cloud.

### Before you begin

* [Create an LDAP gateway in your PingOne environment](https://docs.pingidentity.com//pingone/integrations/p1_add_ldap_gateway.html)

* [Create a connection between your PingFederate and PingOne environments](help_p1connections_p1connectioncreate.html)

* [Configure an LDAP datastore](pf_configuring_p1_ldap_gateway_datastore.html)

### Steps

1. In the PingFederate admin console, go to the **Manage Domain/Realm** page.

2. In the **Connection Type** list, select **Through PingOne LDAP Gateway**.

3. In the **Domain/Realm Name** field, enter the fully-qualified domain or realm name. For example, companydomain.com.

4. In the **PingOne LDAP Gateway Data Store** list, select the datastore that was configured for the PingOne LDAP Gateway.

5. (Optional) Click the **Test Domain/Realm Connectivity** checkbox to test access to the domain controller or KDC from the administrative console server.

   When a connection to the configured PingOne LDAP Gateway is successful, the message `Test Successful` appears. Otherwise, the test returns error messages near the top of the window.

6. Click **Save**.

## Adding domains and realms without KDC connectivity

Use the following procedure when PingFederate is deployed in the cloud without Key Distribution Center (KDC) connectivity. The Kerberos KDC authenticates the client and issues tickets allowing access to a server on the network.

The Windows gMSA secret manager isn't supported when Kerberos domains and realms are added using the **Local Validation** connection type. If you want to use the Windows gMSA secret manager, use the **Direct** connection type. Learn more in [Configuring a secret manager for Windows gMSA](pf_configuring_secret_manager_windows_gmsa.html).

### Steps

1. In the PingFederate admin console, go to the **Manage Domain/Realm** page.

2. In the **Connection Type** list, select **Local Validation**.

3. In the **Domain/Realm Name** field, enter the fully-qualified domain or realm name. For example, companydomain.com.

4. For **Credential Storage**, click one of the following:

   ### Choose from:

   * Click **Internally Managed** to store credentials in PingFederate.

   * Click **Secret Manager** to store credentials in an external secret manager.

     Learn more in [Secret managers](pf_secret_managers.html).

5. In the **Domain/Realm Username** field, enter the ID for the domain or realm account name.

   **Domain/Realm Username** is case-sensitive. The value must match the username part of the service account's `userPrincipalName`.

6. Depending on the **Credential Storage** option you chose, enter a domain password or reference.

   1. In the **Domain/Realm Password** field, enter the password for the domain or realm account.

   2. In the **Domain/Realm Password Reference** field, enter the password reference generated by your secret manager.

7. (Optional) Select the **Retain Previous Keys on Password Change** checkbox and click **Save** to avoid locking out end users with existing Kerberos tickets when the service account password is updated.

   PingFederate retains each previous key for the period specified in the **Key Set Retention Period** field on the **Manage Domain/Realm Settings** tab of the **Active Directory Domains/Kerberos Realms** page. The default period is 610 minutes. Learn more in [Managing domain connectivity settings](help_kerberosrealmstasklet_kerberosrealmssettingsstate.html).

   To clear the previous keys from PingFederate, clear the checkbox and click **Save**.

   This checkbox is selected by default.

8. Click **Save**.
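Step 7 of both the on-premise and the local-validation procedures above turns on **Retain Previous Keys on Password Change**. The following Python model is added here as an illustration and is not PingFederate code or code from this page: it shows that a ticket issued under the old service account key keeps verifying for the **Key Set Retention Period** (610 minutes by default) after a password change, is rejected once that window has elapsed, and is rejected immediately when retention is off. The key derivation, ticket format, realm name and account name are constructed stand-ins.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import hashlib
import hmac

DEFAULT_RETENTION = timedelta(minutes=610)   # page default for Key Set Retention Period

def derive_key(password: str, realm: str, username: str) -> bytes:
    # Constructed stand-in for Kerberos string-to-key; not PingFederate's real derivation.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), f"{realm}{username}".encode(), 10_000)

def issue_ticket(key: bytes, payload: bytes) -> tuple:
    # Simulated ticket: payload plus a MAC under the service key that issued it.
    return payload, hmac.new(key, payload, "sha256").digest()

@dataclass
class KeySetStore:
    realm: str
    username: str
    retain_previous: bool = True                   # the Retain Previous Keys checkbox
    retention: timedelta = DEFAULT_RETENTION
    current: bytes = b""
    previous: list = field(default_factory=list)   # [(key, expires_at), ...]

    def set_password(self, password: str, now: datetime) -> None:
        # Rotate the service account key; the old key survives only when retention is on.
        if self.current and self.retain_previous:
            self.previous.append((self.current, now + self.retention))
        self.current = derive_key(password, self.realm, self.username)

    def usable_keys(self, now: datetime) -> list:
        # Current key plus retained keys whose retention window has not yet elapsed.
        self.previous = [(k, exp) for k, exp in self.previous if exp > now]
        return [self.current] + [k for k, _ in self.previous]

    def accepts(self, ticket: tuple, now: datetime) -> bool:
        payload, tag = ticket
        return any(hmac.compare_digest(hmac.new(k, payload, "sha256").digest(), tag)
                   for k in self.usable_keys(now))

def demo(retain_previous: bool = True) -> tuple:
    # A ticket issued under the old key, checked just after rotation, at 609 and at 611 minutes.
    t0 = datetime(2025, 12, 15, 9, 0)
    store = KeySetStore("COMPANYDOMAIN.COM", "pf-svc", retain_previous)  # constructed names
    store.set_password("old-password", t0 - timedelta(days=30))
    ticket = issue_ticket(store.current, b"client=alice;svc=HTTP/pf.companydomain.com")
    store.set_password("new-password", t0)         # service account password changed at t0
    return (store.accepts(ticket, t0),
            store.accepts(ticket, t0 + timedelta(minutes=609)),
            store.accepts(ticket, t0 + timedelta(minutes=611)))
```

The model also shows the trade-off: a retained key is honoured for the whole window, so a password change intended to retire the old credential takes full effect only after the retention period elapses or the previous keys are cleared by clearing the checkbox and clicking **Save**.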
