---
title: Configuring a Kerberos Token Processor instance
description: The integrated Kerberos Token Processor accepts and validates Kerberos tokens through a configured Kerberos realm.
component: pingfederate
version: 13.1
page_id: pingfederate:administrators_reference_guide:pf_config_kerberos_token_process_instance
canonical_url: https://docs.pingidentity.com/pingfederate/13.1/administrators_reference_guide/pf_config_kerberos_token_process_instance.html
llms_txt: https://docs.pingidentity.com/pingfederate/llms.txt
docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md
revdate: July 5, 2022
section_ids:
  about-this-task: About this task
  steps: Steps
---

# Configuring a Kerberos Token Processor instance

The integrated Kerberos Token Processor accepts and validates Kerberos tokens through a configured Kerberos realm.

## About this task

The Kerberos Token Processor supports authentication mechanism assurance from the Active Directory (AD) domain service, which makes it possible to restrict access to users who authenticate through specific mechanisms. For more information, see [Authentication mechanism assurance](pf_auth_mechanism_assurance.html).

## Steps

1. Go to **Authentication > Token Exchange > Token Processors**.

2. On the **Instance Configuration** tab, select the applicable domain from the **Domain/Realm Name** list.

   An AD domain or a Kerberos realm must be configured for use with the Kerberos Token Processor. If the domain you want does not appear, click **Manage Active Directory Domains/Kerberos Realms** to add it. For more information, see [Active Directory and Kerberos](pf_active_directory_kerberos.html).

   Kerberos tickets can be accepted from domains other than the domain configured in the token processor if there is a transitive, two-way trust. This trust exists by default when domains are joined within a single server forest. For more information, see [Multiple-domain support](pf_mutliple_domain_supp.html).
