Adding Active Directory domains and Kerberos realms
You can configure Active Directory domains or Kerberos realms that PingFederate uses to contact the domain controllers or the key distribution centers (KDCs) for verifying user authentication.
About this task
The procedure for adding an Active Directory domain or Kerberos realm depends on whether PingFederate is deployed on-premise or in a cloud. Perform the procedure on one of the following tabs.
-
PingFederate on-premise
-
PingFederate in a cloud
-
PingFederate without KDC connectivity
Adding domains and realms when PingFederate is on-premise
When PingFederate is deployed on-premise, use the following procedure.
Steps
-
In the Manage Domain/Realm window, configure the following settings.
Field Description Connection Type
Select Direct.
Domain/Realm Name
The fully-qualified domain or realm name. For example, companydomain.com.
Domain/Realm Username
The ID for the domain or realm account name.
Domain/Realm Password
The password for the domain or realm account.
Retain Previous Keys on Password Change
Select this check box and click Save to avoid locking out end users with existing Kerberos tickets when the service account password is updated.
PingFederate retains each previous key for the period specified in the Key Set Retention Period field on the Manage Domain/Realm Settings tab of the Active Directory Domains/Kerberos Realms window. The default period is 610 minutes. For more information, see Managing domain connectivity settings.
To clear the previous keys from PingFederate, clear the check box and click Save.
This check box is selected by default.
Domain Controller/Key Distribution Center Host Names
(optional)
Specify the host name or IP address of your domain controller or KDC, such as
dc01-yvr
, and then click Add. Repeat this step to add multiple servers.If a host name is used, PingFederate appends the domain to the host name to formulate the fully qualified domain name (FQDN) of the server unless the Suppress DC/Domain Concatenation check box is selected.
If unspecified, PingFederate uses a DNS lookup.
Suppress DC/Domain Concatenation
Select this check box to specify the desired FQDNs under Domain Controller/Key Distribution Center Host Names. When selected, PingFederate does not append the domain to the host names.
Test Domain/Realm Connectivity
Tests access to the domain controller or KDC from the administrative-console server.
When a connection to any of the configured controllers or KDCs is successful, the message
Test Successful
appears. Otherwise, the test returns error messages near the top of the window.For help resolving connectivity issues, select the Debug Log Output check box on the Manage Domain/Realm Settings window, run the test again, and review the debug messages in the PingFederate server log.
This test stops at the first successful result when multiple domain controllers or KDCs are specified, so not all servers are necessarily verified. Depending on the network architecture, the engine nodes deployed in a cluster might establish connections differently. As a result, the engine nodes and the console node might connect to different domain controllers or KDCs.
-
Click Save.
Adding domains and realms when PingFederate is in a cloud
When PingFederate is deployed in a cloud, use the following procedure.
Before you begin
Ensure that PingFederate has a connection to a PingOne LDAP Gateway. For more information, see Gateways in the documentation for the PingOne Cloud Platform.
Steps
-
In the Manage Domain/Realm window, configure the following settings.
Field Description Connection Type
Select Through PingOne LDAP Gateway.
Domain/Realm Name
The fully-qualified domain or realm name. For example, companydomain.com.
PingOne LDAP Gateway Data Store
Select the datastore that was configured for the PingOne LDAP Gateway.
Test Domain/Realm Connectivity
Tests access to the domain controller or KDC from the administrative console server. When a connection to the configured PingOne LDAP Gateway is successful, the message
Test Successful
appears. Otherwise, the test returns error messages near the top of the window. -
Click Save.
Adding domains and realms without KDC connectivity
When PingFederate is deployed in the cloud without Key Distribution Center (KDC) connectivity, use the following procedure.
Steps
-
On the Manage Domain/Realm page, configure the following settings:
Field Description Connection Type
Select Local Validation.
Domain/Realm Name
The fully-qualified domain or realm name.
For example,
companydomain.com
.Domain/Realm Username
The ID for the domain or realm account name.
Domain/Realm Username is case sensitive. The value must match the username part of the service account’s
userPrincipleName
.Domain/Realm Password
The password for the domain or realm account.
Retain Previous Keys on Password Change
Select this checkbox and click Save to avoid locking out end users with existing Kerberos tickets when the service account password is updated.
PingFederate retains each previous key for the period specified in the Key Set Retention Period field on the Manage Domain/Realm Settings tab of the Active Directory Domains/Kerberos Realms page. The default period is 610 minutes. Learn more in Managing domain connectivity settings.
To clear the previous keys from PingFederate, clear the checkbox and click Save.
This checkbox is selected by default.
-
Click Save.