PingFederate Server

Adding Active Directory domains and Kerberos realms

You can configure Active Directory domains or Kerberos realms that PingFederate uses to contact the domain controllers or the key distribution centers (KDCs) for verifying user authentication.

About this task

The procedure for adding an Active Directory domain or Kerberos realm depends on whether PingFederate is deployed on-premise or in a cloud. Perform the procedure on one of the following tabs.

  • PingFederate on-premise

  • PingFederate in a cloud

  • PingFederate without KDC connectivity

Adding domains and realms when PingFederate is on-premise

When PingFederate is deployed on-premise, use the following procedure.

Steps

  1. In the Manage Domain/Realm window, configure the following settings.

    Field Description

    Connection Type

    Select Direct.

    Domain/Realm Name

    The fully qualified domain or realm name. For example, companydomain.com.

    Domain/Realm Username

    The user ID of the domain or realm account.

    Domain/Realm Password

    The password for the domain or realm account.

    Retain Previous Keys on Password Change

    Select this check box and click Save to avoid locking out end users with existing Kerberos tickets when the service account password is updated.

    PingFederate retains each previous key for the period specified in the Key Set Retention Period field on the Manage Domain/Realm Settings tab of the Active Directory Domains/Kerberos Realms window. The default period is 610 minutes. For more information, see Managing domain connectivity settings.

    To clear the previous keys from PingFederate, clear the check box and click Save.

    This check box is selected by default.

    Domain Controller/Key Distribution Center Host Names

    (optional)

    Specify the host name or IP address of your domain controller or KDC, such as dc01-yvr, and then click Add. Repeat this step to add multiple servers.

    If a host name is used, PingFederate appends the domain to the host name to formulate the fully qualified domain name (FQDN) of the server unless the Suppress DC/Domain Concatenation check box is selected.

    If unspecified, PingFederate uses a DNS lookup.

    Suppress DC/Domain Concatenation

    Select this check box to specify the desired FQDNs under Domain Controller/Key Distribution Center Host Names. When selected, PingFederate does not append the domain to the host names.

    Test Domain/Realm Connectivity

    Tests access to the domain controller or KDC from the administrative console server.

    When a connection to any of the configured controllers or KDCs is successful, the message Test Successful appears. Otherwise, the test returns error messages near the top of the window.

    For help resolving connectivity issues, select the Debug Log Output check box on the Manage Domain/Realm Settings window, run the test again, and review the debug messages in the PingFederate server log.

    This test stops at the first successful result when multiple domain controllers or KDCs are specified, so not all servers are necessarily verified. Depending on the network architecture, the engine nodes deployed in a cluster might establish connections differently. As a result, the engine nodes and the console node might connect to different domain controllers or KDCs.

  2. Click Save.

Adding domains and realms when PingFederate is in a cloud

When PingFederate is deployed in a cloud, use the following procedure.

Before you begin

Ensure that PingFederate has a connection to a PingOne LDAP Gateway. For more information, see Gateways in the documentation for the PingOne Cloud Platform.

Steps

  1. In the Manage Domain/Realm window, configure the following settings.

    Field Description

    Connection Type

    Select Through PingOne LDAP Gateway.

    Domain/Realm Name

    The fully qualified domain or realm name. For example, companydomain.com.

    PingOne LDAP Gateway Data Store

    Select the data store that was configured for the PingOne LDAP Gateway.

    Test Domain/Realm Connectivity

    Tests access to the domain controller or KDC from the administrative console server. When a connection to the configured PingOne LDAP Gateway is successful, the message Test Successful appears. Otherwise, the test returns error messages near the top of the window.

  2. Click Save.

Adding domains and realms without KDC connectivity

When PingFederate is deployed in the cloud without Key Distribution Center (KDC) connectivity, use the following procedure.

Steps

  1. In the Manage Domain/Realm window, configure the following settings.

    Field Description

    Connection Type

    Select Local Validation.

    Domain/Realm Name

    The fully qualified domain or realm name. For example, companydomain.com.

    Domain/Realm Username

    The user ID of the domain or realm account.

    Domain/Realm Username is case sensitive. The value must match the user name part of the service account's userPrincipalName (the part before the @).

    Domain/Realm Password

    The password for the domain or realm account.

    Retain Previous Keys on Password Change

    Select this check box and click Save to avoid locking out end users with existing Kerberos tickets when the service account password is updated.

    PingFederate retains each previous key for the period specified in the Key Set Retention Period field on the Manage Domain/Realm Settings tab of the Active Directory Domains/Kerberos Realms window. The default period is 610 minutes. For more information, see Managing domain connectivity settings.

    To clear the previous keys from PingFederate, clear the check box and click Save.

    This check box is selected by default.

  2. Click Save.
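The Retain Previous Keys on Password Change behaviour described in both the on-premise and the Local Validation tables, modelled as an added example that is not PingFederate's own code: a key set keeps the current service key plus keys retired within the Key Set Retention Period, and a ticket is accepted if any key still in the set verifies it. PBKDF2 stands in for the Kerberos string-to-key derivation and an HMAC tag stands in for the ticket's key check; time is a plain minute counter. All names and values are constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Default Key Set Retention Period stated on this page, in minutes.
DEFAULT_RETENTION_MINUTES = 610


def derive_service_key(password: str, realm: str, username: str) -> bytes:
    # Kerberos salts the password with realm and principal name before
    # deriving the long-term key; PBKDF2-HMAC-SHA256 is a stand-in here.
    salt = (realm.upper() + username).encode()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 4096)


@dataclass
class RealmKeySet:
    """Current service key plus retired keys kept for the retention period."""
    realm: str
    username: str
    retain_previous: bool = True          # the check box on the page
    retention_minutes: int = DEFAULT_RETENTION_MINUTES
    current: bytes = b""
    previous: list = field(default_factory=list)   # [(key, retired_at_min)]

    def set_password(self, password: str, now_min: int) -> None:
        # A password change rotates the key. With the check box selected the
        # old key is retained; with it cleared, all previous keys are dropped.
        if self.current:
            if self.retain_previous:
                self.previous.append((self.current, now_min))
            else:
                self.previous.clear()
        self.current = derive_service_key(password, self.realm, self.username)

    def usable_keys(self, now_min: int) -> list:
        # Retired keys expire once the retention period has elapsed.
        self.previous = [(k, t) for k, t in self.previous
                         if now_min - t < self.retention_minutes]
        return [self.current] + [k for k, _ in self.previous]

    def validate(self, ticket: bytes, tag: bytes, now_min: int) -> bool:
        # Local validation: accept if any usable key verifies the ticket.
        return any(hmac.compare_digest(hmac.new(k, ticket, "sha256").digest(), tag)
                   for k in self.usable_keys(now_min))


def issue_ticket(key: bytes, payload: bytes) -> tuple:
    # Stand-in for the KDC issuing a service ticket under the key it holds.
    return payload, hmac.new(key, payload, "sha256").digest()
```

A ticket issued before the rotation keeps validating until the retired key ages out at 610 minutes; with the check box cleared it fails immediately after the password change, which is the lockout the page warns about.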