PingID Administration Guide

Configuring Kerberos proxy authentication for the PingID desktop app

The PingID app supports proxy authentication using the Kerberos protocol, delegating the machine credentials for authentication to the organizational proxy.

Before you begin

Install the PingID desktop app 1.5.2 or later.

About this task

The PingID desktop app supports proxy authentication using the Kerberos protocol, delegating the machine credentials for authentication to the organizational proxy. The HTTP client uses Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO) to negotiate the authentication method.

When Kerberos is the agreed protocol, the client uses a ticket generated by the Key Distribution Center (KDC) for the proxy authentication that can be used multiple times. The Kerberos ticket expiry period might vary according to the KDC configuration.

Steps

  1. Ensure that a Kerberos token is initialized on the user’s operating system.

    1. From the command line or terminal window, run klist to verify that a valid Kerberos token is available.

  2. From the command line or terminal window, enter the following command:

    Choose from:

    • Windows:

      "C:\Program Files(x86)\Ping Identity\PingID\ProxyHelperSetup.exe"
      <host> <port> -kerberos
    • Mac:

      sudo /Applications/PingID.app/Contents/MacOS/ProxyHelperSetup
      <host> <port> -kerberos
  3. From the command line or terminal window, enter the following command to test Proxy Auto Configuration (PAC) with Kerberos:

    Choose from:

    • Windows:

      "C:\Program Files(x86)\Ping Identity\PingID\ProxyHelperSetup.exe"
      -pac -kerberos
    • Mac:

      sudo /Applications/PingID.app/Contents/MacOS/ProxyHelperSetup -pac -kerberos