PingOne

Creating SPNs

To enable Kerberos authentication, you must configure two service principal names (SPNs).

An SPN is a unique identifier of a service instance; Kerberos uses it to associate a service with the DNS host name at which it is reached. When a URL issues a Kerberos authentication challenge, the SPN ensures that Windows generates a credential (a service ticket) that can be validated only by the service account that holds that SPN.

Use the Windows utility setspn to configure two SPNs for each PingOne geography. See SPN reference for the SPN values of each PingOne geography.

You can also use ADSI Edit to configure the SPN values.

The second SPN is for future proofing. Ping Identity will migrate its infrastructure in the coming months, and adding the HTTP/kerberos.pingone.com SPN now ensures that your configuration continues to work after the migration.

Steps

  1. On the domain controller, open a command prompt as an administrator.

  2. Enter the following command: setspn -S HTTP/<geoPingOneaddress> <sAMAccountName>

    where <geoPingOneaddress> is the PingOne host name for your geography (the SPN you add is HTTP/ followed by that host name), and <sAMAccountName> is the service account to which you want to add the SPN.

    Although you can reuse the service account previously created for LDAP operations, you should instead use a second, dedicated service account that is used only for Kerberos authentication.

    When you run the setspn command, you must capitalize HTTP and follow it with a forward slash (/).

    For example: setspn -S HTTP/d3vol3lyj0eg62.cloudfront.net ping-one-kerberos-svc-account
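The following PowerShell script is an added example, not part of the PingOne documentation: it registers both SPNs for one geography on a dedicated Kerberos service account, first checking that neither SPN is already held by another object in the forest (a duplicate SPN is the most common reason Kerberos to a URL silently fails), then verifies the result. It assumes an elevated session on a domain controller or an RSAT host with the ActiveDirectory module and setspn.exe available; the host name and account name are placeholders to be replaced with the values from SPN reference.

```powershell
# Added example, not from the PingOne documentation. Registers both SPNs for one PingOne
# geography on a dedicated Kerberos service account and verifies the result.
# Assumptions: elevated PowerShell on a domain controller (or RSAT host) with the
# ActiveDirectory module and setspn.exe; hostname and account below are placeholders.
Import-Module ActiveDirectory

$ServiceAccount = 'ping-one-kerberos-svc-account'   # sAMAccountName of the Kerberos-only account
$Spns = @(
    'HTTP/d3vol3lyj0eg62.cloudfront.net',          # geography-specific SPN (value shown in the steps above)
    'HTTP/kerberos.pingone.com'                     # second SPN kept for the infrastructure migration
)

foreach ($spn in $Spns) {
    # An SPN must map to exactly one account in the forest. If another object already holds it,
    # the KDC can issue tickets for the wrong principal and authentication fails silently, so
    # name the conflicting object instead of letting setspn abort with a generic message.
    $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties sAMAccountName)
    $others = $owners | Where-Object { $_.sAMAccountName -ne $ServiceAccount }
    if ($others) {
        throw "SPN $spn is already registered on $($others.DistinguishedName -join '; '); remove it there first."
    }
    if ($owners) {
        Write-Host "SPN $spn is already present on $ServiceAccount, skipping."
        continue
    }
    # setspn -S performs its own forest-wide duplicate check before adding; HTTP must be upper case.
    & setspn.exe -S $spn $ServiceAccount | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "setspn failed for $spn (exit code $LASTEXITCODE)" }
}

# Verify: both SPNs must now be on the service account (AD SPN comparison is case-insensitive).
$registered = (Get-ADUser -Identity $ServiceAccount -Properties servicePrincipalName).servicePrincipalName
$missing = $Spns | Where-Object { $registered -notcontains $_ }
if ($missing) { throw "SPNs not registered: $($missing -join ', ')" }
Write-Host "SPNs registered on ${ServiceAccount}:`n$($registered -join "`n")"
```

Run it once per PingOne geography you use, changing only the geography-specific SPN; the HTTP/kerberos.pingone.com entry is shared.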