Creating SPNs
To enable Kerberos authentication, you must configure two service principal names (SPNs).
About this task
An SPN is a unique identifier of a service instance. SPNs are used by Kerberos to associate a service with a domain.
Use the Windows utility setspn to configure two SPNs for each PingOne region. To find the SPNs for various PingOne regions, see SPN reference.
You can also use ADSI Edit to configure the SPN values.
The purpose of two SPNs is future proofing. Ping Identity will migrate its infrastructure in the coming months. Adding the second HTTP/kerberos.pingone.com SPN ensures that your configuration will continue to work after the migration.
Steps
- On the domain controller, open a command prompt as an administrator.
- Enter the following command:
  setspn -S HTTP/<regionalPingOneaddress> <sAMAccountName>
  where <regionalPingOneaddress> is the SPN you want to add and <sAMAccountName> is the service account name that you want to update.
  When you run the setspn command, you must capitalize HTTP and follow it with a forward slash (/).
  For example:
  setspn -S HTTP/d3vol3lyj0eg62.cloudfront.net ping-one-kerberos-svc-account
  To find the SPNs for various PingOne regions, see SPN reference.
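The steps above as a PowerShell script for an elevated session on the domain controller, registering both SPNs and then confirming they are on the account. This is an added example, not Ping Identity's own code; the account name and regional address are this page's example values, and the hostname pattern used for validation is an assumption.

```powershell
# Added example: register both SPNs on the service account and confirm them.
# Replace the example values below with your own account and regional address.
$Account = 'ping-one-kerberos-svc-account'     # sAMAccountName of the service account
$Spns = @(
    'HTTP/d3vol3lyj0eg62.cloudfront.net',      # regional SPN (example value from this page)
    'HTTP/kerberos.pingone.com'                # second SPN for the planned migration
)

foreach ($spn in $Spns) {
    # The service class must be upper-case HTTP followed by a forward slash.
    # -cnotmatch is the case-sensitive form, so 'http/...' is rejected here.
    # The hostname character set is an assumption made for this check.
    if ($spn -cnotmatch '^HTTP/[A-Za-z0-9.-]+$') {
        throw "Malformed SPN '$spn': expected HTTP/<hostname>"
    }
    # -S verifies that no duplicate SPN exists in the domain before adding it.
    & setspn.exe -S $spn $Account
}

# -L lists the SPNs registered on the account, one per indented line.
$registered = (& setspn.exe -L $Account) | ForEach-Object { $_.Trim() }

# -notcontains compares case-insensitively, matching how SPNs are looked up.
$missing = $Spns | Where-Object { $registered -notcontains $_ }
if ($missing) {
    throw "Not registered on ${Account}: $($missing -join ', ')"
}
"Both SPNs are registered on $Account."
```

If setspn -S reports a duplicate, the SPN is already held by another account and must be removed from that account before it can be added here.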