---
title: Creating SPNs
description: To enable Kerberos authentication, you must configure two service principal names (SPNs).
component: pingone
page_id: pingone:integrations:p1_creating_spns
canonical_url: https://docs.pingidentity.com/pingone/integrations/p1_creating_spns.html
revdate: May 23, 2024
section_ids:
  steps: Steps
---

# Creating SPNs

To enable Kerberos authentication, you must configure two service principal names (SPNs).

An SPN is a unique identifier of a service instance and is used by Kerberos to associate a service with a DNS domain. When a Kerberos authentication challenge is issued by a URL, the SPN ensures that Windows generates a credential that can only be validated by that service account.

Use the Windows utility `setspn` to configure two SPNs for each PingOne geography. Learn more about how to find the SPNs for the different PingOne geographies in [SPN reference](p1_spn_reference.html).

You can also use ADSI Edit to configure the SPN values.

The purpose of two SPNs is future-proofing. Ping Identity will migrate its infrastructure in the coming months. Adding the second `HTTP/kerberos.pingone.com` SPN ensures that your configuration will continue to work after the migration.

## Steps

1. On the domain controller, open a command prompt as an administrator.

2. Enter the following command: `setspn -S HTTP/<geoPingOneaddress> <sAMAccountName>`

   where `<geoPingOneaddress>` is the SPN you want to add, and `<sAMAccountName>` is the service account name that you want to update.

   Although you can use the same service account previously created for LDAP operations, you should use a second dedicated service account used only for Kerberos authentication.

   When you run the `setspn` command, you must capitalize `HTTP` and follow it with a forward slash (`/`).

   For example: `setspn -S HTTP/d3vol3lyj0eg62.cloudfront.net ping-one-kerberos-svc-account`
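The following PowerShell sketch is an added example, not part of the original Ping Identity procedure: it registers both SPNs on one service account with `setspn -S`, then confirms the result with `setspn -L` and `setspn -Q`. The account name and geography host are the sample values from this page and are assumptions to replace with your own.

```powershell
# Added example: register and verify both SPNs for one service account.
# Run in an elevated PowerShell session on the domain controller.
# Both values below are the page's sample values; substitute your own.
$Account = 'ping-one-kerberos-svc-account'
$Spns = @(
    'HTTP/d3vol3lyj0eg62.cloudfront.net',   # SPN for your PingOne geography
    'HTTP/kerberos.pingone.com'             # second SPN kept for the migration
)

foreach ($spn in $Spns) {
    # The service class must be upper-case HTTP followed by a forward slash.
    # -cnotmatch is the case-sensitive form of -notmatch.
    if ($spn -cnotmatch '^HTTP/[A-Za-z0-9.-]+$') {
        Write-Error "Rejected '$spn': expected HTTP/<host>"
        continue
    }

    # -S searches the domain for an existing registration of this SPN
    # before adding it, so the same SPN cannot end up on two accounts.
    & setspn.exe -S $spn $Account
}

# List what is now registered on the account and check each expected SPN.
$registered = & setspn.exe -L $Account
foreach ($spn in $Spns) {
    if ($registered -match [regex]::Escape($spn)) {
        Write-Output "Registered on ${Account}: $spn"
    }
    else {
        Write-Warning "Not registered on ${Account}: $spn"
        # -Q reports which account, if any, already holds this SPN.
        & setspn.exe -Q $spn
    }
}
```

If an SPN is reported as not registered, the `setspn -Q` output shows whether another account already holds it; remove it from that account before rerunning the registration.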
