PingOne

Troubleshooting Kerberos

I am unable to log in using Kerberos through the PingOne gateway

If you have configured the PingOne gateway to support Kerberos authentication but are still seeing a login screen, check the audit logs for any Kerberos failures. Learn more in Event types.

{
  "id" : "f0509c78-9d00-4c69-92e0-6528d7cd5494",
  "code" : "ACCESS_FAILED",
  "message" : "The request could not be completed. You do not have access to this resource.",
  "details" : [ {
    "code" : "INVALID_TOKEN",
    "message" : "Kerberos ticket is invalid"
  } ]
}

The Kerberos ticket is invalid error shows that the browser did submit a Kerberos ticket, but the ticket was invalid or otherwise could not be processed.

This error occurs when:

The KDC is not issuing tickets with AES Encryption

  1. In Windows, open a command prompt and enter klist.

    There should be a ticket for the services for which you configured SPNs (for example, kerberos.pingone.com and d3vol3lyj0eg62.cloudfront.net). Learn more in Creating SPNs.

  2. Check the KerbTicket Encryption Type.

    If the KerbTicket Encryption Type is RSADSI RC4-HMAC, PingOne will not accept the ticket, because PingOne requires AES encryption.

    1. On your server, in Active Directory Users and Computers, find the user account that is attempting to access PingOne using Kerberos.

    2. Right-click the account and select Properties.

    3. Click the Account tab.

    4. In the Account Options section, select This account supports Kerberos AES 256 bit encryption.

    If the login error persists, you might need to purge existing Kerberos tickets.

  3. To purge tickets:

    1. Open a command prompt and enter klist purge.

    2. Sign out of Windows and sign back in.

    3. Attempt Kerberos authentication.

Discuss with your Active Directory admin the best way to ensure the KDC issues tickets using AES Encryption for all users.
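The klist check in steps 1 and 2 above can be automated. The script below is an added example, not part of the PingOne documentation: it parses klist output, maps each configured SPN host to the ticket the client holds for it, and reports whether the ticket is missing or was issued with a non-AES encryption type. The klist output embedded in it is constructed (the realm EXAMPLE.COM and the user jdoe are placeholders), and the HTTP/ service class on the SPNs is an assumption.

```python
import re
import subprocess
import sys

# Constructed sample of `klist` output for a Windows user; the ticket for
# kerberos.pingone.com was deliberately given the RC4 type the page warns about.
SAMPLE_KLIST = """\
Current LogonId is 0:0x3e7

Cached Tickets: (3)

#0>     Client: jdoe @ EXAMPLE.COM
        Server: krbtgt/EXAMPLE.COM @ EXAMPLE.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Kdc Called: dc01.example.com

#1>     Client: jdoe @ EXAMPLE.COM
        Server: HTTP/kerberos.pingone.com @ EXAMPLE.COM
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
        Kdc Called: dc01.example.com

#2>     Client: jdoe @ EXAMPLE.COM
        Server: HTTP/d3vol3lyj0eg62.cloudfront.net @ EXAMPLE.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
        Kdc Called: dc01.example.com
"""

# One match per cached ticket: the Server line and the KerbTicket Encryption
# Type line that follow each "#n>" Client header.
TICKET_RE = re.compile(
    r"^#\d+>\s+Client: .*?\n"
    r"\s+Server: (?P<server>.+?)\n"
    r"\s+KerbTicket Encryption Type: (?P<etype>.+?)$",
    re.MULTILINE,
)


def parse_klist(text):
    """Return a list of (server_principal, encryption_type) tuples."""
    return [(m.group("server").strip(), m.group("etype").strip())
            for m in TICKET_RE.finditer(text)]


def service_host(server_principal):
    """'HTTP/kerberos.pingone.com @ EXAMPLE.COM' -> 'kerberos.pingone.com'."""
    name = server_principal.split("@")[0].strip()   # drop the realm
    return name.split("/", 1)[-1].lower()            # drop the service class


def check_spn_tickets(klist_text, expected_hosts):
    """Map each expected SPN host to 'ok', 'missing' or 'not-aes'.

    'ok'       a ticket for the host exists and uses an AES encryption type
    'missing'  no ticket for the host is cached (the browser never asked the
               KDC for one, or the SPN is not registered)
    'not-aes'  a ticket exists but uses RC4 or another non-AES type, which
               PingOne rejects
    """
    by_host = {service_host(s): e for s, e in parse_klist(klist_text)}
    result = {}
    for host in expected_hosts:
        etype = by_host.get(host.lower())
        if etype is None:
            result[host] = "missing"
        elif etype.upper().startswith("AES"):
            result[host] = "ok"
        else:
            result[host] = "not-aes"
    return result


if __name__ == "__main__":
    # On Windows, read the live ticket cache; elsewhere fall back to the sample.
    if sys.platform == "win32":
        text = subprocess.run(["klist"], capture_output=True, text=True).stdout
    else:
        text = SAMPLE_KLIST
    hosts = sys.argv[1:] or ["kerberos.pingone.com", "d3vol3lyj0eg62.cloudfront.net"]
    for host, status in check_spn_tickets(text, hosts).items():
        print(f"{host}: {status}")
```

Run it on the workstation as the user who cannot log in, passing the SPN hosts you configured; a 'not-aes' result points at the AES account setting (and a ticket purge) described above, while 'missing' means the browser never obtained a service ticket at all, which is a different problem from an invalid one.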

The service account for the PingOne Gateway is not configured to use AES Encryption for Kerberos

  1. In Active Directory Users and Computers, find the service account you’ve configured for the PingOne Gateway Kerberos integration.

  2. Right-click the account and select Properties.

  3. On the Account tab, in the Account Options section, select This account supports Kerberos AES 256 bit encryption.

  4. Restart the Gateway instance. Learn more in Starting a gateway instance.

  5. Confirm that Kerberos login is working.

    If Kerberos authentication is still not working, purge existing Kerberos tickets.

  6. To purge tickets:

    1. Open a command prompt and enter klist purge.

    2. Sign out of Windows and sign back in.

    3. Attempt Kerberos authentication.

  7. If Kerberos authentication is still not working, you must reset the password for the service account, because the account's AES keys are derived from its password and are only generated when the password is set after AES is enabled. Then, repeat step 6.
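The checkbox in step 3 above sets a bit in the account's msDS-SupportedEncryptionTypes attribute, so you can confirm the service account's state without opening the GUI. The decoder below is an added example, not PingOne's code: it takes the integer value of that attribute (for instance as shown by Get-ADUser with -Properties msDS-SupportedEncryptionTypes) and reports whether AES 256 is enabled. The bit values are the ones documented for the attribute in MS-KILE; the sample values fed to it are constructed.

```python
# Bit values of the Active Directory msDS-SupportedEncryptionTypes attribute
# (MS-KILE). "This account supports Kerberos AES 256 bit encryption" sets 0x10;
# the AES 128 checkbox sets 0x08.
ENC_TYPE_BITS = {
    0x01: "DES-CBC-CRC",
    0x02: "DES-CBC-MD5",
    0x04: "RC4-HMAC",
    0x08: "AES128-CTS-HMAC-SHA1-96",
    0x10: "AES256-CTS-HMAC-SHA1-96",
}

AES256 = "AES256-CTS-HMAC-SHA1-96"
AES128 = "AES128-CTS-HMAC-SHA1-96"


def decode_enc_types(value):
    """Return the set of encryption types enabled by an attribute value.

    None (attribute not set on the account) is treated as 0.
    """
    value = value or 0
    return {name for bit, name in ENC_TYPE_BITS.items() if value & bit}


def assess_service_account(value):
    """Classify the gateway service account's attribute value.

    'aes'          AES 256 is enabled (the setting the procedure asks for)
    'aes128-only'  AES 128 is enabled but AES 256 is not
    'no-aes'       only RC4 and/or DES types are enabled: tickets will be RC4
    'default'      attribute absent or 0: the domain default applies, which is
                   not guaranteed to be AES
    """
    types = decode_enc_types(value)
    if AES256 in types:
        return "aes"
    if AES128 in types:
        return "aes128-only"
    if types:
        return "no-aes"
    return "default"


def rc4_still_enabled(value):
    """True when RC4 remains enabled alongside whatever else is set."""
    return "RC4-HMAC" in decode_enc_types(value)


if __name__ == "__main__":
    # Constructed sample values, as an administrator might read them off
    # Get-ADUser output for several accounts.
    for sample in (None, 0x04, 0x0C, 0x18, 0x1C):
        print(f"{sample!r:6} -> {assess_service_account(sample):12} "
              f"{sorted(decode_enc_types(sample))}")
```

A result of 'aes' confirms the checkbox took effect, but an 'aes' account that still has RC4 enabled (rc4_still_enabled returns True) can still be issued RC4 tickets if the client or KDC negotiates them, which is why the page asks your Active Directory admin to ensure the KDC issues AES tickets for all users. If the value reads 'aes' and logins still fail after a purge, the keys themselves are the remaining suspect, which is what step 7's password reset addresses.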