Troubleshooting Kerberos authentication
I am unable to sign on using Kerberos through the PingOne gateway
If you’ve configured the PingOne gateway to support Kerberos authentication, but you’re still seeing a sign-on screen, check the audit logs for any Kerberos failures.
You can find a complete list of events logged in PingOne in Audit Reporting Events in the PingOne API documentation.
{
  "id": "f0509c78-9d00-4c69-92e0-6528d7cd5494",
  "code": "ACCESS_FAILED",
  "message": "The request could not be completed. You do not have access to this resource.",
  "details": [
    {
      "code": "INVALID_TOKEN",
      "message": "Kerberos ticket is invalid"
    }
  ]
}
The Kerberos ticket is invalid error indicates that the browser submitted a Kerberos ticket, but PingOne could not validate or otherwise process it. This error occurs when:
The KDC isn't issuing tickets with AES encryption
1. In Windows, open a command prompt and enter klist. There should be a ticket for each service for which you configured SPNs, for example HTTP/kerberos.pingone.com and HTTP/d3vol3lyj0eg62.cloudfront.net. Learn more in Creating SPNs.
2. Check the KerbTicket Encryption Type. If the KerbTicket Encryption Type is RSADSI RC4-HMAC, PingOne will not accept the ticket, because PingOne requires AES encryption.
3. On your server, in Active Directory Users and Computers, find the user account that is attempting to access PingOne using Kerberos.
4. Right-click the account and select Properties.
5. Click the Account tab.
6. In the Account Options section, select This account supports Kerberos AES 256 bit encryption. If there is a login error, you might need to purge existing Kerberos tickets.
7. To purge tickets:
   a. Open a command prompt and enter klist purge.
   b. Sign off from Windows and sign back on.
   c. Attempt Kerberos authentication.
Note: Discuss the best way to ensure that the Key Distribution Center (KDC) issues tickets using AES encryption for all users with your Active Directory (AD) admin.
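The klist check in steps 1 and 2 can be scripted so that the encryption type of every gateway ticket is reported at once. The following PowerShell is an added example, not part of the PingOne documentation: it parses the output of klist on the user's Windows workstation and flags any cached ticket for the configured SPNs whose KerbTicket Encryption Type is RC4. The two SPNs are the examples used on this page; replace them with the SPNs you actually registered.

```powershell
# Added diagnostic (not PingOne's own tooling). The SPNs below are this page's
# examples and are assumed to be the ones configured for your gateway.
$Spns = @('HTTP/kerberos.pingone.com', 'HTTP/d3vol3lyj0eg62.cloudfront.net')

function Get-KerberosTicketInfo {
    # Parse klist output into one object per cached ticket.
    # klist prints blocks that start with "#N> Client: ..." followed by
    # indented "Server:" and "KerbTicket Encryption Type:" lines.
    $tickets = @()
    $current = $null
    foreach ($line in (klist)) {
        if ($line -match '^#\d+>\s+Client:\s+(.+)$') {
            if ($current) { $tickets += $current }
            $current = [pscustomobject]@{
                Client         = $Matches[1].Trim()
                Server         = ''
                EncryptionType = ''
            }
        }
        elseif ($current -and $line -match '^\s+Server:\s+(.+)$') {
            $current.Server = $Matches[1].Trim()
        }
        elseif ($current -and $line -match '^\s+KerbTicket Encryption Type:\s+(.+)$') {
            $current.EncryptionType = $Matches[1].Trim()
        }
    }
    if ($current) { $tickets += $current }
    return $tickets
}

function Test-GatewayTicketEncryption {
    param([Parameter(Mandatory)][string[]]$ServicePrincipalNames)
    $tickets = Get-KerberosTicketInfo
    foreach ($spn in $ServicePrincipalNames) {
        # klist shows the server as "SPN @ REALM"; match on the SPN part only.
        $ticket = $tickets | Where-Object { $_.Server -like "$spn @ *" } | Select-Object -First 1
        if (-not $ticket) {
            Write-Warning "No cached ticket for $spn. Browse to the gateway first, or check the SPN registration."
            continue
        }
        if ($ticket.EncryptionType -match 'RC4') {
            Write-Warning "$spn ticket uses $($ticket.EncryptionType); PingOne requires AES. Enable AES on the account, then run 'klist purge' and sign on again."
        }
        elseif ($ticket.EncryptionType -match 'AES') {
            Write-Host "$spn ticket uses $($ticket.EncryptionType) (OK)"
        }
        else {
            Write-Warning "$spn ticket uses unrecognised encryption type '$($ticket.EncryptionType)'"
        }
    }
}

Test-GatewayTicketEncryption -ServicePrincipalNames $Spns
```

Run it in the user's own logon session (not an elevated prompt started under another account), because klist lists only the tickets of the current logon session; a ticket for the SPN appears only after the browser has attempted to reach the gateway.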
The service account for the PingOne gateway isn't configured to use AES encryption for Kerberos
1. On a Windows-based computer, open Active Directory Users and Computers and locate the service account you configured for the PingOne LDAP gateway Kerberos integration.
2. Right-click the service account and click Properties.
3. On the Account tab, in the Account Options section, select the This account supports Kerberos AES 256 bit encryption checkbox.
4. Restart the gateway instance. Learn more in Starting a gateway instance.
5. Confirm that Kerberos authentication is working.
6. If Kerberos authentication still isn't working, purge existing Kerberos tickets:
   a. Open a command prompt and enter klist purge.
   b. Sign off from Windows and sign back on.
   c. Attempt Kerberos authentication.
7. If Kerberos authentication still isn't working after purging existing Kerberos tickets, reset the password for the service account and purge existing Kerberos tickets again.
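Step 3 above can be checked and applied from PowerShell instead of the Active Directory Users and Computers dialog, which is useful when you want to verify the account's current state before and after the change. The script below is an added example, not part of the PingOne documentation. It assumes the ActiveDirectory PowerShell module is installed, and 'svc-pingone-gw' is a placeholder for the sAMAccountName of your gateway service account.

```powershell
# Added example (not PingOne's own tooling). Assumes the ActiveDirectory module is
# available; 'svc-pingone-gw' is a placeholder for your gateway service account.
Import-Module ActiveDirectory

# Bit values of the msDS-SupportedEncryptionTypes attribute.
$RC4_HMAC = 0x4
$AES128   = 0x8
$AES256   = 0x10

function Get-AccountKerberosEncryption {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $user = Get-ADUser -Identity $SamAccountName -Properties 'msDS-SupportedEncryptionTypes'
    # An unset attribute reads as 0, meaning the domain default applies, so it
    # is reported as "AES not enabled" for this account.
    $mask = [int]$user.'msDS-SupportedEncryptionTypes'
    [pscustomobject]@{
        Account    = $SamAccountName
        Mask       = $mask
        Rc4Allowed = (($mask -band $RC4_HMAC) -ne 0)
        Aes128     = (($mask -band $AES128) -ne 0)
        Aes256     = (($mask -band $AES256) -ne 0)
    }
}

function Enable-AccountAes256 {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $before = Get-AccountKerberosEncryption -SamAccountName $SamAccountName
    if ($before.Aes256) {
        Write-Host "$SamAccountName already supports Kerberos AES 256 (mask $($before.Mask))."
        return $before
    }
    # Same change as ticking "This account supports Kerberos AES 256 bit encryption" in ADUC.
    Set-ADUser -Identity $SamAccountName -KerberosEncryptionType AES256
    $after = Get-AccountKerberosEncryption -SamAccountName $SamAccountName
    Write-Host "$SamAccountName encryption mask changed from $($before.Mask) to $($after.Mask)."
    return $after
}

$result = Enable-AccountAes256 -SamAccountName 'svc-pingone-gw'
if (-not $result.Aes256) {
    Write-Warning "AES 256 is still not enabled on $($result.Account); check that you have write access to the account."
}
```

The attribute change takes effect only for tickets issued afterwards, so the gateway restart and klist purge in steps 4 through 6 are still required. The KDC can issue an AES service ticket only if the account has AES keys, and those keys are derived from the password when it is set; that is why step 7 falls back to resetting the service account password when enabling the flag alone does not help.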
A user is getting HTTP error 413 or 431
Kerberos tickets containing user group information can exceed the PingOne header size limit, causing PingOne to return HTTP error 413 Content Too Large or HTTP error 431 Request Header Fields Too Large.
Note: The PingOne header size limit is 6 KB.
Reduce the number of groups the user is a member of so that the Kerberos ticket is smaller.