If you have chosen to connect PingFederate to Microsoft Active Directory, the Kerberos Authentication screen becomes available. On the Kerberos Authentication screen, you can optionally enable Kerberos authentication for Windows users.

Note:

Prior to enabling Kerberos authentication, you must make several Active Directory configuration changes to grant PingFederate Bridge access to the domain and add the domain to PingFederate Bridge. For more information, see Configuring the Active Directory environment.

  1. Select the Configure Kerberos Authentication check box and then provide the required information.
    For more information about each field, refer to the following table.
    Field Description
    Realm Name Enter the fully qualified domain name.
    Realm Username Enter the service account that PingFederate can use to communicate with Active Directory for the purpose of Kerberos authentication.
    Realm Password Enter the password associated with the service account.
    Internal IP Ranges Enter one or more network ranges where PingFederate can try authenticating via the Kerberos protocol when handling requests originating from such IP addresses.

    Typically, these are internal network ranges with access to one or more key distribution centers (KDCs) in your domain.

    To remove an entry, select it from the list and then click Delete.

    KDC Hostnames

    (Optional)

    Enter the host name or the IP address of the applicable KDC.

    This field is optional. Multiple hosts are allowed. If left unspecified, PingFederate uses a DNS query to find a list of KDCs.

    To remove an entry, select it from the list and then click Delete.

  2. Optional: Click Test to verify your configuration.

    The administrative console returns the test result when the test completes.

    Note:

    When multiple KDCs are returned as a result of a DNS query or provided as part of the configuration, this test stops when it succeeds. As a result, not all KDCs are necessarily verified.

  3. Click Next.

You must also configure browsers at your site in order to use the Kerberos Adapter to authenticate users. For more information, see Configuring end-user browsers.