If you have chosen to connect PingFederate to Microsoft Active Directory, the Kerberos Authentication screen becomes available. On the Kerberos Authentication screen, you can optionally enable Kerberos authentication for Windows users.


If you have not created or configured a service account for Kerberos authentication, see Configuring the Active Directory environment for additional steps. You must have Domain Administrator permissions to make the required changes.

  1. Select the Configure Kerberos Authentication check box and then provide the required information.
    For more information about each field, refer to the following table.
    Field Description
    Realm Name Enter the fully qualified domain name.
    Realm Username Enter the service account that PingFederate can use to communicate with Active Directory for the purpose of Kerberos authentication.
    Realm Password Enter the password associated with the service account.
    Internal IP Ranges Enter one or more network ranges where PingFederate can try authenticating via the Kerberos protocol when handling requests originating from such IP addresses.

    Typically, these are internal network ranges with access to one or more key distribution centers (KDCs) in your domain.

    To remove an entry, select it from the list and then click Delete.

    KDC Hostnames


    Enter the host name or the IP address of the applicable KDC.

    This field is optional. Multiple hosts are allowed. If left unspecified, PingFederate uses a DNS query to find a list of KDCs.

    To remove an entry, select it from the list and then click Delete.

  2. Click Next.

Kerberos authentication also requires browser-specific configuration. For more information, see Configuring end-user browsers.