If your network uses multiple domains in a single server forest, you need to configure only one domain within PingFederate, provided that domain has a trust relationship with the other domains you want to use. This trust relationship is established by default when subdomains or separate domains are created within the same forest. For more information, see How Domain and Forest Trusts Work (technet.microsoft.com/en-us/library/cc773178(v=ws.10).aspx) from Microsoft.


If you are configuring only one domain, then you also need to configure only one Service Principal Name (see Configuring the Active Directory environment).

If your network topology consists of multiple forests without a trust relationship between them, you must configure multiple adapter or token processor instances. Map each instance to a separate domain, and then map these adapter or token processor instances to your SP connections that authenticate using the integrated Kerberos Adapter, the integrated Kerberos Token Processor, or the (separately available) IWA Adapter.
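One way to check which of the two cases above applies to each user domain before creating adapter instances, as an added example that is not part of the PingFederate documentation. It assumes the ActiveDirectory PowerShell module (RSAT) and read access to the directory; the domain names are placeholders and the function name `Get-KerberosDomainCoverage` is hypothetical.

```powershell
# Added example. Domain names are placeholders, not values from this page.
Import-Module ActiveDirectory

function Get-KerberosDomainCoverage {
    param(
        [Parameter(Mandatory)] [string]   $ConfiguredDomain,  # the domain configured in PingFederate
        [Parameter(Mandatory)] [string[]] $UserDomains        # domains your users sign on from
    )

    # Domains in the same forest trust each other by default.
    $forestDomains = (Get-ADForest -Server $ConfiguredDomain).Domains

    # Trusts defined explicitly on the configured domain.
    $trusts = @(Get-ADTrust -Filter * -Server $ConfiguredDomain)

    foreach ($domain in $UserDomains) {
        $trust = $trusts | Where-Object { $_.Target -eq $domain } | Select-Object -First 1

        # Users of another domain can only obtain tickets for a service in the
        # configured domain if the configured domain trusts them: an Outbound or
        # BiDirectional trust as seen from the configured domain.
        $status =
            if ($forestDomains -contains $domain) {
                'Same forest: covered by the single configured domain'
            } elseif ($trust -and "$($trust.Direction)" -in 'Outbound', 'BiDirectional') {
                'Trusted: covered by the single configured domain'
            } else {
                'No usable trust found: needs its own adapter or token processor instance'
            }

        [pscustomobject]@{
            UserDomain = $domain
            Direction  = if ($trust) { "$($trust.Direction)" } else { '-' }
            Result     = $status
        }
    }
}

# Placeholder values; replace with your own domains.
Get-KerberosDomainCoverage -ConfiguredDomain 'corp.example.com' `
    -UserDomains 'emea.corp.example.com', 'partner.example.net' |
    Format-Table -AutoSize -Wrap
```

A child domain of a trusted forest is not itself listed as a trust target, so it is reported as having no usable trust; verify such domains manually against the forest trust on the root domain.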

For information about configuring the PingFederate Integrated Windows Authentication (IWA) adapter for multiple-domain Active Directory trusts, see https://support.pingidentity.com/s/article/How-to-configure-IWA-with-multiple-Active-Directory-trusts.