Configure Active Directory to access a domain and enable Kerberos as an authentication option for it.
Do not configure subdomains if the parent domain in the same forest is already configured. For more information, see Multiple-domain support.
You must have Domain Administrator permissions to make the required changes.
- Create a domain user account that PingFederate can use to contact the Kerberos Key Distribution Center (KDC). The account should belong to the Domain Users group. We recommend that you set the password with no expiration.
Use the Windows utility setspn to register Service Principal
Name (SPN) directory properties for the account by executing the following command on
the domain controller.
setspn -s HTTP/<pf-idp.domain.name> <pf-server-account-name>, where <pf-idp.domain.name> is the canonical name of the PingFederate server and <pf-server-account-name> is the domain account you want to use for Kerberos authentication. For more information on canonical name, see https://tools.ietf.org/html/rfc2181#section-10.Note:
When executing the setspn command, you must capitalize
HTTPand follow it with a forward slash (
Verify that the registration was successful by executing the following
setspn -l <pf-server-account-name>
This gives you a list of SPNs for the account. Verify that
HTTP/<pf-idp.domain.name>is one of them.Note:
After making an SPN change, any authenticated end users must re-authenticate by closing the browser or signing off and back on before attempting single sign-on (SSO).