You can enable Kerberos authentication for Windows users on the Kerberos Authentication tab.


Prior to enabling Kerberos authentication, you must make several Active Directory configuration changes to add the domain to PingFederate. For more information, see Configuring the Active Directory environment.

  1. Select the Configure Kerberos Authentication check box and provide the required information.
    For information about each field, refer to the following table.
    | Field | Description |
    |---|---|
    | Realm Name | Enter the fully qualified domain name. |
    | Realm Username | Enter the service account that PingFederate can use to communicate with Active Directory for the purpose of Kerberos authentication. |
    | Realm Password | Enter the service account password. |
    | Internal IP Ranges | Enter one or more network ranges. PingFederate can try authenticating with the Kerberos protocol when handling requests that originate from IP addresses in these ranges. Typically, these are internal network ranges with access to one or more key distribution centers (KDCs) in your domain. To remove an entry, select it from the list and then click Delete. |
    | KDC Hostnames | Enter the host name or the IP address of the applicable KDC. This field is optional. Multiple hosts are allowed. If left unspecified, PingFederate uses a DNS query to find a list of KDCs. To remove an entry, select it from the list and then click Delete. |

  2. Optional: To verify your configuration, click Test.

    When PingFederate has multiple key distribution centers (KDCs) to try, either returned by a DNS query or specified in the configuration, the test stops as soon as one of them succeeds. As a result, PingFederate does not necessarily verify all KDCs.

  3. Click Next.
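
Because the test in step 2 stops at the first KDC that succeeds, it can help to check every KDC separately. The following Python script is an added example, not part of PingFederate or its documentation: it attempts a TCP connection to port 88 (the standard Kerberos port) on each host name you pass it and reports all of them. It assumes that your KDCs accept Kerberos over TCP, and a successful connection shows reachability only, not that the realm credentials are valid.

```python
import socket
import sys

KERBEROS_PORT = 88  # standard Kerberos KDC port


def check_kdc(host, port=KERBEROS_PORT, timeout=3.0):
    """Try one TCP connection to a KDC and return (reachable, detail)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "TCP connect succeeded"
    except OSError as exc:
        # OSError covers name resolution failure, refusal and timeout.
        return False, f"{type(exc).__name__}: {exc}"


def check_all_kdcs(hosts, port=KERBEROS_PORT, timeout=3.0):
    """Probe every host in the list; do not stop at the first success."""
    results = {}
    for host in hosts:
        results[host] = check_kdc(host, port, timeout)
    return results


def unreachable(results):
    """Return the sorted list of hosts that could not be reached."""
    return sorted(host for host, (ok, _) in results.items() if not ok)


if __name__ == "__main__":
    # Pass the same hosts you entered in KDC Hostnames, or the hosts
    # your DNS returns for the realm, as command-line arguments.
    kdc_hosts = sys.argv[1:]
    if not kdc_hosts:
        sys.exit("usage: check_kdcs.py KDC_HOST [KDC_HOST ...]")
    report = check_all_kdcs(kdc_hosts)
    for host, (ok, detail) in report.items():
        print(f"{'OK  ' if ok else 'FAIL'} {host}:{KERBEROS_PORT} {detail}")
    sys.exit(1 if unreachable(report) else 0)
```

The script exits with a nonzero status when any listed KDC is unreachable, so it can run as a scheduled health check.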

Kerberos authentication also requires browser-specific configuration. For more information, see Configuring end-user browsers.