Configuring the Active Directory environment - PingFederate - 11.2

PingFederate Server

bundle
pingfederate-112
ft:publication_title
PingFederate Server
Product_Version_ce
PingFederate 11.2
category
Administrator
Administratorguide
Audience
Capability
ContentType
DeploymentMethod
Guide
Product
Productdocumentation
SingleSignonSSO
Software
SystemAdministrator
pf-112
pingfederate
ContentType_ce
Guide
Guide > Administrator Guide
Product documentation

You can configure Active Directory to access a domain and enable Kerberos as an authentication option for it.

To enable Kerberos authentication, you must make several Active Directory configuration changes to grant PingFederate access to the domain and add the domain to PingFederate.
Important:

Do not configure subdomains if the parent domain in the same forest is already configured. For more information, see Multiple-domain support.

Note:

You must have Domain Administrator permissions to make the required changes.

  1. Create a domain user account that PingFederate can use to contact the Kerberos Key Distribution Center (KDC). The account should belong to the Domain Users group. We recommend that you set the password with no expiration.
  2. Use the Windows utility setspn to register Service Principal Name (SPN) directory properties for the account by executing the following command on the domain controller.
    setspn -s HTTP/<pf-idp.domain.name> <pf-server-account-name> , where <pf-idp.domain.name> is the canonical name of the PingFederate server and <pf-server-account-name> is the domain account you want to use for Kerberos authentication. For more information on canonical name, see https://tools.ietf.org/html/rfc2181#section-10.
    Note:

    When executing the setspn command, you must capitalize HTTP and follow it with a forward slash (/).

  3. Verify that the registration was successful by executing the following command.
    setspn -l <pf-server-account-name>

    This gives you a list of SPNs for the account. Verify that HTTP/<pf-idp.domain.name> is one of them.

    Note:

    After making an SPN change, any authenticated end users must re-authenticate by closing the browser or signing off and back on before attempting single sign-on (SSO).