This configuration requires a trust relationship among domains, which is established by default when subdomains or separate domains are created within the same forest. For more information, see


If you are configuring only one domain, then you also need to configure only one Service Principal Name. For more information, see Configuring the Active Directory environment.

If your network topology consists of multiple forests without a trust relationship between them, you must configure multiple adapter or token processor instances. Map each instance to a separate domain and then map these adapter or token processor instances to your service provider (SP) connections that authenticate using the integrated Kerberos Adapter or the integrated Kerberos Token Processor.

For information about configuring Kerberos authentication for multiple-domain Active Directory trusts, see in the Ping Identity Support Portal.