Microsoft Active Directory is the only directory that supports Kerberos for authentication, so when you add the gateway connection, select Microsoft Active Directory for Directory type. For more information, see Adding an LDAP gateway.

End user authentication flow

When Kerberos authentication is properly configured, the end user authentication flow behaves as follows.

First, PingOne tries to authenticate the end user through Kerberos. This is a seamless experience and requires no user interaction.

If Kerberos authentication succeeds, the Login step is complete. If the authentication policy has an MFA step, the end user will proceed to MFA. When the end user completes all steps, PingOne redirects the browser to the target application.

If Kerberos authentication fails, PingOne tries to authenticate the end user by showing the Sign On page with user name and password fields.

If the end user provides the correct credentials, the Login step is complete. If the authentication policy has an MFA step, the end user will proceed to MFA. When the end user completes all steps, PingOne redirects the browser to the target application.

If the end user fails to provide the correct credentials, PingOne returns a sign-on error to the browser.

The following illustration shows the authentication flow.

Figure: Kerberos authentication flow