---
title: Setting up Kerberos authentication in PingFederate
description: Set up a Kerberos authentication adapter in PingFederate for a seamless user authentication experience from a Windows machine to your applications.
component: solution-guides
page_id: solution-guides:workforce_use_cases:htg_set_up_kerberos_authn_pf
canonical_url: https://docs.pingidentity.com/solution-guides/workforce_use_cases/htg_set_up_kerberos_authn_pf.html
revdate: July 15, 2022
page_aliases: ["workforce_use_cases:htg_set_up_kerberos_authn_pf_config_realm.adoc", "workforce_use_cases:htg_set_up_kerberos_authn_pf_config_idp_adapter.adoc"]
section_ids:
  component: Component
  configure-ad-domain-kerberos-realm: Configuring the Active Directory domain/Kerberos realm
  steps: Steps
  configuring-the-idp-adapter: Configuring the IdP adapter
  before-you-begin: Before you begin
  steps-2: Steps
---

# Setting up Kerberos authentication in PingFederate

Set up a Kerberos authentication adapter in PingFederate for a seamless user authentication experience from a Windows machine to your applications.

This allows your users to access connected applications in PingFederate seamlessly from a domain-joined Windows machine without being prompted for additional authentication credentials. Learn more about PingFederate in [Introduction to PingFederate](https://docs.pingidentity.com/pingfederate/latest/introduction_to_pingfederate/pf_intro_to_pf.html).

## Component

PingFederate 10.1

## Configuring the Active Directory domain/Kerberos realm

Configure an Active Directory (AD) domain/Kerberos realm in PingFederate.

### Steps

1. In the PingFederate administrative console, go to **System > Data & Credential Stores > Active Directory Domains/Kerberos Realms**.

2. Click **Add Domain/Realm**.

3. In the **Domain/Realm Name**, **Domain/Realm Username**, and **Domain/Realm Password** fields, enter the appropriate information.

   ![Screen capture of the Active Directory Domains/Kerberos Realms Manage Domain/Realm window showing the required Domain/Realm Name, Domain/Realm Username, and Domain/Realm Password fields.](_images/dyz1612380988895.jpg)

4. Click **Test Domain/Realm Connectivity** to ensure you can establish a connection, and then click **Done**.

5. On the **Manage Domain/Realms** tab, click **Next**.

   ![Screen capture of the Manage Domains/Realms tab.](_images/nau1612381176846.jpg)

## Configuring the IdP adapter

Configure a new Kerberos adapter instance in PingFederate.

### Before you begin

* Ensure you have an [AD domain configured](#configure-ad-domain-kerberos-realm) as a datastore in PingFederate that can be used to validate Kerberos tickets.

* Create a user in Active Directory (AD) who can read from the directory.

### Steps

1. In the PingFederate administrative console, go to **Authentication > IdP Adapters**.

   ![Screen capture of the Authentication window showing the IdP Adapters option as the second option in the first row.](_images/agg1605286135183.png)

2. Click **Create New Instance**.

3. On the **Type** tab, in the **Instance Name** and **Instance ID** fields, enter a name and ID.

4. In the **Type** list, select **Kerberos Adapter**, and then click **Next**.

   ![Screen capture of the Type tab showing the Instance Name, Instance ID, type and Parent Instance fields.](_images/rho1605286348542.png)

5. On the **IdP Adapter** tab, select the **Domain/Realm Name** you used when adding AD as a datastore.

6. Click **Manage Active Directory Domains/Kerberos Realms**.

   ![Screen capture of the IdP Adapter tab showing the Domain/Realm Name and Error URL redirect fields.](_images/jrz1605286615664.png)

7. In the **Manage Domain/Realm** window, in the **Domain/Realm Name**, **Domain/Realm Username**, and **Domain/Realm Password** fields, enter the information from your AD environment.

   ![Screen capture of the Manage Domain/Realm window showing the Domain/Realm Name, Domain/Realm Username, and Domain/Realm Password fields. Below those are the options for Domain Controller/Key Distribution Center Host Names.](_images/ucb1605286702687.png)

8. Click **Test Domain/Realm Connectivity** to test your connection, then click **Done**.

9. On the **IdP Adapter** tab, click **Next**.

10. On the **Extended Contract** tab, click **Next**.

11. On the **Adapter Attributes** tab, select the **Username Pseudonym** checkbox. Click **Next**.

    ![Screen capture of the Adapter Attributes tab showing checkboxes for the option to use Pseudonyms or Mask Log Values for each attribute.](_images/dbk1605287007023.png)

12. On the **Adapter Contract Mapping** tab, click **Next**.

13. On the **Summary** tab, review your entries. Click **Save**.
