Adding Active Directory domains and Kerberos realms
You can configure Active Directory domains or Kerberos realms that PingFederate uses to contact the domain controllers or the key distribution centers (KDCs) for verifying user authentication.
About this task
The steps for adding an Active Directory domain or Kerberos realm differ between on-premise PingFederate deployments and cloud PingFederate deployments. Follow the steps in the appropriate section for your deployment.
Adding domains and realms in PingFederate on-premise deployments
Use the following procedure when PingFederate is deployed on-premise.
Steps
- In the PingFederate admin console, go to the Manage Domain/Realm tab.
- In the Connection Type list, select Directly.
- In the Domain/Realm Name field, enter the fully qualified domain or realm name. For example, companydomain.com.
- In the Domain/Realm Username field, enter the ID for the domain or realm account name.
- In the Domain/Realm Password field, enter the password for the domain or realm account.
- (Optional) Select the Retain Previous Keys on Password Change checkbox and click Save to avoid locking out end users with existing Kerberos tickets when the service account password is updated.
  PingFederate retains each previous key for the period specified in the Key Set Retention Period field on the Manage Domain/Realm Settings tab of the Active Directory Domains/Kerberos Realms page. The default period is 610 minutes. Learn more in Managing domain connectivity settings.
  To clear the previous keys from PingFederate, clear the checkbox and click Save.
  This checkbox is selected by default.
- In the Domain Controller/Key Distribution Center Host Names field, enter the host name or IP address of your domain controller or KDC, such as dc01-yvr, and then click Add. Repeat this step to add multiple servers.
  If a host name is used, PingFederate appends the domain to the host name to formulate the fully qualified domain name (FQDN) of the server unless the Suppress DC/Domain Concatenation checkbox is selected.
  If no host names are specified, PingFederate locates the domain controllers or KDCs with a DNS lookup.
- (Optional) Select the Suppress DC/Domain Concatenation checkbox to specify the desired FQDNs under Domain Controller/Key Distribution Center Host Names.
  When selected, PingFederate doesn't append the domain to the host names.
- (Optional) Click Test Domain/Realm Connectivity to test access to the domain controller or KDC from the administrative-console server.
  When a connection to any of the configured controllers or KDCs is successful, the message Test Successful appears. Otherwise, the test returns error messages near the top of the window. To help resolve connectivity issues, select the Debug Log Output checkbox on the Manage Domain/Realm Settings tab, run the test again, and review the debug messages in the PingFederate server log.
  This test stops at the first successful result when multiple domain controllers or KDCs are specified, so not all servers are necessarily verified. Depending on the network architecture, the engine nodes deployed in a cluster could establish connections differently. As a result, the engine nodes and the console node might connect to different domain controllers or KDCs.
- Click Save.
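The two behaviours above that most often cause a working-looking configuration to fail in production are the host-name concatenation rule (an entry that is already an FQDN gets the domain appended again unless Suppress DC/Domain Concatenation is selected) and the fact that Test Domain/Realm Connectivity stops at the first reachable server. The following script is an added example, not PingFederate code, that models the documented concatenation rule and then probes every configured server instead of stopping at the first success. It assumes the KDCs accept TCP connections on port 88, that concatenation is a plain suffix append, and uses constructed host names (dc01-yvr from the page, plus dc02.companydomain.com and 10.0.0.5). Run it on the console node and on each engine node, since the page notes they may reach different domain controllers.

```python
# Added example (not PingFederate code): models the documented host-name handling
# for Domain Controller/KDC entries and probes every configured server rather
# than stopping at the first success, as the built-in connectivity test does.
import ipaddress
import socket
from typing import Callable, Dict, List

KERBEROS_PORT = 88  # standard KDC port (assumption: the KDCs listen on TCP 88)


def is_ip_address(value: str) -> bool:
    """True for an IPv4/IPv6 literal, which is used as typed, never concatenated."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def build_kdc_fqdns(domain: str, hosts: List[str], suppress_concatenation: bool = False) -> List[str]:
    """Return the server names that would be contacted, following the documented rule:
    a host name gets the domain appended unless Suppress DC/Domain Concatenation is
    selected; an IP address is used as typed. An entry that is already an FQDN still
    gets the domain appended while suppression is off, producing a doubled suffix
    that will not resolve; that is the case the suppression checkbox exists for.
    (Assumption: concatenation is a plain "host.domain" append.)
    """
    domain = domain.strip().rstrip(".")
    names: List[str] = []
    for entry in hosts:
        host = entry.strip().rstrip(".")
        if not host:
            continue
        if is_ip_address(host) or suppress_concatenation:
            names.append(host)
        else:
            names.append(f"{host}.{domain}")
    return names


def tcp_probe(host: str, port: int = KERBEROS_PORT, timeout: float = 3.0) -> bool:
    """Resolve the name and open a TCP connection to the KDC port; False on any failure."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # includes socket.gaierror for names that do not resolve
        return False


def check_all_kdcs(fqdns: List[str], probe: Callable[[str], bool] = tcp_probe) -> Dict[str, bool]:
    """Probe every server and keep every result, so a broken entry is not hidden
    behind a working one the way it is when the test stops at the first success."""
    return {name: probe(name) for name in fqdns}


def unreachable(results: Dict[str, bool]) -> List[str]:
    """Names that failed the probe, in configuration order."""
    return [name for name, ok in results.items() if not ok]


if __name__ == "__main__":
    # Constructed sample configuration, mirroring the page's example host dc01-yvr.
    configured = ["dc01-yvr", "dc02.companydomain.com", "10.0.0.5"]
    for suppress in (False, True):
        names = build_kdc_fqdns("companydomain.com", configured, suppress_concatenation=suppress)
        print(f"suppress concatenation={suppress}: {names}")
    # Live probe of whatever is reachable from this machine; run it on each node.
    results = check_all_kdcs(build_kdc_fqdns("companydomain.com", configured))
    for name, ok in results.items():
        print(f"{name}: {'reachable' if ok else 'UNREACHABLE'}")
    if unreachable(results):
        print("Some configured servers are unreachable; the console test would not report this if another server answered first.")
```

With suppression off, the script shows dc02.companydomain.com becoming dc02.companydomain.com.companydomain.com, which is the doubled-suffix mistake to look for when a realm test passes on the console but engine nodes fail over to a different server.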
Adding domains and realms in PingFederate cloud deployments
Use the following procedure when PingFederate is deployed in a cloud.
Before you begin
Steps
- In the PingFederate admin console, go to the Manage Domain/Realm page.
- In the Connection Type list, select Through PingOne LDAP Gateway.
- In the Domain/Realm Name field, enter the fully qualified domain or realm name. For example, companydomain.com.
- In the PingOne LDAP Gateway Data Store list, select the datastore that was configured for the PingOne LDAP Gateway.
- (Optional) Click the Test Domain/Realm Connectivity checkbox to test access to the domain controller or KDC from the administrative console server.
  When a connection to the configured PingOne LDAP Gateway is successful, the message Test Successful appears. Otherwise, the test returns error messages near the top of the window.
- Click Save.