PingOne

Troubleshooting Kerberos

I am unable to sign on using Kerberos through the PingOne gateway

If you’ve configured the PingOne gateway to support Kerberos authentication, but you’re still seeing a sign-on screen, check the audit logs for any Kerberos failures.

You can find a complete list of events logged in PingOne in Audit Reporting Events in the PingOne API documentation.

Screen capture of kerberos example.

{
"id" : "f0509c78-9d00-4c69-92e0-6528d7cd5494",
"code" : "ACCESS_FAILED",
"message" : "The request could not be completed. You do not have access to this resource.",
"details" : [ {
"code" : "INVALID_TOKEN",
"message" : "Kerberos ticket is invalid"
} ]
}

The Kerberos ticket is invalid error indicates the browser submitted a Kerberos ticket, but the ticket was invalid or otherwise unable to be processed.

This error occurs when:

The KDC isn’t issuing tickets with AES Encryption

  1. In Windows, open a command prompt and enter klist.

    There should be a ticket for the services for which you configured SPNs. For example, HTTP/kerberos.pingone.com and HTTP/d3vol3lyj0eg62.cloudfront.net.

    Learn more in Creating SPNs.

  2. Check the KerbTicket Encryption Type.

    If the KerbTicket Encryption Type is set to RSADSI RC4-HMAC, it will not be supported by PingOne, as PingOne requires AES Encryption.

    1. On your server, in Active Directory Users and Computers, find the user account that is attempting to access PingOne using Kerberos.

    2. Right click the account and select Properties.

    3. Click the Account tab.

    4. In the Account Options section, select This account supports Kerberos AES 256 bit encryption.

    If there is a login error, you might need to purge existing Kerberos tickets.

  3. To purge tickets:

    1. Open a command prompt and enter klist purge.

    2. Sign off from Windows and sign back on.

    3. Attempt Kerberos authentication.

Discuss with your Active Directory admin the best way to ensure the Key Distribution Center (KDC) issues tickets using AES Encryption for all users.

The service account for the PingOne gateway isn’t configured to use AES Encryption for Kerberos

  1. In Active Directory Users and Computers, find the service account you’ve configured for the PingOne gateway Kerberos integration.

  2. Right click the account and select Properties.

  3. On the Account tab, in the Account Options section, select This account supports Kerberos AES 256 bit encryption.

  4. Restart the gateway instance. Learn more in Starting a gateway instance.

  5. Confirm that Kerberos sign-on working.

    If Kerberos authentication still isn’t working, purge existing Kerberos tickets.

  6. To purge tickets:

    1. Open a command prompt and enter klist purge.

    2. Sign off from Windows and sign back on.

    3. Attempt Kerberos authentication.

  7. If Kerberos authentication still isn’t working, you must reset the password for the service account. Then, repeat step 6.

A user is getting an HTTP error 431

Kerberos tickets containing user group information can exceed the PingOne header size limit, causing PingOne to return HTTP error 431 Request Header Fields Too Large.

The PingOne header size limit is 6 KB

Reduce the number of groups the user is a member of so that the Kerberos ticket is smaller.