This content has been archived and is no longer being updated.

Links may not function; however, this content may be relevant to outdated versions of the product.

Using Kerberos credentials in a Pega application to authenticate and access external systems

Updated on April 1, 2020

This content applies only to On-premises and Client-managed cloud environments

Kerberos is a network authentication protocol that secures client-server node communication by using secret-key cryptography. It is used to verify user identity on non-secure networks.

You can use a user's Kerberos credentials to connect to external systems and authenticate with them. For example, you can use the credentials obtained from the User Principal Name to authenticate to an LDAP directory. To use this functionality, the operator's Kerberos credentials must be stored on the clipboard on the Pega 7 Platform; they can be stored anywhere on the clipboard. The ATN logic in the engine code already does this: if a requestor contains a User Principal Name object, the Pega 7 Platform automatically stores it on the Requestor (pxRequestor) page in the property reference .pxSessionContext.pxUserPrincipalObject. Through this property, the user can use the credential that is associated with this object in their application.

To use a user's Kerberos credentials to connect to an external system, complete the following tasks:

Creating a Kerberos authentication service

Create a special custom authentication service for Kerberos.

  1. Click Designer Studio > Org & Security > Authentication > Create Authentication Service.
  2. In the Type list, select Kerberos.
  3. In the Name field, press the Down Arrow key and select the name of the authentication service, KerberosAuth, from the list.
  4. Enter a short description of the authentication service.
  5. Click Create and open.
  6. On the Kerberos tab, in the Timeout activity field, press the Down Arrow key and select AuthenticationLDAPWebTimeout from the list.
  7. In the Authentication activity field, press the Down Arrow key and select pyAuthenticationKerberosCredentials from the list.

    If you are not using SPNEGO SourceForge, modify this activity code to retrieve GSSCredential from the pxRequestor clipboard page by using the implementation that you chose.

  8. In the JNDI Binding Parameters section, specify the Initial context factory field, for example, com.sun.jndi.ldap.LdapCtxFactory.
  9. Optional: Only if you are using LDAP, in the Directory field, enter the LDAP server information.
    1. In the Search Parameters section, in the User principal name attribute field, enter the LDAP attribute name that is used for the User Principal Name on the LDAP server.
    2. On the Mapping tab, in the Authentication Service rule form, map the .pyOrgUnit, .pyOrganization, .pyOrgDivision, and .pyUserName properties to the related LDAP attributes. The Pega 7 Platform must have corresponding Organization, OrganizationUnit, and OrganizationDivision records.
  10. Click Save.

Authentication with Kerberos credentials

In the KerberosAuth rule form, use the pyAuthenticationKerberosCredentials activity as the authentication activity.

The pyAuthenticationKerberosCredentials activity validates Kerberos credentials and creates an operator instance for a Kerberos user. The activity uses the SPNEGO SourceForge implementation to retrieve the GSSCredential object from the pxRequestor clipboard page that is stored in the .pxSessionContext.pxUserPrincipalObject property. It uses the GSSCredential for LDAP binding. If you are not using SPNEGO SourceForge, modify this activity to retrieve the GSSCredential by using your Kerberos implementation.

The following example uses Java code reflection to obtain the GSSCredential from the SPNEGO principal:

If you are not using SPNEGO SourceForge, modify the IF block code by using your implementation.

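    // Classes used: java.lang.reflect.Method, java.util.Hashtable, javax.naming.Context,
    // javax.naming.directory.DirContext, javax.naming.directory.InitialDirContext,
    // javax.security.sasl.Sasl, org.ietf.jgss.GSSCredential
    ClipboardPage cp = tools.findPage("pxRequestor", true);
    Object principal = cp.getObject(".pxSessionContext.pxUserPrincipalObject");
    GSSCredential gsscredential = null;

    // IF block: a null check is assumed here as the guard; replace it with the
    // check for the principal type of your Kerberos implementation.
    if (principal != null) {
        Method m = principal.getClass().getMethod("getDelegatedCredential");
        // Get user GSSCredential from pxRequestor page
        gsscredential = (GSSCredential) m.invoke(principal);
    } else {
        oLog.error("pxRequestor page has unsupported SPNEGO principal");
    }

    if (gsscredential != null) {  // Hashtable rejects null values
        Hashtable<String, Object> props = new Hashtable<>(11);
        props.put(javax.naming.Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        props.put(javax.naming.Context.PROVIDER_URL, "ldap://localhost:389");
        props.put(javax.naming.Context.SECURITY_AUTHENTICATION, "GSSAPI");
        // use GSSCredential to create LDAP Directory context; Sasl.CREDENTIALS is the
        // standard property that hands the credential to the GSSAPI SASL client
        props.put(javax.security.sasl.Sasl.CREDENTIALS, gsscredential);
        DirContext ctx = new InitialDirContext(props);
    }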
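
The activity code above hands whatever getDelegatedCredential returns directly to the LDAP bind. The following added example (not Pega or SPNEGO SourceForge code) checks the delegated credential first and builds the JNDI environment with SASL confidentiality and mutual authentication, because ldap://localhost:389 is an unencrypted port. The class name, the reject, ldapEnv and stub helpers, and the 60-second threshold are assumptions; stub is a constructed stand-in so the checks run without a KDC.

```java
import java.lang.reflect.Proxy;
import java.util.Hashtable;
import javax.naming.Context;
import javax.security.sasl.Sasl;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;

public class DelegatedCredentialCheck {
    static final int MIN_LIFETIME_SECONDS = 60; // assumed policy value, not from the page

    // Returns null when the credential can be used for an outbound bind, else the reason.
    static String reject(GSSCredential cred) throws GSSException {
        if (cred == null) return "no delegated credential on the principal";
        if (cred.getUsage() == GSSCredential.ACCEPT_ONLY) return "credential cannot initiate a context";
        if (cred.getRemainingLifetime() < MIN_LIFETIME_SECONDS) return "credential expired or about to expire";
        return null;
    }

    // JNDI environment for a GSSAPI bind made with the user's credential.
    static Hashtable<String, Object> ldapEnv(String url, GSSCredential cred) {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
        env.put(Sasl.CREDENTIALS, cred);
        env.put(Sasl.QOP, "auth-conf");    // sign and encrypt LDAP traffic on a plain ldap:// port
        env.put(Sasl.SERVER_AUTH, "true"); // require the directory to authenticate itself too
        return env;
    }

    // Constructed stand-in for a GSSCredential so the checks run without a KDC.
    static GSSCredential stub(int usage, int lifetime) {
        return (GSSCredential) Proxy.newProxyInstance(
            DelegatedCredentialCheck.class.getClassLoader(), new Class<?>[] {GSSCredential.class},
            (proxy, method, args) -> {
                if (method.getName().equals("getUsage")) return usage;
                if (method.getName().equals("getRemainingLifetime")) return lifetime;
                return null; // other GSSCredential methods are not called in this example
            });
    }

    public static void main(String[] args) throws GSSException {
        System.out.println(reject(null));
        System.out.println(reject(stub(GSSCredential.ACCEPT_ONLY, 3600)));
        System.out.println(reject(stub(GSSCredential.INITIATE_ONLY, 5)));
        GSSCredential ok = stub(GSSCredential.INITIATE_ONLY, 3600);
        System.out.println(reject(ok));
        System.out.println(ldapEnv("ldap://localhost:389", ok).keySet());
    }
}
```

In an activity, run the equivalent of reject on the object read from .pxSessionContext.pxUserPrincipalObject and log the reason instead of attempting the bind when it is non-null.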


Pega Platform 7.2.2, Security, Communications and Media, Consumer Services, Financial Services, Government, Healthcare and Life Sciences, Insurance, Manufacturing
