Knox Workspace

[Summary]

Samsung SSO Authenticator for Kerberos is returning error code: -1765328230, KDC (Kerberos Key Distribution Center) not found.

[Cause]

Using Kerberos SSO requires the mobile device to be connected to the same network as your Active Directory (AD) server. Usually to meet this requirement, a VPN has to be used.  If there is no direct connection to the AD server, the SSO service will not work. This is because Kerberos is using port 88, which is blocked in some public networks, to perform authentication.

[Resolution]

Use a VPN, or set Kerberos Key Distribution Center (KDC) proxy to use port 443 instead of 88. The port 443 is opened on public networks, so VPN is not needed.

 

Windows Server 2012 is needed for the KDC proxy. There are two possible configurations:
#1. Both AD and KDC proxy are running on one machine with Windows Server 2012
#2. AD is running on one machine (Windows Server may be older than 2012) and the KDC proxy is running on the second machine with Windows Server 2012

Once the KDC Proxy is set, the Authenticator on the device has to be configured.
There are two ways to configure Authenticator:
#1. Provide config file via EMM application
#2. Side load from internal storage on device

When the AD IT Admin sets the KDC proxy, he should have a URL such as:
 
HTTPS://KDCproxy.mycompany.com

The krb5.conf file should have the following line defined:

KDC_PROXY=HTTPS://KDC proxy.mycompany.com 

This config file should be distributed to devices. When the SSO app will try to obtain a Token, the Authenticator application will be opened. There is a 'View more' button at the bottom which allows viewing additional settings. 

 

You should use 'Location of krb5.conf' field to put the path to the file manually or push small directory icon on the right of the screen and pick config file from the file explorer.