#1. Both AD and KDC proxy are running on one machine with Windows Server 2012
#2. AD is running on one machine (Windows Server may be older than 2012) and the KDC proxy is running on the second machine with Windows Server 2012
Once the KDC Proxy is set, the Authenticator on the device has to be configured.
There are two ways to configure Authenticator:
#1. Provide config file via EMM application
#2. Side load from internal storage on device
When the AD IT Admin sets the KDC proxy, he should have a URL such as:
The krb5.conf file should have the following line defined:
This config file should be distributed to devices. When the SSO app will try to obtain a Token, the Authenticator application will be opened. There is a 'View more' button at the bottom which allows viewing additional settings.