- Basics
- The Knox Ecosystem
- White Paper
- Samsung Knox Portal
- Knox Cloud Services
- General Knox Support
- Knox Licenses
- For IT admins
- Knox Admin Portal
- Knox Suite
- Knox Platform for Enterprise
- Introduction
- How-to videos
- Before you begin
- Get started with UEMs
- Introduction
- Blackberry UEM
- Citrix Endpoint Management
- FAMOC
- IBM MaaS360
- Microsoft Intune
- MobileIron Cloud
- MobileIron Core
- Samsung Knox Manage
- SOTI MobiControl
- VMware Workspace ONE UEM
- Knox Service Plugin
- Release notes
- Migrate to Android 11
- FAQs
- Troubleshoot
- KBAs
- Knox Mobile Enrollment
- Knox Configure
- Mobile
- Wearables
- Shared Device
- FAQ
- KBAs
- Knox Capture
- Introduction
- How it works
- How-to videos
- IT admins: Get started
- Getting started with Knox Capture
- Step 1: Launch Knox Capture
- Step 2: Create a scanning profile
- Step 3: Select apps and activities
- Step 4: Configure the scanner
- Step 5: Set keystroke output rules
- Step 6: Test apps in your configuration
- Step 7: Share your configuration
- Step 8: Deploy Knox Capture in Managed mode
- End users: Get started
- Features
- Release notes
- FAQ
- KBAs
- Troubleshoot
- Knox Asset Intelligence
- Knox Manage
- Introduction
- How-to videos
- Get started
- Video: Getting started with Knox Manage
- Integration with Managed Service Provider
- Access Knox Manage
- Configure basic environments
- Create user accounts
- Create groups
- Create organization
- Set up devices and profiles
- Set up Knox Manage deployment with a Knox Suite license
- Manage Chromebooks
- Manage Android devices with the Android Management API
- Manage Shared iPads
- Configure
- Licenses
- Organization
- Users
- Sync user information
- Groups
- Devices
- Content
- Applications
- Profile
- Knox E-FOTA
- Certificates
- Advanced settings
- Monitor
- Kiosk devices
- Knox Remote Support
- Active Directory
- Microsoft Exchange
- Mobile Admin
- Appendix
- Release notes
- Features
- FAQ
- KBAs
- Knox E-FOTA
- Introduction
- How-to videos
- Get started
- Features
- EMM integration
- Appendix
- Release notes
- FAQ
- KBAs
- Troubleshoot
- Knox E-FOTA On-Premises
- Legacy Knox E-FOTA products
- Knox Guard
- Introduction
- How-to video
- Get started
- Using Knox Guard
- Dashboard
- Manage devices
- Device management
- Accept or reject devices
- Upload devices
- Delete devices
- Complete device management
- Send notifications
- Enable or disable SIM control
- Download devices as CSV
- View device log
- View device deletion log
- Start and stop blinking reminder
- Lock and unlock devices
- Update lock message
- Send relock timestamp
- Turn on/off relock reminder
- Manage policies
- Manage licenses
- Manage resellers
- Manage admins and roles
- Activity log
- Knox Deployment App
- Release notes
- FAQ
- KBAs
- Support
- Samsung Care+ for Business
- For Knox Partners
- Knox Deployment Program
- Knox MSP Program
[Environment]
Knox Workspace
[Summary]
[Summary]
Samsung SSO Authenticator for Kerberos is returning error code: -1765328230, KDC (Kerberos Key Distribution Center) not found.
[Cause]
[Cause]
Using Kerberos SSO requires the mobile device to be connected to the same network as your Active Directory (AD) server. Usually to meet this requirement, a VPN has to be used. If there is no direct connection to the AD server, the SSO service will not work. This is because Kerberos is using port 88, which is blocked in some public networks, to perform authentication.
[Resolution]
[Resolution]
Use a VPN, or set Kerberos Key Distribution Center (KDC) proxy to use port 443 instead of 88. The port 443 is opened on public networks, so VPN is not needed.
Windows Server 2012 is needed for the KDC proxy. There are two possible configurations:
#1. Both AD and KDC proxy are running on one machine with Windows Server 2012
#2. AD is running on one machine (Windows Server may be older than 2012) and the KDC proxy is running on the second machine with Windows Server 2012
Once the KDC Proxy is set, the Authenticator on the device has to be configured.
There are two ways to configure Authenticator:
#1. Provide config file via EMM application
#2. Side load from internal storage on device
When the AD IT Admin sets the KDC proxy, he should have a URL such as:
HTTPS://KDCproxy.mycompany.com
The krb5.conf file should have the following line defined:
KDC_PROXY=HTTPS://KDC proxy.mycompany.com
This config file should be distributed to devices. When the SSO app will try to obtain a Token, the Authenticator application will be opened. There is a 'View more' button at the bottom which allows viewing additional settings.
#1. Both AD and KDC proxy are running on one machine with Windows Server 2012
#2. AD is running on one machine (Windows Server may be older than 2012) and the KDC proxy is running on the second machine with Windows Server 2012
Once the KDC Proxy is set, the Authenticator on the device has to be configured.
There are two ways to configure Authenticator:
#1. Provide config file via EMM application
#2. Side load from internal storage on device
When the AD IT Admin sets the KDC proxy, he should have a URL such as:
HTTPS://KDCproxy.mycompany.com
The krb5.conf file should have the following line defined:
KDC_PROXY=HTTPS://KDC proxy.mycompany.com
This config file should be distributed to devices. When the SSO app will try to obtain a Token, the Authenticator application will be opened. There is a 'View more' button at the bottom which allows viewing additional settings.
You should use 'Location of krb5.conf' field to put the path to the file manually or push small directory icon on the right of the screen and pick config file from the file explorer.
