Mobile SSO for on-premises Active Directory without a cloud broker
Mobile devices can authenticate to on-premises Active Directory without a cloud identity provider in the authentication path. Hypergate Authenticator runs on Android Enterprise and iOS, obtains Kerberos tickets directly from the on-premises Key Distribution Center, and provides single sign-on to Kerberos-authenticated services — without Entra ID, Okta, or any external broker.
Why some organisations cannot use cloud SSO brokers
Sovereignty and classification requirements often prevent the use of a cloud identity provider. Defence, government, and critical infrastructure are commonly required to keep authentication metadata within national or accredited boundaries. Placing a cloud SSO broker in the authentication path may not be permitted under the relevant compliance regime, regardless of where the cloud provider is hosted.
Operational constraints can also rule out cloud brokers. Air-gapped networks, sites without persistent internet connectivity, and environments where a cloud identity provider cannot be a single point of failure all need an authentication model that does not depend on external services. In these environments, mobile devices must authenticate against on-premises infrastructure directly.
How direct on-premises mobile SSO works
Hypergate Authenticator establishes a Kerberos session directly between the mobile device and the on-premises Key Distribution Center. There is no cloud identity provider in the authentication path. The flow is the same as a domain-joined Windows workstation requesting a Kerberos ticket, applied to a managed mobile device.
- The mobile device receives a client certificate from the EMM, or the user enters Active Directory credentials.
- Hypergate Authenticator contacts the on-premises Key Distribution Center and obtains a Ticket Granting Ticket.
- When the user opens an intranet site or application requiring Kerberos, Hypergate provides the service ticket via SPNEGO.
- The on-premises service authenticates the user. No cloud broker is involved at any step.
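The SPNEGO step is where the Kerberos service ticket is carried to the web service, inside the HTTP Negotiate scheme (RFC 4559): the client's Authorization header holds a base64 GSS-API token whose mechTypes list names, in preference order, the mechanisms it is willing to use. The Python below is an added example, not Hypergate's code or anything from this page. It decodes that token and reports which mechanisms were offered, so an operator reading reverse-proxy or gateway logs can confirm that managed mobile clients lead with Kerberos and spot any NTLM fallback, which would defeat the point of a Kerberos-only design. The mechanism OIDs are the standard registered values; the sample headers are constructed by the module's own encoder and carry no ticket material.

```python
"""Added example (not Hypergate code): decode the SPNEGO token in an HTTP
'Negotiate' header and report the GSS mechanisms the client offered.
SPNEGO selects the first mechanism both sides support, so the order in
mechTypes is the client's preference. Sample tokens are constructed here
and contain no real ticket."""
import base64

# Registered mechanism OIDs that appear in SPNEGO mechTypes (standard values).
SPNEGO_OID = "1.3.6.1.5.5.2"
MECH_NAMES = {
    "1.2.840.48018.1.2.2": "MS-KRB5",
    "1.2.840.113554.1.2.2": "KRB5",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
}
KERBEROS = {"MS-KRB5", "KRB5"}


def _tlv(tag, body):
    """DER tag-length-value; long-form length for bodies of 128 bytes or more."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + body


def _oid(dotted):
    """DER OBJECT IDENTIFIER: first two arcs packed, remaining arcs base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(chunk)
    return _tlv(0x06, bytes(out))


def _read_tlv(buf, pos):
    """Parse one DER element at pos; return (tag, value, position after it)."""
    tag, n = buf[pos], buf[pos + 1]
    pos += 2
    if n & 0x80:  # long-form length
        k = n & 0x7F
        n = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    if pos + n > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + n], pos + n


def _decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def build_negotiate_header(mechs):
    """Constructed client header: GSS-API InitialContextToken (RFC 2743) wrapping
    a SPNEGO NegTokenInit whose mechTypes list is `mechs` in preference order."""
    mech_list = _tlv(0x30, b"".join(_oid(m) for m in mechs))  # SEQUENCE OF MechType
    neg_init = _tlv(0x30, _tlv(0xA0, mech_list))  # NegTokenInit { [0] mechTypes }
    token = _tlv(0x60, _oid(SPNEGO_OID) + _tlv(0xA0, neg_init))  # [APPLICATION 0]
    return "Negotiate " + base64.b64encode(token).decode()


def offered_mechs(header_value):
    """Return mechTypes (dotted OIDs) from an 'Authorization: Negotiate' value.
    A raw NTLMSSP message with no SPNEGO wrapper is reported as ['raw-NTLMSSP']."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        raise ValueError("not a Negotiate header")
    tok = base64.b64decode(b64)
    if tok.startswith(b"NTLMSSP\x00"):
        return ["raw-NTLMSSP"]
    tag, body, _ = _read_tlv(tok, 0)
    if tag != 0x60:
        raise ValueError("not a GSS-API InitialContextToken")
    tag, oid, pos = _read_tlv(body, 0)
    if tag != 0x06 or _decode_oid(oid) != SPNEGO_OID:
        raise ValueError("thisMech is not SPNEGO")
    tag, neg, _ = _read_tlv(body, pos)  # [0] NegTokenInit
    if tag != 0xA0:
        raise ValueError("expected NegTokenInit")
    _, seq, _ = _read_tlv(neg, 0)  # SEQUENCE
    tag, mech_types, _ = _read_tlv(seq, 0)  # [0] mechTypes is the first field
    if tag != 0xA0:
        raise ValueError("mechTypes missing")
    _, lst, _ = _read_tlv(mech_types, 0)  # SEQUENCE OF MechType
    mechs, pos = [], 0
    while pos < len(lst):
        _, val, pos = _read_tlv(lst, pos)
        mechs.append(_decode_oid(val))
    return mechs


def classify(mechs):
    """Monitoring verdict: 'kerberos-only', 'kerberos-first-ntlm-fallback', or
    'ntlm-or-unknown' (covers raw NTLMSSP and NTLM listed ahead of Kerberos)."""
    names = [MECH_NAMES.get(m, m) for m in mechs]
    has_krb = any(n in KERBEROS for n in names)
    has_ntlm = any("NTLMSSP" in n for n in names)
    if has_krb and not has_ntlm:
        return "kerberos-only"
    if names and names[0] in KERBEROS:
        return "kerberos-first-ntlm-fallback"
    return "ntlm-or-unknown"


if __name__ == "__main__":
    for sample in (["1.2.840.48018.1.2.2", "1.2.840.113554.1.2.2"],
                   ["1.2.840.113554.1.2.2", "1.3.6.1.4.1.311.2.2.10"]):
        hdr = build_negotiate_header(sample)
        print(classify(offered_mechs(hdr)), offered_mechs(hdr))
```

Only the first field of NegTokenInit is read; a real client token also carries the Kerberos AP-REQ in the optional mechToken field, which the parser skips, so the check works on the token as logged without needing to decrypt anything. A "kerberos-only" verdict for every mobile client is what a deployment with no NTLM fallback should show.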
Sectors where this pattern is standard
Direct on-premises mobile authentication is the standard model in sectors where data sovereignty, regulatory compliance, or operational constraints make cloud identity providers unsuitable. Hypergate is deployed across government and defence agencies, banking and insurance institutions, and law firms — organisations that depend on existing Active Directory infrastructure and require authentication to remain within their own boundaries. The same architecture that supports a domain-joined desktop in these environments now extends to mobile devices.
What you need to deploy this
Direct mobile authentication to on-premises Active Directory has a small, well-defined set of requirements:
- On-premises Active Directory with a reachable Key Distribution Center
- An Enterprise Mobility Management platform such as Microsoft Intune, Workspace ONE, or MobileIron — Hypergate is EMM-agnostic
- A network path from managed devices to the Key Distribution Center, via per-app VPN, EMM tunnel, or internal network connectivity
- Hypergate Authenticator deployed and configured through managed configuration
Frequently asked questions
Can I do mobile SSO to on-premises Active Directory without Entra ID?
Yes. Hypergate Authenticator authenticates managed Android Enterprise and iOS devices directly to on-premises Active Directory using the Kerberos protocol. There is no requirement for Microsoft Entra ID, Microsoft Application Proxy, or any other cloud identity provider. Devices obtain Kerberos tickets from the on-premises Key Distribution Center and use them to access internal services in the same way as a domain-joined Windows workstation.
Is mobile Kerberos SSO possible in an air-gapped network?
Yes. Because Hypergate Authenticator does not depend on any cloud service for authentication, it operates in fully air-gapped environments. Mobile devices need network connectivity to the Key Distribution Center and the internal services they access, but no internet connectivity is required for the authentication itself. This makes Hypergate suitable for classified, isolated, and sovereign network environments.
What are the alternatives to Microsoft Entra Application Proxy for on-premises mobile SSO?
Microsoft Entra Application Proxy uses Kerberos Constrained Delegation to provide single sign-on to on-premises applications, with authentication routed through Microsoft’s cloud identity service. Where this dependency on a cloud broker is not acceptable, Hypergate Authenticator provides direct Kerberos authentication on the mobile device. The mobile device itself becomes a full Active Directory client, removing the need for any cloud component in the authentication path.
How does Hypergate work in a defence or classified environment?
Hypergate Authenticator is deployed in defence, government, and other regulated environments where cloud identity providers cannot be placed in the authentication path. Authentication remains entirely on-premises, within the organisation’s own network and accreditation boundary. The application supports certificate-based authentication for environments using PKI, and integrates with existing Enterprise Mobility Management platforms for managed deployment.