You receive the error "The call to Kerberos 5 failed" when trying to join an Edge SWG (ProxySG) appliance to the domain during IWA-Direct authentication configuration.

The issue is caused by one of the following:

1. Join credentials contain complex or Cyrillic characters. 
2. You previously joined the domain, left the domain, and are trying to join again using the Join option (not Rejoin).
3. DNS cannot resolve resolve _kerberos-master._tcp.domain.com.
4. Old DNS records exist, causing the Kerberos KDC name to be resolved incorrectly.

Perform the appropriate step to resolve the issue.

1. Simplify the password. Although complex passwords are supported, Kerberos might not be able to decrypt them if the contain non-UTF8 characters.
2. Delete the machine account from Active Directory and click Join again.
3. Force the DNS server to resolve _kerberos-master._tcp.domain.com  to a good Kerberos master domain for TCP communication.
4. Remove the incorrect DNS record.