Configuring Automatic Private Applications Reauthentication
You can enable Zscaler Client Connector to automatically attempt reauthentication for users with Private Applications. Prior to configuring automatic Private Applications reauthentication, you must:
- Configure your IdP for single sign-on (SSO). To learn more, see IdP Configuration Guides.
- Enable Integrated Windows Authentication (IWA).
Enabling IWA
To enable IWA, make sure you are first configured to your organization's IdP. Currently, IWA is supported by the following browsers:
- Internet Explorer 2 and all later versions
- Mozilla Firefox
- Google Chrome 8.0 and all later versions
- Safari, once you have a Kerberos ticket
- Microsoft Edge 77 and all later versions
While IWA works with most browsers, it does not work over some HTTP proxy servers.
To enable IWA on a specific browser, follow the steps for that browser below.
Internet Explorer
To enable IWA using Internet Explorer, use the following steps:
- Click Internet Options in the Tools drop-down menu.
- In the Advanced tab under Security, check the Enable Integrated Windows Authentication box.
- In the Security tab, click Local Intranet > Sites > Advanced.
- Configure SSO on the IdP, then add the SSO domain.
Mozilla Firefox
Enabling IWA on Mozilla Firefox depends on your OS.
To enable IWA on Mozilla Firefox using Windows, use the following steps:
- In the browser URL field, enter the text about:config and press enter.
- Click Accept the Risk and Continue.
- In the Search preference name search bar:
  - Search for network.negotiate-auth.trusted-uris.
  - Click the pencil icon to edit.
  - Add the SSO domain.
  - Click the white checkmark or press enter.
- In the Search preference name search bar:
  - Search for network.automatic-ntlm-auth.trusted-uris.
  - Click the pencil icon to edit.
  - Add the SSO domain.
  - Click the white checkmark or press enter.
To enable IWA on Mozilla Firefox using macOS, use the following steps:
- In the browser URL field, enter the text about:config and press enter.
- Click Accept the Risk and Continue.
- In the Search preference name search bar:
  - Search for network.negotiate-auth.delegation-uris.
  - Click the pencil icon to edit.
  - Add the SSO domain.
  - Click the white checkmark or press enter.
- In the Search preference name search bar:
  - Search for network.automatic-ntlm-auth.trusted-uris.
  - Click the pencil icon to edit.
  - Add the SSO domain.
  - Click the white checkmark or press enter.
- In the Search preference name search bar:
  - Search for network.automatic-ntlm-auth.allow-proxies.
  - Click the toggle icon and set this value to true.
- In the Search preference name search bar:
  - Search for network.negotiate-auth.allow-proxies.
  - Click the toggle icon and set this value to true.
Google Chrome
For Windows and macOS, IWA is automatically enabled on Chrome, and this function is allowlist-driven. The only way to change the policy is through the Command Prompt (Windows) or Terminal window (macOS). Changing the policy in Google Chrome depends on your OS.
To change the policy in Windows, use the following steps:
- Enter cmd into the search field on your taskbar and launch the Command Prompt.
- Configure the allowlist using the following command-line parameter (use a comma to separate multiple domains):
  --auth-server-whitelist="https://www.example.com"
To change the policy in macOS, use the following steps:
- Launch the Terminal application.
- Create a Kerberos ticket for the account using the following command, replacing username@example.com with your actual username and domain. When prompted, enter your password.
  kinit username@example.com
- Configure the allowlist using the following command (use a comma to separate multiple domains):
  $ defaults write com.google.Chrome AuthServerWhitelist "https://www.example.com, https://www.example2.net, https://www.example3.org"
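The allowlist decides which servers Chrome will hand IWA (Kerberos/NTLM) credentials to, so it is worth checking the value before pushing it. The following added example (not Zscaler's or Google's tooling) validates a comma-separated AuthServerWhitelist string, rejecting an empty list, a bare "*" (every server), and malformed entries such as a mistyped scheme, and only then emits the defaults write command shown above; the sample domains are constructed.

```shell
#!/bin/sh
# Added example, not from the Zscaler documentation: sanity-check a Chrome
# AuthServerWhitelist value before it is written as a browser policy.
# Entries are comma-separated; Chrome treats a bare "*" as "any server",
# which would offer the user's IWA credentials to every host.

# Return 0 if every entry is a concrete host or a "*.domain" pattern,
# 1 if the list is empty or contains "*", an empty entry, or a bad entry.
check_auth_allowlist() (
    set -f                   # keep "*" entries from being glob-expanded
    IFS=', '                 # split on commas; tolerate spaces after them
    [ -n "$1" ] || return 1
    for entry in $1; do
        # the doc examples carry a scheme; strip it before checking
        entry=${entry#https://}
        entry=${entry#http://}
        case "$entry" in
            ''|'*'|'*.'|.*|*..*|*.)  return 1 ;;   # empty, catch-all, dotted
            *[!A-Za-z0-9.*-]*)       return 1 ;;   # e.g. "httpsL//host" or "/"
        esac
    done
    return 0
)

# Print the macOS policy command from the doc for a validated list;
# print nothing and fail otherwise so a broken list never reaches Chrome.
chrome_allowlist_command() {
    check_auth_allowlist "$1" || return 1
    printf 'defaults write com.google.Chrome AuthServerWhitelist "%s"\n' "$1"
}

# Constructed sample (not from the doc): one SSO host plus a domain wildcard.
chrome_allowlist_command "https://sso.example.com, *.example.com"
```

Newer Chrome releases also accept the AuthServerAllowlist policy name with the same value format.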
Safari
For Macs running OS X, IWA is enabled automatically for Safari.
Microsoft Edge
To enable IWA on Microsoft Edge, use the following steps:
- In the Windows Control Panel, select Network and Internet > Internet Options > Security > Local Intranet > Sites > Advanced.
- In the field under Add this website to the zone, enter the SSO domain.
- Click Add.
Admins use their organization's preferred method to enable IWA for all users. For example, an admin might use Microsoft Group Policy Object (GPO) to enable IWA for all their users. To learn more, see Kerberos Trust Relationship Configuration Guide for Windows Server 2012 & GPO Push.
Configuring Automatic Private Applications Reauthentication
After you've configured your IdP for SSO and enabled IWA, you can now configure automatic Private Applications reauthentication. To configure automatic Private Applications reauthentication:
- In the Admin Portal, go to Infrastructure > Connectors > Client > App Supportability.
- On the App Supportability tab, select the Automatically Attempt ZPA Reauthentication switch.
Successful authentication allows users to continue accessing Private Applications. If unsuccessful, users are prompted to reauthenticate with their credentials using Zscaler Client Connector. To manually reauthenticate in Zscaler Client Connector, the user:
- Clicks Authenticate, and then provides their credentials in the authentication page.
- Clicks Sign In to authenticate.
Automatic Private Applications reauthentication is supported by macOS for Zscaler Client Connector versions 3.0 and above for SSO-based authentication. If Zscaler Client Connector needs any inputs from the end user, then the end user must manually reauthenticate using the steps above.