About Kerberos Authentication

Zscaler supports authentication using Kerberos, an industry-standard secure protocol. Unlike the other supported authentication mechanisms, Kerberos does not use cookies for authentication. It is a ticket-based authentication protocol that is widely used to authenticate users to network services. For more information about the Kerberos protocol, refer to RFC 4120, The Kerberos Network Authentication Service.


Using Kerberos to authenticate users provides the following benefits:

  • It enables the Zscaler service to authenticate users when they use applications that do not support cookies, such as Office 365 and Windows Metro apps.
  • It enables transparent Single Sign-On (SSO) authentication for users. Users authenticate themselves once, when they log in to their corporate domain. They do not need to explicitly authenticate to the Zscaler service, because authentication occurs transparently with Kerberos, as explained in How does Zscaler Kerberos authentication work?
  • The service can enforce granular user, group and department policies on proxied FTP transactions as well as HTTPS transactions, without having to decrypt the HTTPS transactions.
  • Your organization does not need to configure its firewall to allow incoming connections from the Zscaler Enforcement Nodes (ZENs).
  • Kerberos is a secure, open standard protocol that most operating systems support, including Windows 7, Windows 8, OS X, Linux, and FreeBSD. Additionally, most browsers support Kerberos authentication, including Internet Explorer, Firefox and Safari.


The Zscaler Kerberos implementation provides the following features:

  • It is simple to configure and manage. Your organization and the Zscaler service establish a one-way trust that is based on a shared password, eliminating the need to upload and manage keytab files or to join the ZENs to your domain. See How does Zscaler Kerberos authentication work?
  • It offers various deployment options. Your organization can use Kerberos as its sole authentication method or combine it with another method, such as SAML or LDAP. See Deployment Options in Kerberos Deployment Guidelines.
  • It can be used to authenticate road warriors as well. (DirectAccess is required. See Deployment Options in Kerberos Deployment Guidelines.)


Kerberos authentication currently has the following limitation:

  • The Zscaler service does not support Kerberos on Windows XP, Apple iOS or Android devices.

To learn more about how Zscaler implements Kerberos, see the following articles:

Before deploying Kerberos, see Kerberos Deployment Guidelines and Kerberos Requirements.

For step-by-step instructions for deploying Kerberos, see How do I deploy Kerberos?