The Zscaler service uses Kerberos cross-realm authentication, enabling clients from your organization’s domain to authenticate themselves to the Zscaler Enforcement Nodes (ZENs) in the Zscaler domain. Your organization and the Zscaler domain establish a one-way trust relationship based on a shared password, eliminating the need to upload and manage keytab files or to join the ZENs to your domain.
For an overview of Kerberos authentication, see About Kerberos Authentication.
The following diagram shows a simplified view of the authentication process after the trust relationship is established. Note the following:
If the ZEN does not find a Zscaler cookie for the domain in the HTTP request, it returns a 407 Proxy Authentication Required response carrying a Negotiate challenge.
The domain controller issues a cross-realm ticket.
The ZEN decrypts the ticket and, after verifying the user name, forwards the request to the web site.
As shown in the diagram, users authenticate themselves only once, when they log in to the corporate domain. They do not need to log in separately to the Zscaler service. Additionally, because the Zscaler service identifies users through the Proxy-Authorization header, it can apply user, group, and department policies to FTP transactions and to HTTPS transactions without decrypting them.
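As an added illustration of the exchange described above (example code, not Zscaler's own), the following Python classifies constructed proxy transaction records by how each client answered the 407 Negotiate challenge: a Zscaler cookie that avoids the challenge, a Kerberos token in the Proxy-Authorization header, an NTLM token carried inside the Negotiate scheme (a sign that the cross-realm Kerberos path was not used), a Basic downgrade, or a client that never gets past the challenge. The record layout, token bytes and client addresses are assumptions constructed for the example.

```python
import base64
from collections import defaultdict

# Constructed tokens, not captured traffic: a GSS-API InitialContextToken (DER
# APPLICATION 0, as SPNEGO/Kerberos use) and an NTLMSSP NEGOTIATE message header.
KRB = base64.b64encode(b"\x60\x20\x06\x06\x2b\x06\x01\x05\x05\x02").decode()
NTLM = base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode()
# Constructed request/response pairs as seen at the proxy, in order per client.
SAMPLE = [
    {"client": "10.0.0.5", "cookie": True, "proxy_authorization": None, "status": 200},
    {"client": "10.0.0.7", "cookie": False, "proxy_authorization": None, "status": 407},
    {"client": "10.0.0.7", "cookie": False, "proxy_authorization": "Negotiate " + KRB, "status": 200},
    {"client": "10.0.0.9", "cookie": False, "proxy_authorization": None, "status": 407},
    {"client": "10.0.0.9", "cookie": False, "proxy_authorization": "Negotiate " + NTLM, "status": 200},
    {"client": "10.0.0.11", "cookie": False, "proxy_authorization": "Basic dXNlcjpwYXNz", "status": 200},
    {"client": "10.0.0.13", "cookie": False, "proxy_authorization": None, "status": 407},
    {"client": "10.0.0.13", "cookie": False, "proxy_authorization": None, "status": 407},
    {"client": "10.0.0.13", "cookie": False, "proxy_authorization": None, "status": 407},
]
OUTCOME = {"kerberos": "kerberos_ok", "ntlm": "ntlm_fallback", "basic": "basic_downgrade"}

def classify_scheme(value):
    """Mechanism actually carried by a Proxy-Authorization header value."""
    scheme, _, token = (value or "").partition(" ")
    if scheme.lower() != "negotiate":
        return "basic" if scheme.lower() == "basic" else "other"
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:
        return "other"
    if raw.startswith(b"NTLMSSP\x00"):
        return "ntlm"   # Negotiate scheme, but NTLM inside: Kerberos was not used
    return "kerberos" if raw[:1] == b"\x60" else "other"

def analyze(records, loop_threshold=3):
    """Map each client to how its authentication exchange with the proxy ended."""
    challenges, outcome = defaultdict(int), {}
    for r in records:
        c = r["client"]
        if c in outcome:
            continue                      # first decisive record wins
        if r["status"] == 407:
            challenges[c] += 1            # 407 Negotiate challenge; client must retry
            if challenges[c] >= loop_threshold:
                outcome[c] = "auth_loop"  # never answered the challenge successfully
        elif r["cookie"] and not r["proxy_authorization"]:
            outcome[c] = "cookie"         # Zscaler cookie present, no challenge needed
        else:
            outcome[c] = OUTCOME.get(classify_scheme(r["proxy_authorization"]), "unauthenticated")
    return outcome
```

Running analyze(SAMPLE) over the constructed records reports one outcome per client; in a real deployment the same logic would be fed from the proxy's transaction logs, and any ntlm_fallback or auth_loop result points at a client whose cross-realm ticket was not issued or not accepted.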
To learn more about how Zscaler implements Kerberos, see the following articles:
For step-by-step instructions for deploying Kerberos, see How do I deploy Kerberos?