Kerberos Deployment Guidelines

Before you deploy Kerberos, take note of the following guidelines:

  • To enforce Kerberos authentication, your organization must send its traffic to port 80, 443 or 8800. Following are some guidelines about these ports:
    • The Zscaler service enforces Kerberos on all explicitly forwarded traffic it receives on port 8800, unless the location does not have authentication enabled. The SSL inspection settings and other settings are inherited from the location. If Kerberos is not enabled for a location, but you would like some users from that location to use Kerberos, you can send their traffic to port 8800 as well. Ensure also that road warriors send their traffic to port 8800. (Note that the service does not perform SSL inspection on this traffic.)
    • Enabling Kerberos on a location enforces Kerberos authentication on all traffic that is explicitly forwarded to the service from that location and its dedicated proxy ports. Therefore, when Kerberos is enabled on a location, you can forward traffic to port 80 or 443, and the service will still enforce Kerberos authentication.
  • Authentication must be enabled on a location that deploys Kerberos authentication for some or all its users.

See Kerberos Requirements for tasks you must complete before deploying Kerberos.

See below to learn about the different ways that Kerberos authentication can be deployed.

IMPORTANT: The service supports Kerberos authentication only on traffic that is forwarded to the service in explicit mode. It does not support Kerberos authentication on traffic forwarded to the service in purely transparent mode (traffic forwarded through a GRE or IPsec tunnel while the browser is not configured to use a PAC file to forward traffic), regardless of the location settings or destination port.

Deployment Options

Kerberos can be used by itself or combined with other authentication mechanisms, depending on your business requirements. Following are some typical deployment scenarios and guidelines:

All users in a location use Kerberos authentication.

You can enable Kerberos for a location, requiring all its users to authenticate via Kerberos. Do the following to deploy Kerberos for all users in a location:

  • Provision the users on the Zscaler service.
  • Configure Kerberos and enable it for the location. (See How do I deploy Kerberos?)
    When you enable Kerberos on a location, the service automatically uses Kerberos to authenticate users from that location.
  • Distribute the default Kerberos PAC file URL to all users in the location. 
    The default Kerberos PAC file forwards traffic to port 8800, the default Kerberos port on ZENs. Because Kerberos is enabled for the location, there is no need to send the traffic to port 8800. However, if you want to send the traffic to port 80 instead of port 8800, due to firewall constraints, copy the default Kerberos PAC file and replace the variables ${GATEWAY_HOST}:8800 with ${GATEWAY_HOST}:80 and ${SECONDARY_GATEWAY_HOST}:8800 with ${SECONDARY_GATEWAY_HOST}:80. Or, if your organization subscribes to a dedicated proxy port, specify that port instead. (See How do I use the Zscaler Kerberos default PAC file?)

The location has a primary authentication mechanism, such as LDAP or SAML, and only some users use Kerberos for authentication.

To enable some users in a location to authenticate via Kerberos, distribute the default Kerberos PAC file URL to those users.
Do the following to deploy Kerberos for specific users:

Road warriors use Kerberos for authentication.

Ensure that road warriors have the requirements described below.

  • Road warriors must use DirectAccess to connect to the KDC Proxy.

    NOTE:
    • DirectAccess is supported on Windows 7 Enterprise, Windows 7 Ultimate, and Windows 8 Enterprise editions only. Windows 7 Professional and Windows 8 Professional do not support DirectAccess. There are no native clients for OS X and Linux.
    • Road warrior access without DirectAccess may work for other VPN solutions.
  • Edit the default Kerberos PAC file and distribute its URL to the road warriors.
    Copy the default Kerberos PAC file and add a bypass for the KDC Proxy hostname. Retain the default destination port, port 8800, to ensure that road warrior traffic is sent to that port on the ZEN.
    If you want to send road warrior traffic to a dedicated proxy port to enable the service to apply customized SSL settings, do the following: 
    • In the PAC file, specify the dedicated proxy port as the destination port.
    • Ensure that Kerberos is enabled on the location associated with the dedicated proxy port.
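The two PAC file edits described above (replacing the ${GATEWAY_HOST}:8800 and ${SECONDARY_GATEWAY_HOST}:8800 destinations with another port for the all-users case, and adding a KDC Proxy bypass while keeping port 8800 for road warriors) can be scripted and checked before the PAC URL is distributed. The following is an added example and is not Zscaler's code or its actual default Kerberos PAC file: the PAC text is a constructed stand-in that only mimics the structure the page describes, the gateway and KDC Proxy hostnames are constructed placeholders, and the PAC helper functions (isPlainHostName, dnsDomainIs, shExpMatch) are minimal shims so the result can be evaluated offline in Node.js.

```javascript
// Added example; not Zscaler's own code. The PAC below is a constructed stand-in
// for the default Kerberos PAC file: it forwards explicit traffic to
// ${GATEWAY_HOST}:8800 / ${SECONDARY_GATEWAY_HOST}:8800 and leaves those
// variables for the service to fill in. No DIRECT fallback is appended to the
// proxy list, so a gateway outage fails closed instead of bypassing the proxy.
const DEFAULT_KERBEROS_PAC = `
function FindProxyForURL(url, host) {
    if (isPlainHostName(host) || shExpMatch(host, "*.corp.example")) {
        return "DIRECT";
    }
    return "PROXY \${GATEWAY_HOST}:8800; PROXY \${SECONDARY_GATEWAY_HOST}:8800";
}
`;

// Constructed values standing in for what the service substitutes on download.
const GATEWAY_VARS = {
  GATEWAY_HOST: "gateway.example.invalid",
  SECONDARY_GATEWAY_HOST: "gateway2.example.invalid",
};

// All-users case: change the destination port on both gateway variables
// (8800 -> 80, or a dedicated proxy port). Only ":8800" directly after a
// gateway variable is rewritten, so other literals in the PAC stay intact.
function rewriteGatewayPort(pacText, newPort) {
  return pacText.replace(/(\$\{(?:SECONDARY_)?GATEWAY_HOST\}):8800/g, `$1:${newPort}`);
}

// Road-warrior case: insert a DIRECT bypass for the KDC Proxy hostname as the
// first rule, and leave the gateway port at 8800 so everything else still
// reaches the Kerberos port on the ZEN.
function addKdcProxyBypass(pacText, kdcProxyHost) {
  const rule =
    `    if (shExpMatch(host, "${kdcProxyHost}")) {\n` +
    `        return "DIRECT";\n` +
    `    }\n`;
  return pacText.replace(/(function FindProxyForURL\([^)]*\)\s*\{\n)/, `$1${rule}`);
}

// Minimal stand-ins for the helper functions a browser's PAC runtime provides.
const PAC_HELPERS = {
  isPlainHostName: (host) => !host.includes("."),
  dnsDomainIs: (host, domain) => host.endsWith(domain),
  shExpMatch: (str, pattern) => {
    const re = pattern
      .replace(/[.+^${}()|[\]\\]/g, "\\$&") // escape regex metacharacters
      .replace(/\*/g, ".*")
      .replace(/\?/g, ".");
    return new RegExp(`^${re}$`).test(str);
  },
};

// Fill in the gateway variables, compile the PAC with the helpers in scope and
// return the proxy string the browser would use for (url, host).
function resolveProxy(pacText, url, host) {
  const filled = pacText.replace(/\$\{(\w+)\}/g, (match, name) => GATEWAY_VARS[name] ?? match);
  const factory = new Function(...Object.keys(PAC_HELPERS), `${filled}\nreturn FindProxyForURL;`);
  return factory(...Object.values(PAC_HELPERS))(url, host);
}

// Usage: build both variants and show where each kind of request ends up.
const port80Pac = rewriteGatewayPort(DEFAULT_KERBEROS_PAC, 80);
const roadWarriorPac = addKdcProxyBypass(DEFAULT_KERBEROS_PAC, "kdcproxy.example.invalid");
console.log(resolveProxy(port80Pac, "https://www.example.com/", "www.example.com"));
console.log(resolveProxy(roadWarriorPac, "https://kdcproxy.example.invalid/KdcProxy", "kdcproxy.example.invalid"));
console.log(resolveProxy(roadWarriorPac, "https://www.example.com/", "www.example.com"));
```

Evaluating the edited PAC against a handful of representative hosts before publishing it catches the two mistakes that silently break enforcement: a port rewrite that missed the secondary gateway entry, and a KDC Proxy bypass placed after the proxy rule where it never matches.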