Secure Internet and SaaS Access (ZIA)
Kerberos Trust Relationship Configuration Guide for Windows Server & GPO Push
This configuration guide illustrates how to establish a one-way cross-realm trust from your organization's server to the Zscaler service. This one-way trust enables Zscaler to trust the authenticated users of the domain and NOT the reverse. Administrator access to the domain controller is required to establish a cross-realm trust and to use GPO to push configuration settings. To learn more about Kerberos, see About Kerberos Authentication. To learn more about deploying Kerberos, see Deploying Kerberos Authentication.
In this guide:
- The KDC in the organization's realm is Windows Server configured as a Domain Controller
- The Windows client is running Windows 8.1 and is joined to the domain
- The domain user, Jane Doe, can log in to the Windows client using domain credentials
- The Zscaler domain is the Zscaler cloud name. In this example, it is ZSCALERBETA.NET. To learn how you can find your cloud name, see What is my cloud name for ZIA?
Configure the Cross-Realm Trust on Windows Server
This section describes how to configure the KDC and the Active Directory GPO feature on a Windows Server. For information on Active Directory GPO and GPMC, refer to the Windows Active Directory and GPMC documentation.
To configure the cross-realm trust on Windows Server:
- 1. Create the New Trust
Log in to the Windows server as administrator. Open the Server Manager and do the following:
- Go to DNS and from the Tools menu, choose Active Directory Domains and Trusts.
See image. - In the Active Directory Domains and Trusts window, hover over your domain, right-click and select Properties.
See image. - In the Properties window, go to the Trusts tab and click New Trust.
See image. - When the New Trust wizard appears, click Next.
- For Trust Name, enter the Zscaler cloud name in uppercase letters and click Next.
You can find your cloud name by looking at the URL you use to log in to the ZIA Admin Portal. For example, if you log in to https://admin.zscalerbeta.net/, your cloud name is ZSCALERBETA.NET as shown in the following image.
See image. - For Trust Type, select Realm trust and click Next.
See image. - For Transitivity of Trust, select Nontransitive and click Next.
See image. - For Direction of Trust, select One-way: incoming and click Next.
See image. - For Trust Password, paste the password that you copied from Zscaler.
See image. - When the Wizard displays your settings, verify them and click Next.
See image.
- Go to DNS and from the Tools menu, choose Active Directory Domains and Trusts.
- 2. Configure the Trust Properties
Configure the properties of the newly configured trust.
- Open the Properties window of your domain.
See image. - In the Properties windows, select the following and click OK:
- The other domain supports Kerberos AES Encryption.
- Non-transitive: only users from the directly trusted domain may authenticate in the trusting domain.
See image.
- Open the Properties window of your domain.
- 3. Validate the Settings
Ensure that your configuration is correct before you proceed to the next step.
- On the Windows server, open the Windows PowerShell and enter the following command. Replace
Zscaler Cloudwith the name of the Zscaler cloud that you use.
Get-ADObject -Filter {trustPartner -eq "Zscaler Cloud"} -Properties *- Ensure that the following values are displayed:
- CN: Zscaler cloud name (In this example, it is ZSCALERBETA.NET).
- msDS-SupportedEncryptionTypes: 24
- Name: Zscaler cloud name (In this example, it is ZSCALERBETA.NET).
- objectClass: trustedDomain
- trustAttributes: 1
- trustDirection: 1
- trustPartner: Zscaler cloud name (In this example, it is ZSCALERBETA.NET).
- trustType: 3
See image.
- On the Windows server, open the Windows PowerShell and enter the following command. Replace
- 4. Configure GPO to Push the Configuration to Users
On the Windows server, open the Server Manager and do the following:
- Go to the Dashboard, and from the Tools menu, select Group Policy Management.
See image. - Go to Group Policy Management > Forest > Domains > Domain Name > Default Domain Policy, right-click and select Edit.
See image. - On the Group Policy Management Editor, go to Computer Configuration > Policies > Administrative Templates > System > Kerberos and from the Settings panel, select Define Interoperable Kerberos V5 realm settings.
See image. - In the Define interoperable Kerberos V5 realm settings window, select Enabled and click Show....
See image. - In the Show Contents window:
- Value name: Enter the Zscaler cloud name (In this example, it is ZSCALERBETA.NET).
- Value: Enter
<k>kerberos.Zscaler Cloud</k>. In this example, the value is<k>kerberos.zscalerbeta.net</k>.
- Click OK, and then click OK in the Define interoperable Kerberos V5 realm settings window.
- Select Define host name-to-Kerberos realm mappings.
See image. - In the Define host name-to-Kerberos realm mappings window, select Enabled and click Show....
See image. - In the Show Contents window:
- Value name: Enter the Zscaler cloud name. In this example, it is ZSCALERBETA.NET.
- Value: Enter the Zscaler domain names. In this example, it is .zscalerbeta.net; .gateway.zscalerbeta.net.
Both the domain names must have leading dots to match all subdomains.
- Click OK, click OK in the Define host name-to-Kerberos realm mappings window, and close the Group Policy Management Editor.
- Go to Group Policy Management > Default Domain Policy and click the Settings tab.
See image. - Expand Computer Configuration > Administrative Templates > System/Kerberos and verify each policy.
- Scroll to the next policy.
- Go to the Dashboard, and from the Tools menu, select Group Policy Management.
- 5. Validate the GPO Configuration
To validate the GPO configuration:
- Open the Windows PowerShell and enter the following command to list the GPO registry value for the Zscaler KDC:
get-gpregistryvalue -key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\MitRealms" -name "Default Domain Policy"
- Verify the following values:
- ValueName: ZSCALERBETA.NET
- Value: kerberos.zscalerbeta.net
See image.
- Enter the following command to list the GPO registry value for the Zscaler domain:
get-gpregistryvalue -key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\domain_realm" -name "Default Domain Policy"
- Verify the following values:
- ValueName: ZSCALERBETA.NET
- Value: .zscalerbeta.net; .gateway.zscalerbeta.net
See image.
- 6. Configure the Windows Workstation
Log in to the Windows workstation, open the command prompt, and run the following commands:
klist ensures that you are logged in to the domain and can contact the domain controller. It displays the Kerberos tickets that were used by the workstation to log in to the domain. If, when you run klist, the Kerberos tickets are not displayed, then there is an inherent domain or workstation configuration issue that must be resolved before you proceed.
gpupdate /force
You can verify that the Zscaler Kerberos settings have been synchronized to the client and that the registry was updated by doing one of the following:
- Run the following queries in the Windows command prompt or the Windows Powershell:
reg query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\domain_realm
reg query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\MitRealms
OR
- Open the Registry editor and verify the domain_realm entries, as shown next.
Verify the MitRealms entries as shown next.
Ensure that the browser is configured with the Kerberos PAC file URL.
_settings_window.png "Local Area Network (LAN) Settings window")
Open the browser and browse to a site to ensure that you are not challenged for authentication or that the browser displays an “Internet Access Denied” error page.
Close
Troubleshooting
To troubleshoot your Kerberos configuration, see Troubleshooting Kerberos and ZIA Public Service Edge Error Codes for Kerberos.
The following are some helpful Microsoft documents: