Secure Internet and SaaS Access (ZIA)

Kerberos Trust Relationship Configuration Guide for Windows Server & GPO Push

This configuration guide illustrates how to establish a one-way cross-realm trust from your organization's server to the Zscaler service. This one-way trust enables Zscaler to trust the authenticated users of the domain and NOT the reverse. Administrator access to the domain controller is required to establish a cross-realm trust and to use GPO to push configuration settings. To learn more about Kerberos, see About Kerberos Authentication. To learn more about deploying Kerberos, see Deploying Kerberos Authentication.

In this guide:

  • The KDC in the organization's realm is a Windows Server configured as a domain controller
  • The Windows client is running Windows 8.1 and is joined to the domain
  • The domain user, Jane Doe, can log in to the Windows client using domain credentials
  • The Zscaler domain is the Zscaler cloud name. In this example, it is ZSCALERBETA.NET. To learn how you can find your cloud name, see What is my cloud name for ZIA?

Kerberos Trust Relationship Configuration Guide Diagram

Configure the Cross-Realm Trust on Windows Server

This section describes how to configure the KDC and the Active Directory GPO feature on a Windows Server. For information on Active Directory GPO and GPMC, refer to the Windows Active Directory and GPMC documentation.

To configure the cross-realm trust on Windows Server:

  • Log in to the Windows server as administrator. Open the Server Manager and do the following:

    1. Go to DNS and from the Tools menu, choose Active Directory Domains and Trusts.
    2. In the Active Directory Domains and Trusts window, hover over your domain, right-click and select Properties.
    3. In the Properties window, go to the Trusts tab and click New Trust.
    4. When the New Trust wizard appears, click Next.
    5. For Trust Name, enter the Zscaler cloud name in uppercase letters and click Next.
      You can find your cloud name by looking at the URL you use to log in to the ZIA Admin Portal. For example, if you log in to https://admin.zscalerbeta.net/, your cloud name is ZSCALERBETA.NET as shown in the following image.
    6. For Trust Type, select Realm trust and click Next.
    7. For Transitivity of Trust, select Nontransitive and click Next.
    8. For Direction of Trust, select One-way: incoming and click Next.
    9. For Trust Password, paste the password that you copied from Zscaler.
    10. When the Wizard displays your settings, verify them and click Next.
  • Configure the properties of the newly configured trust.

    1. Open the Properties window of your domain.
    2. In the Properties window, select the following and click OK:
      • The other domain supports Kerberos AES Encryption.
      • Non-transitive: only users from the directly trusted domain may authenticate in the trusting domain.
  • Ensure that your configuration is correct before you proceed to the next step.

    1. On the Windows server, open the Windows PowerShell and enter the following command. Replace Zscaler Cloud with the name of the Zscaler cloud that you use.
    Get-ADObject -Filter {trustPartner -eq "Zscaler Cloud"} -Properties *
    2. Ensure that the following values are displayed:
      • CN: Zscaler cloud name (In this example, it is ZSCALERBETA.NET).
      • msDS-SupportedEncryptionTypes: 24
      • Name: Zscaler cloud name (In this example, it is ZSCALERBETA.NET).
      • objectClass: trustedDomain
      • trustAttributes: 1
      • trustDirection: 1
      • trustPartner: Zscaler cloud name (In this example, it is ZSCALERBETA.NET).
      • trustType: 3
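The single Get-ADObject command above shows the raw attributes; the following script, an added example that is not part of the Zscaler guide, compares the trustedDomain object against every value the guide lists and decodes what each one means, so a misconfigured trust (wrong direction, transitive, or RC4 still offered) is caught before GPO push. It assumes the ActiveDirectory module (RSAT) is installed on the server.

```powershell
# Added example, not part of the Zscaler guide: checks the trustedDomain object that the
# New Trust wizard created against the values the guide says must be displayed.
# Assumes the ActiveDirectory module (RSAT-AD-PowerShell) is available.
Import-Module ActiveDirectory

$cloudName = 'ZSCALERBETA.NET'   # replace with your Zscaler cloud name, in uppercase

$trust = Get-ADObject -Filter { trustPartner -eq $cloudName } -Properties *
if (-not $trust) {
    throw "No trustedDomain object with trustPartner '$cloudName' was found."
}

# Expected attribute values from the guide, with their meaning.
$expected = [ordered]@{
    'objectClass'                   = 'trustedDomain'
    'trustType'                     = 3    # 3 = MIT Kerberos realm, not a Windows domain
    'trustDirection'                = 1    # 1 = incoming only: Zscaler trusts our users, not the reverse
    'trustAttributes'               = 1    # bit 0x1 = non-transitive
    'msDS-SupportedEncryptionTypes' = 24   # 0x08 (AES128) + 0x10 (AES256); RC4 bit (0x04) not set
}

$mismatches = @()
foreach ($attr in $expected.Keys) {
    $actual = $trust.$attr
    if ("$actual" -ne "$($expected[$attr])") {
        $mismatches += "$attr = '$actual' (expected '$($expected[$attr])')"
    }
}

# Decode the encryption-type bitmask so a wrong value is easy to interpret.
$etypeBits = [ordered]@{ 0x01 = 'DES-CRC'; 0x02 = 'DES-MD5'; 0x04 = 'RC4-HMAC'; 0x08 = 'AES128'; 0x10 = 'AES256' }
$etypes    = [int]$trust.'msDS-SupportedEncryptionTypes'
$enabled   = $etypeBits.Keys | Where-Object { $etypes -band $_ } | ForEach-Object { $etypeBits[$_] }
Write-Host "Trust '$($trust.Name)' offers encryption types: $($enabled -join ', ')"

if ($mismatches) {
    $mismatches | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Host "Trust object for $cloudName matches the expected one-way, non-transitive AES configuration."
```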
  • On the Windows server, open the Server Manager and do the following:

    1. Go to the Dashboard, and from the Tools menu, select Group Policy Management.
    2. Go to Group Policy Management > Forest > Domains > Domain Name > Default Domain Policy, right-click and select Edit.
    3. In the Group Policy Management Editor, go to Computer Configuration > Policies > Administrative Templates > System > Kerberos and from the Settings panel, select Define Interoperable Kerberos V5 realm settings.
    4. In the Define interoperable Kerberos V5 realm settings window, select Enabled and click Show....
    5. In the Show Contents window:
      • Value name: Enter the Zscaler cloud name (In this example, it is ZSCALERBETA.NET).
      • Value: Enter kerberos.Zscaler Cloud, replacing Zscaler Cloud with the name of the Zscaler cloud that you use. In this example, the value is kerberos.zscalerbeta.net.

    6. Click OK, and then click OK in the Define interoperable Kerberos V5 realm settings window.
    7. Select Define host name-to-Kerberos realm mappings.
    8. In the Define host name-to-Kerberos realm mappings window, select Enabled and click Show....
    9. In the Show Contents window:
      • Value name: Enter the Zscaler cloud name. In this example, it is ZSCALERBETA.NET.
      • Value: Enter the Zscaler domain names. In this example, it is .zscalerbeta.net; .gateway.zscalerbeta.net.

    Both domain names must have leading dots so that all of their subdomains match.

    10. Click OK, click OK in the Define host name-to-Kerberos realm mappings window, and close the Group Policy Management Editor.
    11. Go to Group Policy Management > Default Domain Policy and click the Settings tab.
    12. Expand Computer Configuration > Administrative Templates > System/Kerberos and verify each policy.
    13. Scroll to the next policy.
  • To validate the GPO configuration:

    1. Open the Windows PowerShell and enter the following command to list the GPO registry value for the Zscaler KDC:
    get-gpregistryvalue -key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\MitRealms" -name "Default Domain Policy"
    2. Verify the following values:
    3. Enter the following command to list the GPO registry value for the Zscaler domain:
    get-gpregistryvalue -key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\domain_realm" -name "Default Domain Policy"
    4. Verify the following values:
      • ValueName: ZSCALERBETA.NET
      • Value: .zscalerbeta.net; .gateway.zscalerbeta.net
  • Log in to the Windows workstation, open the command prompt, and run the following commands:

    klist

    klist ensures that you are logged in to the domain and can contact the domain controller. It displays the Kerberos tickets that the workstation used to log in to the domain. If the Kerberos tickets are not displayed when you run klist, there is an inherent domain or workstation configuration issue that must be resolved before you proceed.

    Screenshot of the klist command and response in Command Prompt

    gpupdate /force

    Screenshot of the gpupdate /force command and response in Command Prompt

    You can verify that the Zscaler Kerberos settings have been synchronized to the client and that the registry was updated by doing one of the following:

    • Run the following queries in the Windows command prompt or Windows PowerShell:
    reg query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\domain_realm

    Screenshot running the domain_realm query in Command Prompt

    reg query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\MitRealms

    Screenshot running a query in Command Prompt

    OR

    • Open the Registry editor and verify the domain_realm entries, as shown next.

    Screenshot of the domain_realm entries in the Registry Editor window

    Verify the MitRealms entries as shown next.

    Screenshot of the MitRealms entries in the Registry Editor window

    Ensure that the browser is configured with the Kerberos PAC file URL.

    Screenshot of the Local Area Network (LAN) Settings window

    Open the browser and browse to a site to ensure that you are neither challenged for authentication nor shown an “Internet Access Denied” error page.

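The reg query and Registry Editor checks above are manual. As an added example that is not part of the Zscaler guide, the following script reads the same two policy keys on the client after gpupdate /force and flags the failure modes the guide calls out: a missing realm entry and a host-name mapping without its leading dot. The key paths come from the guide; the layout under MitRealms (one subkey per realm holding a KdcNames value) is an assumption.

```powershell
# Added example, not part of the Zscaler guide: verifies on a domain-joined client that the
# two Kerberos GPO settings were applied, by reading the policy registry keys the guide names.
# Run after 'gpupdate /force'. The MitRealms\<REALM> subkey and its KdcNames value are an
# assumed layout; only the key paths themselves appear in the guide.
$cloudName   = 'ZSCALERBETA.NET'                             # your Zscaler cloud name
$expectedMap = '.zscalerbeta.net; .gateway.zscalerbeta.net'  # host-to-realm mapping from the guide
$base        = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos'

$problems = @()

# 1. domain_realm: a value named after the realm, holding the host-name suffixes.
$domainRealm = Get-ItemProperty -Path "$base\domain_realm" -ErrorAction SilentlyContinue
$mapping     = $domainRealm.$cloudName
if (-not $mapping) {
    $problems += "domain_realm has no value named '$cloudName' (GPO not applied yet?)."
} else {
    # Each suffix must start with a dot so that every subdomain matches.
    $suffixes = $mapping -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    foreach ($s in $suffixes) {
        if (-not $s.StartsWith('.')) { $problems += "Mapping '$s' lacks its leading dot." }
    }
    $wanted  = $expectedMap -split ';' | ForEach-Object { $_.Trim() }
    $missing = $wanted | Where-Object { $suffixes -notcontains $_ }
    if ($missing) { $problems += "domain_realm is missing: $($missing -join ', ')" }
}

# 2. MitRealms: one subkey per interoperable realm (assumed layout) carrying the KDC names.
$realmKey = "$base\MitRealms\$cloudName"
if (-not (Test-Path $realmKey)) {
    $problems += "MitRealms has no subkey for '$cloudName'."
} else {
    $realm = Get-ItemProperty -Path $realmKey
    $kdcs  = @($realm.KdcNames)   # assumed value name; inspect the key in regedit if it differs
    if (-not $kdcs) { $problems += "No KDC names recorded under $realmKey." }
    else { Write-Host "KDC(s) configured for $cloudName : $($kdcs -join ', ')" }
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Host "Kerberos GPO settings for $cloudName are present on this client."
```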

Troubleshooting

To troubleshoot your Kerberos configuration, see Troubleshooting Kerberos and ZIA Public Service Edge Error Codes for Kerberos.

The following are some helpful Microsoft documents:

Screenshot of the Define host name-to-Kerberos realm mappings setting in the Group Policy Management Editor window

Screenshot of the Define interoperable Kerberos V5 realm settings policy under System/Kerberos

Related Articles

  • About Kerberos Authentication
  • Kerberos Authentication Deployment Guidelines
  • Deploying Kerberos Authentication
  • Kerberos Trust Relationship Configuration Guide for Windows Server & GPO Push
  • Kerberos Trust Relationship Configuration Guide for Linux Server
  • Using the Default Zscaler Kerberos PAC File
  • Troubleshooting Kerberos Authentication
  • ZIA Error Codes for Kerberos Authentication