Secure Internet and SaaS Access (ZIA)

Troubleshooting Kerberos Authentication

Kerberos authentication can be affected by some network configuration parameters, such as time synchronization. This article provides guidelines for troubleshooting Kerberos on your domain controller and on your users' devices.

There are four major components involved with Kerberos authentication:

  • Your Zscaler cloud, which includes the Kerberos server (KDC), the Zscaler Central Authority (CA), and the ZIA Public Service Edge. (See What is my cloud name for ZIA?)
  • Your domain controller, which includes a KDC configured for cross-realm authentication.
  • Your users' devices, which are joined to your domain and have obtained the cross-realm settings from the domain controller through GPO.
  • The network infrastructure that connects the three components above, including switches, routers, firewalls, etc.

Zscaler recommends that you first troubleshoot Kerberos on your domain controller.

To learn more about using Kerberos for your organization, see About Kerberos Authentication.

Troubleshooting on the Domain Controller

Before troubleshooting, ensure that the administrator has been provisioned on the Zscaler service as a user so that Kerberos authentication doesn't fail.

To troubleshoot on your domain controller:

  1. Log in to your domain controller.
  2. Ensure that your domain controller has the correct time and date, because the Kerberos protocol uses timestamps. If the time and date settings on your domain controller differ from the Zscaler KDC by more than five minutes, authentication will fail.
  3. Configure the browser to use Zscaler cloud on port 8800, the default Kerberos authentication port on ZIA Public Service Edges. Internet Explorer and Mozilla Firefox browsers support Kerberos authentication by default.
  4. Open https://www.zscaler.com/. If the page is rendered properly, then the cross-realm settings are configured properly, and you can skip the next step and go to step 6.
  5. If the cross-realm settings are configured incorrectly, then the ZIA Public Service Edge displays a page with an error code. For more information about the error codes, see ZIA Public Service Edge Error Codes for Kerberos.
  6. Open Windows PowerShell and run the command klist purge to clear the Kerberos ticket cache.
  7. After clearing the Kerberos ticket cache, open https://www.zscaler.com/.
  8. In Windows PowerShell, run the command klist. If any of the following three Kerberos ticket-granting tickets (krbtgt) is not displayed when you run klist, then there is an issue with the server that issues that ticket.
    • Zscaler KDC krbtgt ticket: The user device obtains this ticket from your organization's domain controller. This ticket grants access to the Zscaler KDC. If this ticket is not displayed, then the configuration on your KDC may be incorrect. Please configure your KDC again.
    • Your company's KDC krbtgt ticket: The user device obtains this ticket from your organization's domain controller. This ticket grants access to that domain controller. If this ticket is not displayed, then your company's internal KDC is not issuing Zscaler KDC tickets. Please contact your company's IT support.
    • ZIA Public Service Edge krbtgt ticket: The user device obtains this ticket from the Zscaler KDC. This ticket grants access to the ZIA Public Service Edge. If this ticket is not displayed, then the ZIA Public Service Edge is not issuing tickets. Please contact Zscaler Support.
  9. In Windows PowerShell, run the command nltest /domain_trusts. The Zscaler domain must be in the domain trusts list as an inbound trust.

Your Zscaler domain name is the same as your Zscaler cloud name. In this example, it is ZSCALERTWO.NET. To learn how you can find your cloud name, see What is my cloud name for ZIA?

If you do not see the Zscaler domain in the domain trusts list, you must add it as a trusted domain. See 1. Create the New Trust in Kerberos Trust Relationship Configuration Guide for Windows Server 2012 and GPO Push.

  10. If the Zscaler KDC domain is registered correctly, run the command ping kerberos.<Zscaler Cloud> in Windows PowerShell. The IP address displayed must be the Zscaler CA's IP address.

If the Zscaler KDC domain has been configured incorrectly, reconfigure the KDC. For instructions, see Kerberos Trust Relationship Configuration Guide for Windows Server 2012 and GPO Push.

  11. To check the cross-realm configuration:
    1. Log in to the Windows server as administrator. Open the Server Manager and go to DNS. From the Tools menu, choose Active Directory Domains and Trusts.
    2. Right-click on your domain and select Properties. In the Properties window, go to the Trusts tab.
    3. Select the Zscaler domain, and then click Properties.

If the Zscaler domain is not displayed, you must add the Zscaler domain as a trusted domain. See 1. Create the New Trust in Kerberos Trust Relationship Configuration Guide for Windows Server 2012 and GPO Push.

  12. Ensure that the option The other domain supports Kerberos AES Encryption is enabled.

There is no way to check the cross-realm password of an added trust. You must delete the domain trust and re-add the trust with the correct password.

  13. To validate the GPO configuration:
    1. Open Windows PowerShell and enter the following command to list the GPO registry value for the Zscaler KDC:
      Get-GPRegistryValue -Key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\MitRealms" -Name "Default Domain Policy"
    2. Verify the following values:
      • ValueName: <Zscaler Cloud>. In this example, the value is ZSCALERTWO.NET.
      • Value: kerberos.<Zscaler Cloud>. In this example, the value is kerberos.zscalertwo.net.
    3. Enter the following command to list the GPO registry value for the Zscaler domain:
      Get-GPRegistryValue -Key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\domain_realm" -Name "Default Domain Policy"
    4. Verify the following values:
      • ValueName: <Zscaler Cloud>. In this example, the value is ZSCALERTWO.NET.
      • Value: .<Zscaler Cloud>; .gateway.<Zscaler Cloud>. In this example, the value is .zscalertwo.net; .gateway.zscalertwo.net.

If the correct values are not displayed, verify your configuration. For instructions, see Kerberos Trust Relationship Configuration Guide for Windows Server 2012 and GPO Push.
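The domain-controller checks above (clock skew, the three cached tickets after klist purge, the inbound trust, the kerberos.<Zscaler Cloud> address, and the two GPO registry values) can be run from one PowerShell session. The script below is an added example and is not part of the Zscaler article; it assumes the GroupPolicy and DnsClient modules are installed, that the Service Edge is reachable as gateway.<cloud> on port 8800, and it uses a public NTP source as a stand-in for the Zscaler KDC clock. $Cloud and $ExpectedCaIp are placeholders you replace with your own values.

```powershell
# Added example, not from the Zscaler article: runs the article's domain-controller checks
# from one session and prints PASS/FAIL per check. Assumes GroupPolicy and DnsClient modules.
param(
    [string]$Cloud        = "ZSCALERTWO.NET",   # your Zscaler cloud name (article's example value)
    [string]$ExpectedCaIp = "<Zscaler CA IP>",  # placeholder: the Zscaler CA address for your cloud
    [string]$Gpo          = "Default Domain Policy",
    [string]$TimeSource   = "time.windows.com"  # assumption: an NTP source as a proxy for KDC time
)
function Report($name, $pass, $detail) {
    "{0,-22} {1}  {2}" -f $name, $(if ($pass) { "PASS" } else { "FAIL" }), $detail
}

# Kerberos rejects tickets when clocks differ by more than five minutes (300 s).
$m = w32tm /stripchart /computer:$TimeSource /samples:1 /dataonly | Select-String '([+-]\d+\.\d+)s'
$skew = if ($m) { [math]::Abs([double]$m.Matches[0].Groups[1].Value) } else { $null }
Report "Clock skew" ($null -ne $skew -and $skew -lt 300) "$skew s against $TimeSource"

# Purge the cache, authenticate through the Service Edge (assumed host gateway.<cloud>:8800),
# then read the cached tickets back as server@issuing-realm strings.
klist purge | Out-Null
try { Invoke-WebRequest -UseBasicParsing -Uri "https://www.zscaler.com/" `
        -Proxy "http://gateway.$($Cloud.ToLower()):8800" -ProxyUseDefaultCredentials | Out-Null }
catch { Write-Warning "Request via Service Edge failed: $($_.Exception.Message)" }
$tickets = klist | Select-String 'Server:\s*(\S+)\s*@\s*(\S+)' |
           ForEach-Object { "$($_.Matches[0].Groups[1].Value)@$($_.Matches[0].Groups[2].Value)" }
$c = [regex]::Escape($Cloud)
Report "Zscaler KDC krbtgt"  ([bool]($tickets -match "^krbtgt/$c@"))         "issued by your DC"
Report "Company KDC krbtgt"  ([bool]($tickets -match '^krbtgt/([^@]+)@\1$')) "issued by your DC"
Report "Service Edge ticket" ([bool]($tickets -match "@$c$"))                "issued by Zscaler KDC"

# The Zscaler domain must be listed as an inbound trust.
$trust = nltest /domain_trusts | Select-String -SimpleMatch $Cloud | Where-Object { $_ -match 'Inbound' }
Report "Inbound trust" ([bool]$trust) "$trust"

# kerberos.<cloud> must resolve to the Zscaler CA address.
$ips = (Resolve-DnsName -Name "kerberos.$Cloud" -Type A -ErrorAction SilentlyContinue).IPAddress
Report "KDC DNS" ($ips -contains $ExpectedCaIp) "$ips"

# The two GPO registry values the article lists under MitRealms and domain_realm.
$base = "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos"
$mit = Get-GPRegistryValue -Name $Gpo -Key "$base\MitRealms" -ErrorAction SilentlyContinue |
       Where-Object { $_.ValueName -eq $Cloud }
Report "GPO MitRealms" ($mit.Value -eq "kerberos.$Cloud") "$($mit.Value)"
$dom = Get-GPRegistryValue -Name $Gpo -Key "$base\domain_realm" -ErrorAction SilentlyContinue |
       Where-Object { $_.ValueName -eq $Cloud }
Report "GPO domain_realm" (($dom.Value -join '; ') -eq ".$Cloud; .gateway.$Cloud") "$($dom.Value)"
```

Run it on the domain controller as an administrator; a FAIL line maps back to the step above that explains which server or setting to correct.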

Troubleshooting on User Devices

It is possible for Kerberos authentication to work on the domain controller, but to not work on a user's device. In this case, there may be an error with the GPO settings. You must check if GPO settings have been propagated from the domain controller to users. See 4. Configure GPO to Push the Configuration to Users in Kerberos Trust Relationship Configuration Guide for Windows Server 2012 and GPO Push.

After configuring GPO to push the cross-realm trust to your users, complete step 6 of this article on your user's device to check for the cached Kerberos tickets. Then, complete the rest of the steps to finish troubleshooting on your user's device.

Related Articles

  • About Kerberos Authentication
  • Kerberos Authentication Deployment Guidelines
  • Deploying Kerberos Authentication
  • Kerberos Trust Relationship Configuration Guide for Windows Server & GPO Push
  • Kerberos Trust Relationship Configuration Guide for Linux Server
  • Using the Default Zscaler Kerberos PAC File
  • Troubleshooting Kerberos Authentication
  • ZIA Error Codes for Kerberos Authentication