icon-zapp.svg
Client Connector

Configuring Automatic ZPA Reauthentication

You can enable Zscaler Client Connector to automatically attempt reauthentication for users with Zscaler Private Access (ZPA). This article describes how to configure automatic ZPA reauthentication.

This feature is only available for Zscaler Client Connector version 3.0 and later for Windows and macOS.

Prior to configuring automatic ZPA reauthentication, you must:

  1. Configure your IdP for single sign-on (SSO).
  2. Enable Integrated Windows Authentication (IWA).

Enabling IWA

After you configure your organization's IdP, you can enable IWA on the following browsers. Select a browser to learn more.

While IWA works with most browsers, it does not work over some HTTP proxy servers.

  • To enable IWA using Internet Explorer:

    1. Select Internet options in the Tools drop-down menu.

    1. On the Advanced tab under Security, select Enable Integrated Windows Authentication*.

    1. On the Security tab, click Local intranet > Sites > Advanced.

    1. Add the SSO domain.
    2. Click Close.

    Close

  • Enabling IWA on Mozilla Firefox depends on your OS.

    To enable IWA on Mozilla Firefox for Windows:

    1. Start about:config:
      1. In the URL field, enter about:config and press Enter.
      2. Click Accept the Risk and Continue.
    2. Configure network.negotiate-auth.trusted-uris:
      1. In the Search preference name field, enter negotiate.
      2. Click the Edit icon for network.negotiate-auth.trusted-uris.
      3. Add the SSO domain.
      4. Press Enter or click the checkmark.

    1. Configure network.automatic-ntlm-auth.trusted-uris:
      1. In the Search preference name field, enter automatic.
      2. Click the Edit icon for network.automatic-ntlm-auth.trusted-uris.
      3. Add the SSO domain.
      4. Press Enter or click the checkmark.

    To enable IWA on Mozilla Firefox for macOS:

    1. Start about:config:
      1. In the URL field, enter about:config and press Enter.
      2. Click Accept the Risk and Continue.
    2. Configure network.negotiate-auth.delegation-uris:
      1. In the Search preference name field, enter negotiate.
      2. Click the Edit icon for network.negotiate-auth.delegation-uris.
      3. Add the SSO domain.
      4. Press Enter or click the checkmark.

    1. Configure network.automatic-ntlm-auth.trusted-uris:
      1. In the Search preference name field, enter automatic.
      2. Click the Edit icon for network.automatic-ntlm-auth.trusted-uris.
      3. Add the SSO domain.
      4. Press Enter or click the checkmark.

    1. Configure network.automatic-ntlm-auth.allow-proxies:
      1. In the Search preference name field, enter automatic.
      2. Click the gray toggle for network.automatic-ntlm-auth.allow-proxies to set this value to true.

    1. Configure network.negotiate-auth.allow-proxies
      1. In the Search preference name field, enter negotiate.
      2. Click the gray toggle for network.negotiate-auth.allow-proxies to set this value to true.

    Close

  • For Windows and macOS, IWA is automatically enabled on Google Chrome and this function is allowlist-driven. The only way to change the policy is through the command prompt (Windows) or terminal window (macOS).

    To change the policy in Windows:

    1. Enter cmd into the search field on your taskbar to start the command prompt.
    2. Configure the allowlist using the following command-line parameter:

    --auth-server-whitelist="https://www.example.com".

    Use a comma to separate between multiple domains.

    To change the policy in macOS:

    1. Start the terminal application.
    2. Create a Kerberos ticket for the account using the following command: kinit username@example.com.
    3. Replace username@example.com with your username and domain. When prompted, enter your password.
    4. Configure the allowlist using the following command-line parameter:
      $ defaults write com.google.Chrome AuthServerWhitelist "httpsL//www.example.com, https://www.example2.net, https://www.example3.org".

    Use a comma to separate between multiple domains.

    Close

  • For Mac devices running OS X, IWA is enabled automatically for Safari.

    Close

  • To enable IWA on Microsoft Edge:

    1. In the Windows Control Panel, select Network and Internet > Internet Options.
    2. Click the Security tab and click Local Intranet > Sites.
    3. Click Advanced.

    1. In the Add this website to the zone field, enter the SSO domain.
    2. Click Add.
    3. Click Close.

    Close

Admins use their organization's preferred method to enable IWA for all users. For example, an admin might use Microsoft Group Policy Object (GPO) to enable IWA for all their users. To learn more, see Kerberos Trust Relationship Configuration Guide for Windows Server 2012 & GPO Push.

Configuring Automatic ZPA Reauthentication

After you've configured your IdP for SSO and enabled IWA, you can configure automatic ZPA reauthentication:

  1. In the Zscaler Client Connector Portal, go to Administration and select Client Connector Support.
  2. On the App Supportability tab:
    1. Select Automatically Attempt ZPA Reauthentication to allow users to continue to access ZPA. When enabled, this setting is applied upon enrollment to Zscaler Client Connector.
    2. From the Timeout for Automatic ZPA Reauthentication (in seconds) drop-down menu, select the time it takes for the browser to automatically reauthenticate. The default is 30 seconds. You can also select 60, 90, or 120 seconds.
  3. Click Save.

If automatic reauthentication is unsuccessful, users are prompted to reauthenticate with their credentials using Zscaler Client Connector.

Client-Connector-Automatic-ZPA-Reauthentication

Related Articles
About App SupportabilityConfiguring User Access to Logging Controls for Zscaler Client ConnectorConfiguring User Access to Support Options for Zscaler Client ConnectorConfiguring User Access to the Restart and Repair Options for Zscaler Client ConnectorConfiguring Automatic Username Population for IdP AuthenticationConfiguring Automatic ZPA ReauthenticationRegistering Devices with ZPA IdP Username