Kerberos Configuration Example: Trust Relationship on Windows Server 2012 and GPO Push

This configuration example illustrates how to establish a one-way cross-realm trust from your organization to the Zscaler service. This one-way trust enables Zscaler to trust the authenticated users of the domain and NOT the reverse. Administrator access to the domain controller is required to establish a cross-realm trust and to use GPO to push configuration settings.

For an overview of using Kerberos, see About Kerberos Authentication.

For step-by-step instructions for deploying Kerberos, see How do I deploy Kerberos?

In this example:

  • The KDC in the organization's realm is a Windows Server 2012 R2 configured as a Domain Controller.
  • The Windows client is running Windows 8.1 and is joined to the domain.
  • The domain user, Jane Doe, can log in to the Windows client using domain credentials.
  • The Zscaler domain is the Zscaler cloud name. In this example, it is ZSCALERBETA.NET.

This section describes how to configure the KDC and the Active Directory GPO feature on a Windows Server 2012 R2. For information on Active Directory GPO and GPMC, refer to the Windows Active Directory and GPMC documentation.

Configure the Cross-Realm Trust on the Windows Server

To configure the cross-realm trust:

A. Create the New Trust

Log in to the Windows server as administrator. Open the Server Manager and do the following:

  1. Go to DNS and from the Tools menu, choose Active Directory Domains and Trusts.
    See image.
  2. In the Active Directory Domains and Trusts window, point to your domain, right-click and select Properties.
    See image.
  3. In the Properties window, go to the Trusts tab and click New Trust.
    See image.
  4. When the New Trust Wizard appears, click Next.
  5. For Trust Name, enter the Zscaler cloud name in uppercase letters and click Next.
    You can find your cloud name by looking at the URL you use to log into the Zscaler admin portal. For example, if you log into https://admin.zscalerbeta.net/, your cloud name is ZSCALERBETA.NET as shown in the image below.
    See image.
  6. For Trust Type, select Realm Trust and click Next.
    See image.
  7. For Transitivity of Trust, select Nontransitive and click Next.
    See image.
  8. For Direction of Trust, select One-way incoming and click Next.
    See image.
  9. For Trust Password, paste the password that you copied from Zscaler.
    See image.
  10. When the Wizard displays your settings, verify them and click Next.
    See image.


B. Configure the Trust Properties

Configure the properties of the newly configured trust.

  1. Open the Properties window of your domain.
    See image.
  2. In the Properties window, select the following and click OK:
    • The other domain supports Kerberos AES Encryption.
    • Non-transitive only users from the directly trusted domain may authenticate in the trusting domain.
      See image.


C. Validate the Settings

Ensure that your configuration is correct before you move on to the next step.

  1. On the Windows server, open Windows PowerShell and type the command below. Replace "ZSCALERBETA.NET" with the name of the Zscaler cloud that you use.
     Get-ADObject -Filter {trustPartner -eq "ZSCALERBETA.NET"} -Properties *
  2. Ensure that the following values are displayed:
    • CN: Zscaler cloud name (In this example, it is ZSCALERBETA.NET.)
    • msDS-SupportedEncryptionTypes: 24
    • Name: Zscaler cloud name (In this example, it is ZSCALERBETA.NET.)
    • objectClass: trustedDomain
    • trustAttributes: 1
    • trustDirection: 1
    • trustPartner: Zscaler cloud name (In this example, it is ZSCALERBETA.NET.)
    • trustType: 3

      See image.
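The manual check above can be scripted so that each expected attribute is tested and the numeric flag values are decoded (24 in msDS-SupportedEncryptionTypes is AES128 0x08 plus AES256 0x10; trustAttributes 1 is non-transitive; trustDirection 1 is inbound; trustType 3 is an MIT-style realm). This is an added example, not part of the Zscaler page; it assumes the ActiveDirectory module is available and uses the example cloud name unless you pass your own.

```powershell
# Added example (not from the Zscaler page): verify the trustedDomain object created
# in sections A and B and decode its flag values. Assumes the ActiveDirectory module
# (RSAT or a domain controller). Adjust -CloudName for your own cloud.
param([string]$CloudName = 'ZSCALERBETA.NET')

Import-Module ActiveDirectory

$trust = Get-ADObject -Filter { trustPartner -eq $CloudName } `
    -Properties msDS-SupportedEncryptionTypes, trustAttributes, trustDirection, trustType, trustPartner

if (-not $trust) { throw "No trustedDomain object found for $CloudName" }

# Bit values as documented for these attributes; only those relevant here.
$AES128 = 0x08; $AES256 = 0x10        # msDS-SupportedEncryptionTypes
$LEGACY_ETYPES = 0x07                 # DES-CRC, DES-MD5, RC4
$NON_TRANSITIVE = 0x1                 # trustAttributes
$TRUST_DIRECTION_INBOUND = 1          # trustDirection
$TRUST_TYPE_MIT = 3                   # trustType (non-Windows Kerberos realm)

$etypes = [int]$trust.'msDS-SupportedEncryptionTypes'
$checks = @(
    @{ Name = 'objectClass is trustedDomain';     Ok = ($trust.ObjectClass -eq 'trustedDomain') }
    @{ Name = 'trustPartner matches cloud name';  Ok = ($trust.trustPartner -eq $CloudName) }
    @{ Name = 'trustType is MIT (3)';             Ok = ($trust.trustType -eq $TRUST_TYPE_MIT) }
    @{ Name = 'trustDirection is inbound (1)';    Ok = ($trust.trustDirection -eq $TRUST_DIRECTION_INBOUND) }
    @{ Name = 'trustAttributes is non-transitive'; Ok = (($trust.trustAttributes -band $NON_TRANSITIVE) -ne 0) }
    @{ Name = 'AES128 and AES256 enabled (24)';   Ok = (($etypes -band ($AES128 -bor $AES256)) -eq ($AES128 -bor $AES256)) }
    @{ Name = 'no DES/RC4 advertised';            Ok = (($etypes -band $LEGACY_ETYPES) -eq 0) }
)

$failed = 0
foreach ($c in $checks) {
    $status = if ($c.Ok) { 'PASS' } else { $failed++; 'FAIL' }
    Write-Host ("[{0}] {1}" -f $status, $c.Name)
}
if ($failed -gt 0) { Write-Error "$failed check(s) failed; review sections A and B." }
```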


D. Configure GPO to Push the Configuration to Users

On the Windows server, open the Server Manager and do the following:

  1. Go to the Dashboard, and from the Tools menu, select Group Policy Management.
    See image.
  2. Go to Group Policy Management > Forest > Domains > domain_name > Default Domain Policy, right-click and select Edit.
    See image.
  3. On the Group Policy Management Editor, go to Computer Configuration > Policies > Administrative Templates > System > Kerberos and from the Settings panel, select Define Interoperable Kerberos V5 realm settings.
    See image.
  4. On the Define the Kerberos V5 realm settings dialog, select Enabled and click Show.
    See image.
  5. Complete the fields as follows:
    • Value Name: Enter the Zscaler cloud name. In this example, it is ZSCALERBETA.NET
    • Value: Enter kerberos.zscaler_cloud. In this example, the value is kerberos.zscalerbeta.net
      See image.
  6. Click OK to exit the dialog, and then click OK to exit the Define the Kerberos V5 realm settings dialog.
  7. Select Define host name-to-Kerberos realm mappings.
    See image.
  8. On the Define host name-to-Kerberos realm mappings dialog, select Enabled and click Show.
    See image.
  9. Complete the fields as follows, and then click OK:
    • Value Name: Enter the Zscaler cloud name. In this example, it is ZSCALERBETA.NET
    • Value: Enter the Zscaler domain names. In this example, it is .zscalerbeta.net; .gateway.zscalerbeta.net

      IMPORTANT:
      Both the domain names must have leading dots to match all sub-domains.
      See image.
  10. Close the Group Policy Management Editor.
  11. Go to Group Policy Management > Default Domain Policy and click the Settings tab.
    See image.
  12. Expand Computer Configuration > Administrative Templates > System/Kerberos and verify each policy.
    See image.
  13. Scroll to the next policy.
    See image.


E. Validate the GPO Configuration

To validate the GPO configuration:

  1. Open Windows PowerShell and enter the following command to list the GPO registry value for the Zscaler KDC:
     Get-GPRegistryValue -Key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\MitRealms" -Name "Default Domain Policy"
  2. Verify the following values:
    • ValueName: ZSCALERBETA.NET
    • Value: kerberos.zscalerbeta.net
      See image.
  3. Enter the following command to list the GPO registry value for the Zscaler domain:
     Get-GPRegistryValue -Key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\domain_realm" -Name "Default Domain Policy"
  4. Verify the following values:
    • ValueName: ZSCALERBETA.NET
    • Value: .zscalerbeta.net; .gateway.zscalerbeta.net
      See image.


F. Configure the Windows Workstation

Log in to the Windows workstation, open the command prompt and run the following commands:

   klist

klist ensures that you are logged in to the domain and can contact the domain controller. It displays the Kerberos tickets that the workstation used to log in to the domain. If the Kerberos tickets are not displayed when you run klist, there is an underlying domain or workstation configuration issue that must be resolved before you proceed.

   gpupdate /force

You can verify that the Zscaler Kerberos settings have been synchronized to the client and that the registry was updated by doing one of the following:

  • Run the following queries in the Windows command prompt or Windows PowerShell:
	reg query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\domain_realm
	reg query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\MitRealms

OR

  • Open the Registry editor and verify the entries, as shown below.
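The two registry queries above confirm the keys exist but not that their contents are usable. The following script, an added example that is not part of the Zscaler page, reads both keys on the workstation and checks what sections D and E require: MitRealms maps the realm to kerberos.<cloud>, every domain_realm suffix carries the leading dot, and klist shows a ticket-granting ticket. It assumes the example cloud name unless you pass your own.

```powershell
# Added example (not from the Zscaler page): on the workstation, confirm that the GPO
# from section D has been applied and that the values are well-formed.
# Assumes the example cloud name; adjust -CloudName for your own cloud.
param([string]$CloudName = 'ZSCALERBETA.NET')

$base = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos'
$mitRealms   = Get-ItemProperty -Path "$base\MitRealms"    -ErrorAction SilentlyContinue
$domainRealm = Get-ItemProperty -Path "$base\domain_realm" -ErrorAction SilentlyContinue

$problems = New-Object System.Collections.Generic.List[string]

# 1. MitRealms must map the realm to kerberos.<cloud>, the Zscaler KDC name.
$expectedKdc = 'kerberos.' + $CloudName.ToLower()
$kdc = $mitRealms.$CloudName
if (-not $kdc) {
    $problems.Add("MitRealms has no value named $CloudName (GPO not applied? run gpupdate /force)")
} elseif ($kdc.ToLower() -ne $expectedKdc) {
    $problems.Add("MitRealms\$CloudName is '$kdc', expected '$expectedKdc'")
}

# 2. domain_realm must list each DNS suffix with a leading dot so sub-domains match.
$suffixes = $domainRealm.$CloudName
if (-not $suffixes) {
    $problems.Add("domain_realm has no value named $CloudName")
} else {
    foreach ($s in ($suffixes -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ })) {
        if (-not $s.StartsWith('.')) { $problems.Add("domain_realm entry '$s' lacks a leading dot") }
        if ($s.ToLower() -notlike "*$($CloudName.ToLower())") {
            $problems.Add("domain_realm entry '$s' is not under $CloudName")
        }
    }
}

# 3. Without a TGT for the user's own domain, cross-realm authentication cannot start.
if (-not (klist 2>$null | Select-String -Pattern 'krbtgt/')) {
    $problems.Add('klist shows no krbtgt ticket; fix the domain logon before testing Zscaler')
}

if ($problems.Count -eq 0) { Write-Host 'Client Kerberos realm settings look correct.' }
else { $problems | ForEach-Object { Write-Warning $_ } }
```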

Ensure that the browser is configured with the Kerberos PAC file URL.

Open the browser and browse to a site to ensure that you are not challenged for authentication and that the browser does not display an “Internet Access Denied” error page.