How do I deploy Kerberos?

This article provides step-by-step instructions for deploying Kerberos for your organization.

For more background information about using Kerberos for your organization, see About Kerberos Authentication.

Before deploying Kerberos, see Kerberos Deployment Guidelines and Kerberos Requirements.

Deploy Kerberos

A. Verify that your Kerberos realm name is a registered domain on the Zscaler service.

Log in to the Zscaler service and do the following:

  1. Go to Administration > Settings > Company Profile.
  2. On the Organization tab, verify that the realm name matches one of the domains in the Domains field.

B. Ensure that users are provisioned on the Zscaler service.

You can provision users by importing or manually adding user data to the database, or by synchronizing user data from an AD or LDAP server. Note that sAMAccountName@Windows-Domain is sent as the Kerberos identifier, so you might need to change the user login attribute in your synchronization settings to map to sAMAccountName.

C. Ensure that your outbound firewall allows the necessary connections.

Source: Client Workstation
Destination: Central Authority IP Addresses
Destination Port: TCP 88 or UDP 88. The choice of TCP or UDP is determined by the client. Some clients fall back to the other protocol if either TCP or UDP port 88 is blocked, but this is not guaranteed.
Description: Enables the client to authenticate against the Zscaler Domain KDC.

Source: Client Workstation
Destination: Zscaler Enforcement Node IP Address Ranges
Destination Port: TCP 8800 (the default Kerberos authentication port on ZENs)
Description: Enables the client to send traffic to the global Kerberos authentication port on the ZEN. Not required if Kerberos is enabled on a location: enabling Kerberos on a location automatically enforces Kerberos authentication, so you can send traffic to the default proxy ports, such as port 80.

NOTE:

To view the Zscaler Central Authority and ZEN IP addresses, log in to the Zscaler service and go to Help > Cloud Configuration Requirements.

D. Configure Kerberos on the Zscaler service.

Enable Kerberos as an authentication mechanism to generate the domain trust password that is used to establish the trust relationship between the Zscaler domain and your organization's domain. This password is required when you configure the trust relationship.

Log in to the Zscaler service and do the following:

  1. Go to Administration > Authentication > Authentication Settings.
  2. From the Authentication Profile tab, select Enable Kerberos.
  3. Click Save.
  4. Click Generate New Password.
  5. When the confirmation dialog appears, click OK.

    The password appears obfuscated.
  6. Click Reveal Password.
  7. Copy the password. You will need it when you establish the cross-realm trust.
  8. Click Conceal Password.
  9. Click Activate.

E. Optionally, enable Kerberos on the location.

Perform this task only if you want the service to enforce Kerberos authentication on all web traffic explicitly forwarded from the location and its associated dedicated ports. Skip this step if you want to use Kerberos for specific users and another authentication mechanism for all other users in the location.

To enforce Kerberos authentication for all users in a location:

  1. Go to Administration > Resources > Locations.
  2. Edit the location.
  3. In the Gateway Options section, select Enforce Authentication.
  4. When Enable Kerberos Authentication appears, select it.
  5. Click Save and activate the change.

F. Configure the trust relationship on the organization's server.

See the following configuration examples:

G. Configure your users' browsers to use PAC files to forward traffic to the Zscaler service.

To use Kerberos as an authentication mechanism, your organization's users must configure their browsers to use PAC files to forward their traffic to the Zscaler service, even if their location has established an IPsec or VPN tunnel to forward traffic to the service.

For more information about the Zscaler default PAC file for Kerberos, see How do I use the Zscaler Kerberos default PAC file?
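The following is an added example of a minimal PAC file that forwards browser traffic to the ZEN's Kerberos authentication port. It is not the Zscaler default Kerberos PAC file and not Zscaler's code; the gateway hostname zen-gateway.example.invalid and the bypass rules for plain hostnames and private IPv4 ranges are assumptions for illustration. Port 8800 is the default Kerberos authentication port on ZENs described in step C.

```javascript
// Added example PAC file (not Zscaler's default Kerberos PAC).
// Assumed values: ZEN_HOST is a placeholder to replace with your gateway name;
// the DIRECT bypass rules below are an illustrative policy, not a Zscaler default.
var ZEN_HOST = "zen-gateway.example.invalid"; // placeholder, not a real host
var KERBEROS_PORT = 8800;                     // default Kerberos auth port on ZENs

// Helpers written in plain JavaScript (no PAC-engine builtins) so the file
// behaves the same in a browser PAC engine and when run stand-alone for testing.
function isPlainHost(host) {
  // A hostname with no dots, e.g. "intranet", is treated as local.
  return host.indexOf(".") === -1;
}

function isPrivateIPv4(host) {
  // Matches RFC 1918 ranges and loopback; anything else is sent to the ZEN.
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) {
    return false;
  }
  var a = parseInt(m[1], 10);
  var b = parseInt(m[2], 10);
  return a === 10 ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) ||
    a === 127;
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // Keep intranet and private-network traffic off the proxy (assumed policy).
  if (isPlainHost(host) || isPrivateIPv4(host)) {
    return "DIRECT";
  }

  // Everything else is forwarded to the ZEN's Kerberos authentication port.
  // Deliberately no "; DIRECT" fallback: if the ZEN is unreachable the browser
  // fails closed instead of silently bypassing authentication and inspection.
  return "PROXY " + ZEN_HOST + ":" + KERBEROS_PORT;
}
```

If Kerberos is enforced on the location (step E), the same file can point at a default proxy port such as 80 instead of 8800, as step C notes. Whatever port is used, check the file's bypass rules carefully: every hostname or range that returns DIRECT is traffic that never reaches the Zscaler service and is therefore neither authenticated nor inspected.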