Troubleshooting Kerberos

Kerberos authentication can be affected by some network configuration parameters, such as time synchronization. This article provides instructions for troubleshooting Kerberos on your domain controller and on your users' devices.

There are four major components involved with Kerberos authentication.

  • Your Zscaler cloud, which includes the Kerberos server (KDC), the Zscaler Central Authority (CA), and the Zscaler Enforcement Node (ZEN).
  • Your domain controller, which includes a KDC configured to do cross-real authentication.
  • Your users' devices, which are joined to your domain and have obtained cross-real settings from the domain controller through GPO.
  • A network infrastructure which connects all three of the above components, and includes switches, routers, firewalls, etc.

For more background information about using Kerberos for your organization, see About Kerberos Authentication.

Zscaler recommends that you first troubleshoot Kerberos on your domain controller.

Troubleshooting on Your Domain Controller

Before troubleshooting, ensure that the administrator has been provisioned on the Zscaler service as a user, so that Kerberos authentication does not fail.

To troubleshoot on your domain controller, do the following:

  1. Log in to your domain controller.
  2. Ensure that your domain controller has the correct time and date, because the Kerberos protocol uses timestamps. If the time and date settings on your domain controller differ from the Zscaler KDC by more than five minutes, authentication will fail.
  3. Configure the browser to use Zscaler cloud on port 8800, the default Kerberos authentication port on ZENs. Internet Explorer and Mozilla Firefox browsers support Kerberos authentication by default.
  4. Open https://www.zscaler.com/.
    If the page is rendered properly, then the cross-realm settings are configured properly, and you can skip the next step and go to step 6.
  5. If the cross-realm settings are configured incorrectly, then the ZEN displays a page with an error code.
    For more information about the error codes, see ZEN Error Codes for Kerberos.
  1. Open Microsoft PowerShell and run the command klist purge to clear the Kerberos ticket cache.

After clearing the Kerberos ticket cache, open https://www.zscaler.com/.
Then, in PowerShell, run the command klist  

If the following three Kerberos ticket-granting tickets (krbtgt) are not displayed when you run klist, then there is an issue with the server of that ticket.  

  • Zscaler KDC krbtgt ticket: The user device obtains this ticket from your organization's domain controller. This ticket grants access to the Zscaler KDC. If this ticket is not displayed, then the configuration on your KDC may be incorrect. Please configure your KDC again.
  • Your company's KDC krbtgt ticket: The user device obtains this ticket from your organization's domain controller. This ticket grants access to that domain controller. If this ticket is not displayed, then your company's internal KDC is not issuing Zscaler KDC tickets. Please contact your company's IT support.
  • ZEN krbtgt ticket: The user device obtains this ticket from the Zscaler KDC. This ticket grants access to the ZEN. If this ticket is not displayed, then the ZEN is not issuing tickets. Please contact Zscaler Support.
  1. In Windows PowerShell, run the command nltest /domain_trusts
    The Zscaler domain must be in the domain trusts list as an inbound trust.
    • NOTE: Your Zscaler domain name is the same as your Zscaler cloud name. In this example, it is ZSCALERTWO.NET. To learn how you can find your cloud name, see What is my cloud name?

If you do not see the Zscaler domain in the domain trusts list, you must add it as a trusted domain. See A. Create the New Trust in Kerberos Configuration Example: Trust Relationship on Windows Server 2012 and GPO Push.

  1. If the Zscaler KDC domain is registered correctly, you can ping kerberos.<your_cloud_name> in Windows PowerShell.
    The IP address displayed must be the Zscaler CA's IP address.

If the Zscaler KDC domain has been configured incorrectly, reconfigure the KDC. For instructions, see Kerberos Configuration Example: Trust Relationship on Windows Server 2012 and GPO Push.

  1. To check cross-realm configuration, do the following:
    1. Log in to the Windows server as administrator. Open the Server Manager and go to DNS. From the Tools menu, choose Active Directory Domains and Trusts.
    2. Right-click on your domain and select Properties. In the Properties window, go to the Trusts tab.
    3. Select the Zscaler domain, and then click Properties.
      See image.
      • NOTE: If the Zscaler domain is not displayed, you must add the Zscaler domain as a trusted domain. See A. Create the New Trust in Kerberos Configuration Example: Trust Relationship on Windows Server 2012 and GPO Push.
    4. Ensure that the option The other domain support Kerberos AES Encryption is enabled.
      See image.
    5. Note that there is no way to check the cross-realm password of an added trust. You must delete the domain trust and re-add the trust with the correct password.

Step 9 Image 1

Step 9 Image 1

Step 9 Image 2

Step 9 Image 2
  1. To validate the GPO configuration:
    1. Open Windows PowerShell and enter the following command to list the GPO registry value for the Zscaler KDC:
      get-gpregistryvalue -key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\MitRealms" -name "Default Domain Policy"
    2. Verify the following values:
      • ValueName: <your_cloud_name>
        • In this example, the value is ZSCALERTWO.NET
      • Value: <k>kerberos.<your_cloud_name></k>
        • In this example, the value is <k>kerberos.zscalertwo.net</k>
          See image.
    3. Enter the following command to list the GPO registry value for the Zscaler domain:
      get-gpregistryvalue -key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\domain_realm" -name "Default Domain Policy"
    4. Verify the following values:
      • ValueName: <your_cloud_name>
        • In this example, the value is ZSCALERTWO.NET
      • Value: .<your_cloud_name>; .gateway.<your_cloud_name>
        • In this example, the value is .zscalertwo.net; .gateway.zscalertwo.net
          See image.

GPO Image 1

GPO Image 1

GPO Image 2

GPO Image 2

If the correct values are not displayed, verify your configuration. For instructions, see Kerberos Configuration Example: Trust Relationship on Windows Server 2012 and GPO Push.

Troubleshooting on User Devices

It is possible for Kerberos authentication to work on the domain controller, but to not work on a user's device. In this case, there may be an error with the GPO settings. You must check if GPO settings have been propagated from the domain controller to users. See D. Configure GPO to Push the Configuration to Users in Kerberos Configuration Example: Trust Relationship on Windows Server 2012 and GPO Push.

After configuring GPO to push the cross-realm trust to your users, complete step 6 of this article on your user's device to check for the cached Kerberos tickets. Then, complete the rest of the steps to finish troubleshooting on your user's device.