To use Kerberos as an authentication mechanism, your organization must do the following:

  • Provision users on the Zscaler service. Kerberos is an authentication mechanism. It is not a provisioning method, like SAML or LDAP synchronization. Users must be provisioned on the Zscaler service before they can use Kerberos for authentication. (For supported provisioning methods, see Choosing Provisioning and Authentication Methods.)
  • Use a PAC file to forward traffic to the Zscaler service. The service supports Kerberos authentication only for traffic forwarded in explicit mode. It does not support Kerberos for traffic forwarded in transparent mode; that is, traffic forwarded through a GRE or IPsec tunnel and the browser is not configured to use a PAC file to forward traffic. (See How do I use the Zscaler Kerberos default PAC file?)
  • Ensure that the DNS server on site can resolve the Zscaler service host names (Zscaler PAC servers; Central Authority, which hosts the Zscaler Key Distribution Center (KDC); and ZENs). If this is not possible from the location, then your organization must conditionally forward Zscaler cloud domain resolution to the Zscaler DNS servers.
  • Ensure that your firewall allows connections to port 88/8800 in order to allow Kerberos authentication to work.
  • Ensure that the domain suffix of either the client or server, in the Kerberos ticket obtained from your organization's domain controller, is a registered domain in the Zscaler account. In the example below, the domain suffix is SAFEMARCH.COM.
    • To see the Kerberos tickets, open Windows PowerShell and run the command klist, as shown in the image below.

Additionally, the following are required in a Windows environment:

  • A domain controller that runs Windows Server 2008 or higher
  • Client devices must run Windows Vista or higher
  • Client devices must be joined to the domain


Before deploying Kerberos, see Kerberos Deployment Guidelines.

For step-by-step instructions for deploying Kerberos, see How do I deploy Kerberos?