How do I use the Zscaler Kerberos default PAC file?

All users who leverage Kerberos for authentication must configure their browsers to use PAC files to forward their traffic to the Zscaler service, even if their location has established an IPsec or VPN tunnel to forward traffic to the service.

Before deploying Kerberos, see Kerberos Deployment Guidelines and Kerberos Requirements.

For step-by-step instructions for deploying Kerberos, see How do I deploy Kerberos?

Zscaler provides a default Kerberos PAC file. To view it, log in to the service and do the following:

  1. Go to Administration > Resources > Hosted PAC Files.
  2. Point to the Kerberos PAC file and click the view icon.

The Zscaler Kerberos default PAC file specifies the following:

  • Kerberos requires that the Zscaler Enforcement Nodes (ZENs) be addressed as Fully Qualified Domain Names (FQDNs). To accommodate this requirement, the Kerberos PAC file contains the variables ${GATEWAY_HOST} and ${SECONDARY_GATEWAY_HOST}, which the service substitutes with the domain names of the primary and secondary ZENs.
  • It forwards web traffic to port 8800 of the ZEN. ZENs challenge all traffic they receive on port 8800 for a Negotiate Authentication (Kerberos) ticket for the Zscaler service.
  • It also provides the following guidelines:
    • If your organization has a KDC proxy (with Microsoft DirectAccess) deployed for road warrior access, the KDC proxy traffic is also sent to the ZEN, resulting in authentication failure. Therefore, you must create a new PAC file that includes a line to bypass the KDC proxy (the condition must be parenthesized, as in any JavaScript if statement):
      if (shExpMatch(host, "kdcproxy.domain.com")) return "DIRECT";
    • Do not forward traffic destined for hosts within the Kerberos realm to the Zscaler service, so that the ZEN does not challenge intra-realm traffic. Create a new PAC file that includes a line to bypass your organization's realm.
    • If the location has Kerberos enabled, then traffic can be forwarded to the proxy ports (80, 443, 9400, 9443) or to the dedicated port associated with that location. The service automatically challenges all explicitly forwarded proxy traffic from that location for a Kerberos ticket for the Zscaler domain.
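The following is an added example, not the Zscaler default PAC file itself and not taken from this page: a PAC script written in the shape the guidelines above describe, with the gateway placeholders ${GATEWAY_HOST} and ${SECONDARY_GATEWAY_HOST}, forwarding to port 8800, a KDC proxy bypass, and a realm bypass. The hostnames kdcproxy.example.com and .corp.example.com are constructed for illustration, and the shExpMatch, dnsDomainIs and isPlainHostName functions at the top are local stand-ins for the helpers a browser supplies to every PAC script, included only so the file can be run and checked outside a browser.

```javascript
// Stand-ins for the PAC built-ins that browsers provide (assumption: a browser
// supplies its own implementations; these exist only to run the script in Node).
function shExpMatch(str, shexp) {
  // Turn a shell-style pattern (* and ?) into an anchored regular expression.
  var re = "^" + shexp.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                      .replace(/\*/g, ".*")
                      .replace(/\?/g, ".") + "$";
  return new RegExp(re).test(str);
}
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
         host.substring(host.length - domain.length) === domain;
}
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

// In the hosted file the service substitutes these with the ZEN FQDNs
// (Kerberos requires FQDNs, not IP addresses); here they stay as placeholders.
var GATEWAY_HOST = "${GATEWAY_HOST}";
var SECONDARY_GATEWAY_HOST = "${SECONDARY_GATEWAY_HOST}";

// Constructed names for the example: the KDC proxy used by road warriors and
// the organization's Kerberos realm.
var KDC_PROXY_HOST = "kdcproxy.example.com";
var REALM_DOMAIN = ".corp.example.com";

function FindProxyForURL(url, host) {
  // KDC proxy bypass: if this traffic reached the ZEN it would be challenged
  // for a ticket before the client can obtain one, and authentication fails.
  if (shExpMatch(host, KDC_PROXY_HOST)) {
    return "DIRECT";
  }
  // Realm bypass: intra-realm traffic (and bare intranet hostnames) must not
  // be challenged by the ZEN, so it is sent direct.
  if (isPlainHostName(host) || dnsDomainIs(host, REALM_DOMAIN)) {
    return "DIRECT";
  }
  // Everything else goes to port 8800 of the primary ZEN, where the Negotiate
  // (Kerberos) challenge is issued, with the secondary ZEN as fallback.
  return "PROXY " + GATEWAY_HOST + ":8800; PROXY " + SECONDARY_GATEWAY_HOST + ":8800";
}
```

The returned proxy string deliberately has no trailing "; DIRECT" fallback: with one, a browser that cannot reach either ZEN would silently send web traffic straight to the internet, bypassing the service and its authentication. Whether to accept that trade-off for availability is a policy decision to make explicitly, not something to inherit from a copied example.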

IMPORTANT:

Zscaler strongly recommends that you either use the Zscaler default PAC file for Kerberos or copy and paste it to a new PAC file, and then add any necessary arguments and exceptions.