Just thought I’d share some learnings from a recent POC deployment we’ve done for a customer when running Kerberos Auth with a vZEN. I know that the Product Manager for this area is getting the documentation updated, but just in case someone else runs across the same issue, I figured I would share our learnings.
- You need to request that support enables Kerberos Authentication for vZENs in the backend via ZADMIN. The fastest way to find out if the appropriate setting is enabled is to run “sudo vzen troubleshoot netstat” from the command line, and check to see that the vZEN is listening on “*.8800”.
This is required so that:
- The vZEN will listen on port 8800
- So that the vZEN will enable SPNEGO auth (kerberos authentication)
- Zscaler publish the vZEN FQDN publicly in DNS (details @https://help.zscaler.com/zia/deploying-kerberos-vzens)
Normal authentication bypasses won’t work when explicitly proxying to port 8800. These either need to be bypassed in Administration->Cloud Configuration->Kerberos Authentication Exemption, or proxied on a standard port to the vZEN via a PAC file.
IP.ZSCALER.COM won’t show up any authentication details for users accessing it with Kerberos. This is because it relies on Cookie based authentication to provide the login info. Also, when using a vZEN, IP will tell you that you are going direct to the service, as the vZEN does not include an XFF header, to prevent leakage of your internal IPs. If in doubt, contact support, or use “sudo vzen troubleshoot netstat” from the CLI to verify that you’re seeing traffic connect.
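As an added illustration of the PAC-file option above (this is example code, not from the original post or from Zscaler): destinations that cannot complete Kerberos are sent to the vZEN on a standard proxy port, and everything else is explicitly proxied to port 8800 for SPNEGO. The vZEN FQDN, the standard port 9400 and the bypass host list are assumptions/placeholders; substitute your own published FQDN and bypass entries.

```javascript
// Added example, not from the original post: PAC logic that keeps the
// authentication-bypass destinations off the Kerberos (8800) listener.
// ASSUMPTIONS: VZEN_FQDN is a placeholder for the FQDN Zscaler publishes for
// your vZEN; STANDARD_PORT 9400 is assumed to be the non-Kerberos proxy port.
var VZEN_FQDN = "vzen.example.com";   // placeholder, not a real vZEN
var KERBEROS_PORT = 8800;             // from the post: SPNEGO/Kerberos listener
var STANDARD_PORT = 9400;             // assumed standard proxy port

// Constructed sample list of hosts that cannot do Kerberos; replace with the
// entries from your own authentication-bypass list.
var AUTH_BYPASS = ["*.updates.example.net", "ocsp.example.org", "*.saas.example.com"];

// Minimal stand-ins for two PAC helper functions so this file also runs under
// Node.js; a browser's PAC runtime supplies the real isPlainHostName/shExpMatch.
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function shExpMatch(str, shexp) {
  var re = "^" + shexp.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                      .replace(/\*/g, ".*").replace(/\?/g, ".") + "$";
  return new RegExp(re, "i").test(str);
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Single-label (intranet) hosts and the internal domain never go to the cloud.
  if (isPlainHostName(host) || shExpMatch(host, "*.corp.example")) {
    return "DIRECT";
  }
  // Non-Kerberos destinations: proxy via the vZEN on the standard port so the
  // ordinary authentication bypass applies instead of a forced SPNEGO challenge.
  for (var i = 0; i < AUTH_BYPASS.length; i++) {
    if (shExpMatch(host, AUTH_BYPASS[i])) {
      return "PROXY " + VZEN_FQDN + ":" + STANDARD_PORT;
    }
  }
  // Everything else: explicit proxy to port 8800 for Kerberos authentication.
  // No "; DIRECT" fallback, so a vZEN outage does not silently fail open.
  return "PROXY " + VZEN_FQDN + ":" + KERBEROS_PORT;
}
```

Deploy the PAC alongside the Kerberos Authentication Exemption list rather than instead of it, and confirm with “sudo vzen troubleshoot netstat” that both listeners see client connections.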