Sharepoint 401 unauthorize error on Tunnel 2.0

Hi Altab_Khan,
have you solved this?
Now, we have the same issue.
Best regards

One of my user is working from home and trying to access internal SharePoint but getting “401 unauthorizes” error in Internet explorer 11 & EDGE(works in chrome).
From office user is able to access SharePoint properly(traffic is going through GRE tunnel 1.0).
when user work from home facing issue the issue if ZIA is turnoff then he can access SharePoint.
traffic is going through ZPA tunnel 2.0.
Kindly help me what to do?
Thank you

what I have found in Internet:

Security Zones in Edge – text/plain (

As it has some quite interesting findings:

Chromium goes further and favors making decisions based on explicitly-configured site lists and/or command-line arguments.

Nevertheless, in the interest of expediency, Chromium today uses Windows’ Security Zones by default in two places:

When deciding how to handle File Downloads, and

When deciding whether or not to release Windows Integrated Authentication (Kerberos/NTLM) credentials automatically.

as well as:

and if a Proxy Configuration script was used, any sites configured to bypass the proxy would be mapped to the Intranet Zone.

This we do in Tunnel 1 FW Profile: Internal IPs have return Direct, which is a bypass

In Tunnel 2 FW Profile we have instead a return “PROXY ${ZAPP_TUNNEL2_BYPASS}”;

From a browser perspective, this is not a bypass.

Besides “return Direct” it seems that URLs can be configured in Chromium Browsers, but I did not find a detailed description, except:
By default, Microsoft Edge evaluates URLACTION_CREDENTIALS_USE to decide whether Windows Integrated Authentication is used automatically, or if the user will see a manual authentication prompt. Configuring the AuthServerAllowlist site list policy will prevent Zone Policy from being consulted.
Also I do not know, if this still can be manually configured on the client or only by GPO.

BTW: Zscaler TAM suggested to use some features availabe in ZCC +3.8. Maybe this helps, I am waiting for feedback.

Best regards

Test showed that activating these settings in the forwarding profile (Off-trusted, VPN trusted):

and then not longer use “return “PROXY ${ZAPP_TUNNEL2_BYPASS}”;” but “return “DIRECT”;”
solved our issue.
Since the PAC file of the forwarding profile only contained return “DIRECT”;, we removed it completely. Now we have to maintain only one pac and the performance should be better some ns since the browser does not longer need to evaluate the forwarding profile pac file. :star_struck:

BTW: I am not so sure, if this create security issues. “DIRECT” will advise the Browser to “release Windows Integrated Authentication (Kerberos/NTLM) credentials automatically.” While in explicit proxy mode for internet traffic the browser will not release credentials.

Best regards

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.