Unable to get Kerberos ticket with ZPA

I noticed that certain users are unable to get/fetch Kerberos tickets with ZPA. The Kerberos team states that it might be a DNS issue or a reachability issue. We are sure that there shouldn't be a reachability issue, and other users can get/fetch Kerberos tickets. The issue happens on a certain machine and it's consistent. When we execute "klist get", we get the error below.

Current LogonId is 0:0x969xyz
Error calling API LsaCallAuthenticationPackage (GetTicket substatus): 0x51f
klist failed with 0xc000005e/-1073741730

Did anyone experience a similar issue with ZPA?

Regards
Ganesh Krishnan

Hi Ganesh,

Best practice is to configure your domain controllers into an App Segment and add the ports Microsoft uses to authenticate, such as 88, 389, etc. Ensure there is no reauthentication timeout on the Access Policy.

Yes, we have created an individual App Segment for the domain controller and allowed the necessary ports. We have multiple applications that authenticate using the domain controller. The issue we notice is something specific to getting a Kerberos ticket. The error is very generic, stating "machine has to be part of Domain".

The Kerberos team suspects that the machine has some issue related to DNS. As per them, the machine will use the DNS server to find SITES and the Kerberos server in that SITE. If it cannot get a response, then it fails to identify the domain.

Regards
Ganesh Krishnan

Krishnan,

Kerberos will require SRV records to be received by the user's device. With ZPA, this translates to a wildcard domain on any port. Can you check 1) if such a domain is configured and 2) whether SRV records are coming back to the user's device.
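An added diagnostic for the second check above (example code, not from this thread or from Zscaler): it enumerates the DC-locator SRV names a domain-joined Windows client queries, including the site-scoped ones the Kerberos team mentioned, resolves each through the client's configured DNS, and then asks the DC locator itself for a KDC. It assumes it is run on the affected machine, that `corp.example.com` is replaced with the real AD domain, and that `nltest` and `Resolve-DnsName` are available (Windows 8 / Server 2012 or later).

```powershell
# Added example, not part of the original thread.
# Lists the DC-locator SRV records a domain-joined client needs and reports which
# ones do not come back. A MISSING row is what the ZPA wildcard domain / app
# segment must be returning for Kerberos to locate a KDC.
param(
    [string]$Domain = 'corp.example.com'   # placeholder, replace with your AD domain
)

function Get-DcLocatorSrvNames {
    param([string]$Domain, [string]$Site)
    # Domain-wide records every client asks for, then the site-scoped variants
    $names = @(
        "_ldap._tcp.dc._msdcs.$Domain",
        "_kerberos._tcp.dc._msdcs.$Domain",
        "_kerberos._tcp.$Domain",
        "_kerberos._udp.$Domain",
        "_kpasswd._tcp.$Domain",
        "_ldap._tcp.$Domain"
    )
    if ($Site) {
        $names += "_ldap._tcp.$Site._sites.dc._msdcs.$Domain"
        $names += "_kerberos._tcp.$Site._sites.dc._msdcs.$Domain"
    }
    return $names
}

# The client's own view of its AD site (first output line of nltest /dsgetsite);
# this is the site the DC locator uses when it builds the site-scoped queries.
$siteLine = nltest /dsgetsite 2>$null | Select-Object -First 1
$site = if ($LASTEXITCODE -eq 0 -and $siteLine) { $siteLine.Trim() } else { $null }

$results = foreach ($name in Get-DcLocatorSrvNames -Domain $Domain -Site $site) {
    try {
        $rr = Resolve-DnsName -Name $name -Type SRV -ErrorAction Stop |
              Where-Object { $_.Type -eq 'SRV' }
        [pscustomobject]@{ Record = $name; Status = 'OK'; Detail = ($rr.NameTarget -join ', ') }
    } catch {
        # No answer through the current resolver path: the record is not reaching the device
        [pscustomobject]@{ Record = $name; Status = 'MISSING'; Detail = $_.Exception.Message }
    }
}
$results | Format-Table -AutoSize

# Cross-check with the DC locator itself; it should return a KDC, ideally in $site
nltest /dsgetdc:$Domain /kdc /force
```

Compare the output on a working machine with the affected one; a record that is OK on one and MISSING on the other points at the DNS path rather than at Kerberos itself.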