ZPA: ZSATray credential prompt on reauthentication


I am having an issue which is driving me nuts, and I cannot really explain it. I am hoping someone can provide some insight into why this is happening.


  • IDP is ADFS.
  • I am forwarding auth requests to the internal “leg” of the ADFS by having no timeout for the ADFS, so it can always be reached via the tunnel.
  • We have username, password and OTP auth via OpenOTP.
  • When the timeout happens, instead of reaching the usual ADFS username and password, the screen below appears.

I am quite sure that before I was getting the ADFS prompt for the OpenOTP token, but now something has changed (perhaps I changed something on the Zscaler side).

Can you please help me with this strange issue?


My company moved away from ADFS long ago (in favor of PHS) so I don’t have any experience getting ZPA to work with ADFS. However, I believe you would want your IDP traffic for ZPA authentication to work outside the tunnel (external interface) because you need to initially authenticate before the tunnel can be formed. This would probably also prevent the auth negotiation that is causing this Windows security popup to appear, likely due to NTLM.