Kerberos authentication behind Zscaler: How to prevent inspection from breaking tickets

This is the story many teams face when trying to get Kerberos to work behind Zscaler’s cloud security platform. Kerberos uses tickets. Zscaler uses inspection. The two clash unless you understand where inspection sits in the authentication path and configure the proxy to stay out of it.

Kerberos Zscaler integration starts with knowing that Kerberos is built to detect tampering: tickets and authenticators are encrypted and integrity-protected, and on Windows, channel binding (Extended Protection for Authentication) ties a Negotiate exchange to the TLS certificate the client saw. Raw Kerberos on port 88 is not TLS, so SSL inspection never modifies it; what breaks it is a tunnel or proxy that routes it away from the domain controller or drops it. Kerberos carried inside HTTPS (SPNEGO/Negotiate) is different: when Zscaler terminates TLS and re-signs with its own certificate, the channel binding token no longer matches the real server certificate, and a service that requires EPA rejects an otherwise valid ticket. That is why bypass rules matter. In Zscaler, exempt your domain controllers and Kerberos-authenticated internal services from SSL inspection, and keep traffic to the domain controllers out of the proxy path altogether. Confirm the ports and protocols: Kerberos runs on TCP and UDP port 88, and password changes (kpasswd) use TCP and UDP port 464.

Check DNS resolution. Kerberos depends on precise hostnames in SPNs (Service Principal Names): the client builds the SPN from the hostname it connects to, so the name in the URL must belong to the account that holds that SPN, and the KDC SRV records (_kerberos._tcp.<domain>) must resolve through internal DNS. If requests for internal names are sent to the proxy, they are resolved (or fail to resolve) from the cloud, and the client can end up talking to a different host than the one the ticket was issued for. Use Zscaler’s PAC files or Client Connector forwarding rules to return DIRECT for internal domains and domain controllers so authentication never transits the proxy. Avoid hostname rewriting or unexpected IP rewriting anywhere in the Kerberos flow.
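The bypass described above, as an added example rather than Zscaler’s own PAC: a PAC file that returns DIRECT for the domain controllers and the Active Directory DNS zone and sends everything else to the proxy. The zone name corp.example, the domain controller names, and the ${GATEWAY}/${SECONDARY_GATEWAY} placeholders (assumed to be substituted by the PAC host) are illustrative; the two helper functions are minimal stand-ins for the standard PAC helpers so the file can be exercised outside a browser.

```javascript
// Added example (not Zscaler's PAC): keep Kerberos-authenticated traffic
// DIRECT, send everything else to the proxy.
// Assumptions for illustration: the AD DNS zone is corp.example, the domain
// controllers are dc01/dc02.corp.example, and ${GATEWAY}/${SECONDARY_GATEWAY}
// are placeholders the PAC host substitutes with real proxy addresses.

// Minimal versions of two standard PAC helpers, so this file can be run with
// node for testing (browsers supply their own implementations).
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.substring(host.length - domain.length) === domain;
}

var INTERNAL_ZONES = [".corp.example", ".internal.example"];   // assumed
var DOMAIN_CONTROLLERS = ["dc01.corp.example", "dc02.corp.example"]; // assumed
var ZSCALER = "PROXY ${GATEWAY}:80; PROXY ${SECONDARY_GATEWAY}:80";

function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // Single-label names (http://intranet/) are internal by definition.
  if (isPlainHostName(host)) {
    return "DIRECT";
  }

  // Domain controllers / KDCs never go through the proxy, on any port.
  for (var i = 0; i < DOMAIN_CONTROLLERS.length; i++) {
    if (host === DOMAIN_CONTROLLERS[i]) {
      return "DIRECT";
    }
  }

  // The AD zone (apex and everything below it) stays direct so the SPN the
  // client builds from the URL host matches the service, and so Negotiate
  // over HTTPS is not TLS-terminated by the proxy (channel binding would
  // fail). dnsDomainIs() is a suffix match, so the leading dot in the zone
  // name stops "evilcorp.example" from matching ".corp.example".
  for (var j = 0; j < INTERNAL_ZONES.length; j++) {
    var zone = INTERNAL_ZONES[j];
    if (host === zone.substring(1) || dnsDomainIs(host, zone)) {
      return "DIRECT";
    }
  }

  // Everything else goes to Zscaler. No trailing "; DIRECT" fallback: that
  // would fail open if both gateways were unreachable.
  return ZSCALER;
}
```

A PAC only steers browser and PAC-aware application traffic; when Zscaler Client Connector tunnels traffic instead, the same domain controllers and zones need a matching bypass in the forwarding configuration, or the port-88 exchange still ends up inside the tunnel.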

Validate time sync. Clock drift does not make tickets expire faster; the KDC and the service simply reject any request whose timestamp falls outside the allowed skew (five minutes by default in Active Directory) with KRB_AP_ERR_SKEW. Zscaler’s processing doesn’t cause clock issues; it only exposes ones that were already there, for example on a laptop that can no longer reach a domain controller to sync from. Keep NTP sources aligned across endpoints, domain controllers and servers.

Test with packet captures taken before and after routing through Zscaler. This shows whether the KDC exchange completes, whether tickets arrive intact, and where inspection occurs. Deploy changes incrementally and verify that the bypass rules are applied correctly. Kerberos Zscaler troubleshooting is simpler when you isolate each layer: authentication, routing, inspection, and policy enforcement.
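One way to do that isolation over the two captures, as an added example that is not part of the original page: a small triage script that reads Kerberos frames exported with tshark (assumed format: tab-separated `-T fields` output for ip.src, ip.dst, krb5.msg_type and krb5.error_code) and attributes each symptom to a layer. The domain controller addresses and the three sample captures are constructed for illustration.

```javascript
// Added example (not from the original page): triage a Kerberos capture by
// layer. Assumed input: tshark -r cap.pcapng -Y krb5 -T fields -e ip.src
//   -e ip.dst -e krb5.msg_type -e krb5.error_code   (tab-separated)
// Addresses and sample captures below are constructed for illustration.

var KDCS = ["10.0.1.5", "10.0.1.6"];   // assumed domain controllers

// Kerberos message types (RFC 4120) and the error codes worth isolating.
var MSG = { AS_REQ: 10, AS_REP: 11, TGS_REQ: 12, TGS_REP: 13, KRB_ERROR: 30 };
var ERROR_LAYER = {
  6:  ["authentication", "KDC_ERR_C_PRINCIPAL_UNKNOWN: client principal not found"],
  7:  ["dns/spn", "KDC_ERR_S_PRINCIPAL_UNKNOWN: no account holds the requested SPN; check the hostname the client used"],
  14: ["policy", "KDC_ERR_ETYPE_NOSUPP: encryption type disabled by policy"],
  24: ["authentication", "KDC_ERR_PREAUTH_FAILED: wrong password or key"],
  31: ["inspection", "KRB_AP_ERR_BAD_INTEGRITY: ticket or authenticator failed its integrity check"],
  37: ["time", "KRB_AP_ERR_SKEW: clock skew exceeds the KDC limit"],
  41: ["inspection", "KRB_AP_ERR_MODIFIED: message altered in transit"]
};
// KDC_ERR_PREAUTH_REQUIRED is a normal step of the AS exchange, not a fault.
var BENIGN = { 25: true };

function parseCapture(text) {
  return text.split("\n")
    .filter(function (l) { return l.trim() !== ""; })
    .map(function (line) {
      var f = line.split("\t");
      return { src: f[0], dst: f[1], type: parseInt(f[2], 10),
               code: f[3] ? parseInt(f[3], 10) : null };
    });
}

// Returns counts plus a list of {layer, detail} findings and the unique layers.
function triage(text) {
  var findings = [], requests = 0, replies = 0, errors = 0;
  parseCapture(text).forEach(function (p) {
    if (p.type === MSG.AS_REQ || p.type === MSG.TGS_REQ) {
      requests++;
      if (KDCS.indexOf(p.dst) === -1) {   // request left for somewhere that is not a DC
        findings.push({ layer: "routing", detail: "KDC request sent to " + p.dst +
                        ", which is not a domain controller (tunnelled or proxied)" });
      }
    } else if (p.type === MSG.AS_REP || p.type === MSG.TGS_REP) {
      replies++;
    } else if (p.type === MSG.KRB_ERROR && p.code !== null) {
      errors++;
      if (!BENIGN[p.code]) {
        var m = ERROR_LAYER[p.code];
        findings.push(m ? { layer: m[0], detail: m[1] }
                        : { layer: "unknown", detail: "KRB-ERROR code " + p.code });
      }
    }
  });
  // Requests with neither a reply nor an error: the KDC never saw them.
  if (requests > 0 && replies === 0 && errors === 0) {
    findings.push({ layer: "routing", detail: "requests sent but no KDC answer (blocked or tunnelled away)" });
  }
  var layers = findings.map(function (f) { return f.layer; })
    .filter(function (l, i, a) { return a.indexOf(l) === i; }).sort();
  return { requests: requests, replies: replies, findings: findings, layers: layers };
}

// Constructed samples: a healthy direct exchange, the same client once its
// port-88 traffic is tunnelled to the proxy, and a skewed clock.
var CAPTURE_DIRECT = [
  "10.0.0.15\t10.0.1.5\t10\t",  "10.0.1.5\t10.0.0.15\t30\t25",
  "10.0.0.15\t10.0.1.5\t10\t",  "10.0.1.5\t10.0.0.15\t11\t",
  "10.0.0.15\t10.0.1.5\t12\t",  "10.0.1.5\t10.0.0.15\t13\t"
].join("\n");
var CAPTURE_VIA_PROXY = [
  "10.0.0.15\t203.0.113.10\t10\t", "10.0.0.15\t203.0.113.10\t10\t"
].join("\n");
var CAPTURE_SKEW = [
  "10.0.0.15\t10.0.1.5\t10\t", "10.0.1.5\t10.0.0.15\t30\t37"
].join("\n");

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(triage(CAPTURE_VIA_PROXY).findings, null, 2));
}
```

Run the healthy capture first to confirm the script reports no layers, then the post-change capture; a "routing" finding means the bypass is not taking effect, an "inspection" finding means something between client and service is rewriting the exchange, and a "time" finding sends you to NTP rather than to the proxy configuration.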

When Kerberos and Zscaler work together, authentication is fast, secure, and stable. The friction comes from security inspection intersecting with an authentication protocol that was designed to detect exactly that kind of modification. Manage that boundary, and the system will hold.

See how to design, test, and validate secure integrations like Kerberos Zscaler without the usual overhead. Build and run it live in minutes at hoop.dev.