All posts
ConceptsOctober 16, 20251 min read

Kerberos authentication behind Zscaler: How to prevent inspection from breaking tickets

This is the story many teams face when trying to get Kerberos to work behind Zscaler’s cloud security platform. Kerberos uses tickets. Zscaler uses inspection. The two can clash unless you understand how to configure them to trust each other. Kerberos Zscaler integration starts with knowing that Kerberos is sensitive to packet changes. Zscaler’s SSL inspection modifies traffic. If your client or application expects untouched Kerberos tickets, inspection can break authentication. That is why byp

Free White Paper

Service-to-Service Authentication: The Complete Guide

Architecture patterns, implementation strategies, and security best practices. Delivered to your inbox.

Free. No spam. Unsubscribe anytime.
Andrios Robert

This is the story many teams face when trying to get Kerberos to work behind Zscaler’s cloud security platform. Kerberos uses tickets. Zscaler uses inspection. The two can clash unless you understand how to configure them to trust each other.

Kerberos Zscaler integration starts with knowing that Kerberos is sensitive to packet changes. Zscaler’s SSL inspection modifies traffic. If your client or application expects untouched Kerberos tickets, inspection can break authentication. That is why bypass rules matter. In Zscaler, set policy to skip inspection for Kerberos traffic from your domain controllers and key servers. Confirm the ports and protocols: Kerberos runs on TCP and UDP port 88, and can use port 464 for password changes.

Check DNS resolution. Kerberos depends on precise hostnames in SPNs (Service Principal Names). Zscaler may reroute or proxy requests, creating mismatches. Use Zscaler’s PAC files or forwarding rules to keep requests direct when they involve authentication. Avoid hostname tampering or unexpected IP rewriting in the Kerberos flow.

Continue reading? Get the full guide.

Service-to-Service Authentication: Architecture Patterns & Best Practices

Free. No spam. Unsubscribe anytime.

Validate time sync. Kerberos tickets expire fast if clocks drift. Zscaler’s processing doesn’t fix clock issues; it will only expose them if already present. Keep NTP servers aligned across endpoints and servers.

Test with packet captures before and after routing through Zscaler. This shows whether tickets are intact and where inspection occurs. Deploy changes incrementally; verify that the bypass rules are applied correctly. Kerberos Zscaler troubleshooting is simpler when you isolate each layer: authentication, routing, inspection, and policy enforcement.

When Kerberos and Zscaler work together, authentication is fast, secure, and stable. The friction comes from security inspection intersecting with authentication protocols that were never designed for packet modification. Manage that boundary, and the system will hold.

See how to design, test, and validate secure integrations like Kerberos Zscaler without the usual overhead. Build and run it live in minutes at hoop.dev.

Get started

See hoop.dev in action

One gateway for every database, container, and AI agent. Deploy in minutes.

Get a demoMore posts