The workstation needs to ascertain which domain controller(s) it should connect to for authentication and how to retrieve it’s Group Policy. However there is a deeper process for resolving the Active Directory Domain Controllers.ĭomain Controller Enumeration & Group PolicyĪ workstation is domain joined, and therefore exists in an Active Directory domain (e.g.
In steps 3 & 4 the client requests/receives the TGT from the Domain Controller, and subsequently requests/receives service tickets and TGT for the cross-realm. This would also cover *. and *. as well as *. since the wildcard includes two subdomains resolution. In the example above, Zscaler Private Access could simply be configured with two application segments It’s also clear from the above that it’s important for all domains to be resolvable across trusts for Kerberos Authentication to function. As a best practice, using A Records rather than CNAME records (aliases) is best for Kerberos authentication. Additional issues may occur regardless of ZPA, such as Kerberos ticket size, and SID complications for cross-domain authentication. Problems occur with Kerberos authentication if there are issues with NTP (Time), DNS (Domain Name Services resolution) and trust relationships which should be considered with Zscaler Private Access. There may be many variations on this depending on the trust relationships and how applications are resolved. User requests resource sending Service Ticket HTTP/.User receives Service Ticket HTTP/ from.User requests resource (Service Ticket) HTTP/ from DC sending TGT krbtgt//.DC returns unable to issue ticket - directs user to domain and issues “Cross Realm” ticket krbtgt//.User requests resource (Service Ticket) HTTP/ sending TGT from Domain Controller.User receives Kerberos ticket for (Ticket Granting Ticket –krbtgt//).User connects to Domain Controller (TCP/88).challenges for Kerberos authentication (401 Authenticate-Negotiate).Ĭonsider the process for a user in domain to access a resource in :. A user account in would have the format, and similarly a user account in would have the format. There is an Active Directory Trust between and, which creates an Active Directory Forest.Īny client within the forest should be able to DNS resolve any object within the forest, and should be able to connect to them. There is a separate Active Directory Domain which has a child domain. In this diagram there is an Active Directory domain, with child domains (sub domains) europe and asia, which form and. A good reference guide is available from Microsoft ( How trusts work for Azure AD Domain Services | Microsoft Docs), and we’ll use this to describe Forests and Trusts. Since Active Directory is based on DNS and LDAP, it’s important to understand the namespace. The structure and schema for Active Directory is irrelevant for the functioning of Zscaler Private Access, however it is important to understand it to ensure Application Segmentation functions correctly. The security overlay could be a simple password, NTLM Authentication Blob, Kerberos authentication token, or Client Certificate, where these credentials are stored securely in the user object in Active Directory. It is a tree structure exposed via LDAP and DNS, with a security overlay. It can be utilised as a data structure to store configuration data for Active Directory objects and applications such as SCCM. This document is NOT intended to be an exhaustive description of Active Directory, however it will describe the key services, and how Zscaler Private Access functions to utilise them.Īctive Directory is used to manage users, devices, and other objects in an organization.
The document then covers how Zscaler Private Access should be configured to work transparently with it with these Microsoft Services.
This document describes some of the workings of Microsoft Active Directory, Group Policy and SCCM. Even with the migration to Azure Active Directory, companies continue to utilise Active Directory in a Hybrid environment where workstations may be joined solely to AD, or both AD joined and WorkPlace joined to AAD.Ĭompanies deploying Zscaler Private Access should consider the connectivity workstations need to Active Directory to retrieve authentication tokens, connect to file shares, and to receive GPO updates. Microsoft Active Directory is used extensively across global enterprises.