WHfB and Zscaler

by Nivi Posted on

In one of our recent projects, we encountered a puzzling challenge that left both Microsoft and our team scratching their heads. Join us as we dive into the specific environment details and unravel the complexities of Windows 11 22H2 Enterprise AAD, Intune management, White Glove Autopilot enrollment, and Windows Hello for Business with Cloud Trust.

Environmental Specifics

  1. Windows 11 22H2 Enterprise AAD joined and fully managed by Intune
  2. Devices enrolled using White Glove / Pre-provisioning Autopilot
  3. Windows Hello for Business configured with Cloud Trust
  4. Zscaler with ZIA and ZPA (Private tunnel with a line of sight to the Domain controllers)
  5. Carve-out project with a greenfield deployment, including migration of Business applications and utilization of Kerberos authentications
  6. Presence of DFS fileservers

The Issue: DFS Access and Authentication Challenges

During our project, we encountered a perplexing issue where users, while logging into their devices with Windows Hello for Business, faced difficulties accessing DFS local shares. They encountered incorrect password prompts, but after approximately 10 minutes, the access would start functioning correctly. This inconsistency affected users randomly.

Troubleshooting Journey

  1. Analyzing TGT Tickets: Upon running the “klist tgt” command, we noticed that no tickets were being generated, which hinted at a potential underlying cause.
  2. Failed Authentication: Local applications immediately after device startup or reboot failed to authenticate. However, after approximately 10 minutes, they began functioning normally.
  3. Zscaler Investigation: Although we suspected Zscaler’s involvement, we couldn’t definitively pinpoint it as the root cause.
  4. A Wild Guess: Considering the symptoms, we speculated that the TGT ticket might be getting corrupted during the issue and reissued after a specific interval, leading us to formulate a testing plan.

To test our thesis after the machine was rebooted or started we ran the below command as administrator:

klist purge_bind

Boom! It started to work.

This means when the client is getting the Kerberos ticket the ZPA is not fast enough to come up resulting in a failed ticket. The machine retries after 10 mins by default and this is set in the registry value of FarKdcTimeout.

After 10 mins when it retries the ZPA is already established and it gets a new ticket and all works.

Resolution

As there was no way to speed up the ZPA connection so we went with a solution of running list purge_bind after 10-sec post-user login as a scheduled task.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Proudly powered by WordPress | Theme: Code Blog by Crimson Themes.