ZPA is capable of working with Active Directory, Kerberos, DNS, SCCM and DFS. When defining Application Segments for Active Directory it is important to consider their implications, because ZPA performs DNS proxy functions and SNATs the connections to the servers. Since a user's application requests may pass through several App Connectors serving the application, the user can appear to be accessing from multiple locations, which affects AD site selection.
Domain Controller Enumeration & Group Policy Requirements
Use dedicated App Connector groups for the Active Directory servers
App Connectors must have connectivity to AD on the following ports and IP addresses:
TCP/88: Kerberos
TCP/464: Kerberos Password Change
TCP/3268: Global Catalog
TCP/3269: Global Catalog SSL (Optional)
TCP/135: MSRPC
TCP/139: Common Internet File System (CIFS) over NetBIOS
TCP/445: CIFS
TCP/49152-65535: High Ports for RPC
UDP/88: Kerberos
UDP/123: NTP
UDP/464: Kerberos Password Change
UDP/389: LDAP
UDP/445: CIFS
Enable "Dynamic Server Discovery" on the server group and assign an App Connector Group that can reach the domain controllers
Define a wildcard application segment, e.g. *.exampleorg.com
Associate the application segment with the AD server group
AD Authentication
For Kerberos authentication to work, the wildcard domain needs to be defined so that lookups are directed to the AD server farm
Required ports to be defined for Kerberos authentication:
TCP/88: Kerberos
TCP/464: Kerberos Password Change
UDP/88: Kerberos
An AD application segment needs to be defined for the configured AD server group
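As an added example (not Zscaler's or this page's own code), the following check takes the TCP and UDP port ranges configured on an Application Segment, assumed here to be comma-separated "port" or "start-end" items as copied from the segment's port fields, and reports which of the ports listed above the segment does not cover, treating TCP/3269 as optional.

```python
# Added example: verify that an Application Segment's port definition covers
# the Active Directory ports listed on this page. Assumes port ranges are given
# as comma-separated "port" or "start-end" items (e.g. "88,135,3268-3269").

# (start, end, purpose) per protocol; the RPC high-port range counts as one requirement.
REQUIRED = {
    "tcp": [(88, 88, "Kerberos"), (464, 464, "Kerberos password change"),
            (3268, 3268, "Global Catalog"), (135, 135, "MSRPC"),
            (139, 139, "CIFS over NetBIOS"), (445, 445, "CIFS"),
            (49152, 65535, "RPC high ports")],
    "udp": [(88, 88, "Kerberos"), (123, 123, "NTP"),
            (464, 464, "Kerberos password change"), (389, 389, "LDAP"),
            (445, 445, "CIFS")],
}
OPTIONAL = {"tcp": [(3269, 3269, "Global Catalog SSL")], "udp": []}


def parse_ranges(spec):
    """'88,135,3268-3269' -> [(88, 88), (135, 135), (3268, 3269)]; rejects bad ports."""
    ranges = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        lo, _, hi = item.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"bad port range {item!r}")
        ranges.append((lo, hi))
    return ranges


def covered(lo, hi, ranges):
    """True if every port in lo..hi lies inside some configured range.
    A required range may be split across several configured ranges, so walk it."""
    p = lo
    while p <= hi:
        for a, b in ranges:
            if a <= p <= b:
                p = b + 1
                break
        else:
            return False
    return True


def missing_ports(tcp_spec, udp_spec, include_optional=False):
    """Return labels such as 'udp/389 (LDAP)' for each requirement the segment misses."""
    configured = {"tcp": parse_ranges(tcp_spec), "udp": parse_ranges(udp_spec)}
    gaps = []
    for proto in ("tcp", "udp"):
        wanted = REQUIRED[proto] + (OPTIONAL[proto] if include_optional else [])
        for lo, hi, why in wanted:
            if not covered(lo, hi, configured[proto]):
                span = f"{lo}" if lo == hi else f"{lo}-{hi}"
                gaps.append(f"{proto}/{span} ({why})")
    return gaps
```

Run `missing_ports` against the segment used for the AD server group before enabling Dynamic Server Discovery; an empty list means every port on the page is covered.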