The resolution of this issue took longer than expected due to sickness and the holiday season. However, we’ve now identified the root cause of an intermittent Kerberos authentication issue in our hybrid environment, which occurs when laptops use Zscaler for network access.
The problem arises during startup when the Zscaler Client Connector (ZCC) is still initializing, and ZPA isn’t fully connected. At this point, the system generates a Kerberos ticket request to the Domain Controller (DC) while mounting network drives. Since there’s no line of sight to the DC yet, the client creates a negative cache for the Kerberos request. This cache prevents subsequent Kerberos requests from succeeding, even after ZPA establishes connectivity, until the cache expires (typically 8-10 minutes).
Solution: Zscaler recently introduced a "Clear Kerberos DC" setting in ZCC version 4.5, which automatically clears the Kerberos cache when ZPA connects. We are currently testing this solution with a selected group of users to ensure it resolves the issue without causing unintended side effects.