I’m trying to get web sign-in working on the Windows 11 pre-login screen while using ZCC with strict enforcement enabled. When ZCC is turned off and the executable itself isn’t running, web sign-in works perfectly fine. But when it’s on, it’ll say something along the lines of, “something went wrong, please wait a bit and try again” when I try to launch the sign-in window.
I’ve troubleshot with their support for weeks, adding tons of Microsoft-related URLs into the PAC file to return direct, all without success.
I’m curious if anyone else has gone down the same path and could share their expertise. Thanks!
Does it work without strict enforcement? (Just as a baseline)
By enabling Machine Tunnels and setting up the appropriate App Segments I have gotten it to work with traditional AD, but for Entra ID-joined machines you would have to have the IdP bypassed as a “VPN”, or I suppose you could do an App Segment for that as well.
That was it! I added login.microsoftonline.com to the gateway VPN field and it worked.
Thank you!
Just tested; web sign-in works normally when not using strict enforcement.
Wouldn’t this approach break the Tenant Restrictions feature in ZIA, assuming it’s in use? I would have thought bypassing the MS login URL via the Host Gateway VPN would prevent all inspection and thus break Tenant Restrictions.
Grab those logs and compare to one with strict enforcement on. Something must not be getting through or being ssl inspected that shouldn’t be. What’s the IDP?
I sifted through the logs and added a bunch of broad wildcard domains like *.microsoft.com and *.live.com to my PAC file. Sometimes the page will load but it never completes the authentication.
I’m using Entra.
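Added example, not from anyone in the thread: a small offline evaluator for the PAC helper functions (`shExpMatch`, `dnsDomainIs`) that checks which hostnames a set of "return DIRECT" rules actually covers, comparing the broad wildcards mentioned above with an explicit rule for the login host that ended up in the VPN gateway bypass. The proxy string and the sample hostname list are constructed for the example; anything returned as DIRECT leaves the inspection path, which is the Tenant Restrictions concern raised earlier.

```javascript
// Placeholder fallback proxy string; not a real Zscaler gateway address.
const PROXY_FALLBACK = "PROXY zscaler-gateway.example:80";

// PAC built-in (Mozilla reference semantics): true when `domain` is a suffix of
// `host`. Note the quirk: without a leading dot, "microsoftonline.com" would also
// match "notmicrosoftonline.com", so patterns are written with a leading dot.
function dnsDomainIs(host, domain) {
  return host.length >= domain.length && host.slice(host.length - domain.length) === domain;
}

// PAC built-in: shell-style glob where `*` matches any run and `?` one character.
function shExpMatch(str, shexp) {
  const re = "^" + shexp
    .replace(/[.+^${}()|[\]\\]/g, "\\$&") // escape regex metacharacters, keep * and ?
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".") + "$";
  return new RegExp(re, "i").test(str);
}

// Rule set A: the broad wildcards tried in the thread.
const BROAD_WILDCARDS = ["*.microsoft.com", "*.live.com"];
// Rule set B: the identity host that was finally bypassed, as a dot-anchored domain.
const IDP_DOMAINS = [".microsoftonline.com"];

// Builds a FindProxyForURL that returns DIRECT for the given rules, else the proxy.
function makeFindProxyForURL(wildcards, domains) {
  return function FindProxyForURL(url, host) {
    host = host.toLowerCase();
    for (const d of domains) if (dnsDomainIs(host, d)) return "DIRECT";
    for (const w of wildcards) if (shExpMatch(host, w)) return "DIRECT";
    return PROXY_FALLBACK;
  };
}

// Constructed sample hosts: the login host from the thread plus a few comparisons.
const SAMPLE_HOSTS = ["login.microsoftonline.com", "login.live.com", "www.microsoft.com", "intranet.example"];

// Returns {host: true} for every sample host a given PAC sends DIRECT (uninspected).
function directCoverage(pac) {
  const out = {};
  for (const h of SAMPLE_HOSTS) out[h] = pac("https://" + h + "/", h) === "DIRECT";
  return out;
}

// Compare what the broad wildcards alone cover against wildcards plus the IdP rule.
console.log("broad wildcards only:", directCoverage(makeFindProxyForURL(BROAD_WILDCARDS, [])));
console.log("plus IdP domain:     ", directCoverage(makeFindProxyForURL(BROAD_WILDCARDS, IDP_DOMAINS)));
```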