Technical Tip: Kerberos Authentication session still attached to a Logged-off User in FortiGate
| Description | This article describes why FortiGate keeps the Kerberos authentication session of a logged-off user attached to a newly logged-on user on the same computer. It also shows a possible alternative authentication method. |
| Scope | FortiGate with Kerberos Authentication. |
| Solution | Problem:
When a user logs off and a new user logs on to the same computer, FortiGate still sees Kerberos authentication session traffic coming from the old user.
Solution:
This issue occurs because, once a user authenticates through Kerberos, FortiGate does not revalidate the session and keeps the computer's IP address associated with the old user name. This is expected behavior for Kerberos.
In this case, it is possible to use FSSO instead: install the collector agent on the domain controller and monitor that collector agent from FortiGate. |
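The stale IP-to-user binding described above can be audited by comparing the firewall's authenticated-user list with workstation logon and logoff events. The following is an added example, not Fortinet code: the record layouts, field names and sample values are constructed for illustration and would need to be mapped from whatever export of the authentication list and logon events is available.

```python
from datetime import datetime

# Constructed sample data (not FortiGate output): the firewall's IP-to-user
# bindings and workstation logon/logoff events for the same addresses.
FIREWALL_AUTH = [
    {"ip": "10.0.0.21", "user": "alice", "method": "kerberos"},
    {"ip": "10.0.0.22", "user": "carol", "method": "kerberos"},
    {"ip": "10.0.0.23", "user": "dave", "method": "kerberos"},
]
LOGON_EVENTS = [  # (timestamp, workstation IP, user, action)
    ("2024-05-02T08:00:00", "10.0.0.21", "alice", "logon"),
    ("2024-05-02T12:30:00", "10.0.0.21", "alice", "logoff"),
    ("2024-05-02T12:35:00", "10.0.0.21", "bob", "logon"),
    ("2024-05-02T08:10:00", "10.0.0.22", "carol", "logon"),
    ("2024-05-02T09:00:00", "10.0.0.23", "dave", "logon"),
    ("2024-05-02T17:00:00", "10.0.0.23", "dave", "logoff"),
]

def current_users(events):
    """Replay events in time order; return {ip: user, or None if nobody is logged on}."""
    state = {}
    for ts, ip, user, action in sorted(events, key=lambda e: datetime.fromisoformat(e[0])):
        if action == "logon":
            state[ip] = user
        elif action == "logoff" and state.get(ip) == user:
            state[ip] = None
    return state

def stale_bindings(auth_table, events):
    """Return (ip, bound_user, actual_user) where the binding no longer matches the workstation."""
    now = current_users(events)
    findings = []
    for entry in auth_table:
        if entry["ip"] not in now:
            continue  # no logon data for this address: cannot judge the binding
        actual = now[entry["ip"]]
        if actual != entry["user"]:
            findings.append((entry["ip"], entry["user"], actual))
    return findings

if __name__ == "__main__":
    for ip, bound, actual in stale_bindings(FIREWALL_AUTH, LOGON_EVENTS):
        print(f"{ip}: firewall bound to {bound!r}, workstation user is {actual!r}")
```

A finding where the actual user is a different account means the new user's traffic is being evaluated under the old user's policies and logged under the old user's name.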