rbraha
Staff
February 20, 2026

Technical Tip: Machine accounts in Kerberos not counted in licensing

Description

 

This article describes how FortiProxy handles machine accounts during Kerberos authentication and clarifies why these accounts do not impact license seats.

 

Scope

 

FortiProxy.

 

Solution

 

Unlike some products that count unique usernames, FortiProxy licensing is based on active sessions.

 

When checking the Firewall User Session in FortiProxy, machine accounts may be present together with user sessions, but usually do not consume any seats. 

Each purchased seat provides a capacity of 25 concurrent UTM sessions, as outlined in the documentation on FortiProxy license sharing (overview).

 

Machine accounts will typically appear with a $ suffix (if using Windows AD). The $ indicates a machine account authenticated via Kerberos or NTLM.

 

Figure 1. Machine Accounts

 

When a Windows machine authenticates via Kerberos (e.g., NB-002375$), FortiProxy creates a temporary session entry.

 

However, as the "licensed session count 0" line in the debug trace below shows, these accounts do not count against the user quota.

 

user:NS-002375$@forti.lab@172.20.152.1(0x7f4d815e7fd8), upn_domain=, type:SES, vf:0, ref:1, ntlm:0, has_fsae:0 active_auth:1 tp_proxy_auth:0 guest:0 fw:0
user:1(0x7f4d848c06a8), ip:2(0x7f4d7169fe08), scheme=3, auth=no, tfa=no, timeout:~579, id:15041
time: create=6395 access=21 auth=6395 traffic=26
out_ip=0.0.0.0 out_ipv6=:: ftp_out_ip=0.0.0.0
concurrent user limit: 65536 lifetime=6395s, creation time:

 

licensed session count 0 ==>
local_ldap_cache_gen: 0
global_ldap_cache_gen: 13

 

A license seat is consumed only when a session is authenticated and matches a policy requiring inspection. 

Machine accounts do not count toward the license unless they authenticate and generate traffic subject to UTM inspection.
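
To check this across many entries, the following added example (not Fortinet code and not part of the original article) parses saved trace text in the layout shown above, flags accounts with the $ suffix, and reports each entry's licensed session count. It assumes every entry starts with a user:<name>@<realm>@<ip>( line as in the trace above; the second sample entry (jdoe, count 3) is constructed for illustration.

```python
import re

# Constructed sample modelled on the trace in this article. The first entry
# mirrors the article's trace; the second (jdoe, count 3) is hypothetical.
SAMPLE = """\
user:NS-002375$@forti.lab@172.20.152.1(0x7f4d815e7fd8), upn_domain=, type:SES, vf:0, ref:1, ntlm:0, has_fsae:0 active_auth:1 tp_proxy_auth:0 guest:0 fw:0
user:1(0x7f4d848c06a8), ip:2(0x7f4d7169fe08), scheme=3, auth=no, tfa=no, timeout:~579, id:15041
concurrent user limit: 65536 lifetime=6395s, creation time:
licensed session count 0 ==>
user:jdoe@forti.lab@172.20.152.7(0x7f4d815e8120), upn_domain=, type:SES, vf:0, ref:1, ntlm:0, has_fsae:0 active_auth:1 tp_proxy_auth:0 guest:0 fw:0
licensed session count 3 ==>
"""

# Entry header (assumed layout): user:<name>@<realm>@<ip>(<pointer>), ...
HEADER = re.compile(r"^user:(?P<name>[^@\s]+)@(?P<realm>[^@\s]+)@(?P<ip>[^(\s]+)\(")
COUNT = re.compile(r"^licensed session count\s+(?P<n>\d+)")


def parse_sessions(text):
    """Return one dict per session entry found in the trace text."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            # A trailing $ marks a machine account (Windows AD convention).
            current = {**m.groupdict(),
                       "machine": m["name"].endswith("$"),
                       "licensed": None}  # None until a count line is seen
            entries.append(current)
            continue
        m = COUNT.match(line)
        if m and current is not None:
            current["licensed"] = int(m["n"])
    return entries


def machine_accounts_with_licensed_sessions(entries):
    """Machine accounts whose licensed session count is non-zero."""
    return [e for e in entries if e["machine"] and e["licensed"]]


def licensed_total(entries):
    """Sum of licensed session counts over all parsed entries."""
    return sum(e["licensed"] or 0 for e in entries)


if __name__ == "__main__":
    for e in parse_sessions(SAMPLE):
        kind = "machine" if e["machine"] else "user"
        print(f'{e["name"]:<14} {kind:<8} {e["ip"]:<15} licensed={e["licensed"]}')
```

An empty result from machine_accounts_with_licensed_sessions() matches the behaviour described above; any entry it returns is a machine account generating traffic that counts toward the license.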