When attempting to create synchronized target accounts for an Active Directory target application, we receive error code "PAM-CM-1209: Not permitted to login from here". What causes this error and how can we resolve it?
Applies to any PAM release and environment managing Active Directory target accounts.
This error occurs when the account is not allowed to log on to the Active Directory domain controllers. For PAM to manage the password of an Active Directory account, it must be able to verify the stored password. It does so by attempting a logon to Active Directory with the account's distinguished name or principal name and its password; this verification logon is performed even when a different account is configured to update this account's password. To resolve the problem, update the account's privileges so that it is allowed to log on to the domain controllers from the PAM server(s).
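To confirm the diagnosis before changing account privileges, an administrator can reproduce the verification logon PAM performs: a simple bind to a domain controller as the managed account, then decode the Active Directory sub-code in the bind failure. The following is an added example, not PAM product code or part of this article; it assumes the third-party `ldap3` library for the bind, a hypothetical DC host and account, and that it is run from the PAM server so the bind originates from the same host. The mapping of AD sub-code 531 ("not permitted to log on at this workstation") to PAM-CM-1209 is an inference from the article's description, not a vendor statement.

```python
import re

# Active Directory sub-error codes carried in the diagnostic message of a failed
# simple bind, e.g. "... AcceptSecurityContext error, data 531, v2580".
AD_BIND_DATA_CODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password)",
    "530": "not permitted to log on at this time (logon hours restriction)",
    "531": "not permitted to log on at this workstation (Log On To restriction)",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

_DATA_RE = re.compile(r"\bdata ([0-9a-fA-F]+)")


def decode_bind_failure(diagnostic_message):
    """Return (sub-code, explanation) parsed from an AD bind diagnostic message."""
    match = _DATA_RE.search(diagnostic_message or "")
    if not match:
        return None, "no AD sub-code in diagnostic message"
    code = match.group(1).lower()
    return code, AD_BIND_DATA_CODES.get(code, "unknown AD sub-code")


def is_workstation_restriction(diagnostic_message):
    """True when the failure is the workstation restriction assumed behind PAM-CM-1209."""
    return decode_bind_failure(diagnostic_message)[0] == "531"


def verify_logon(dc_host, user, password, use_ssl=True):
    """Simple bind as `user` (DN or UPN), mirroring PAM's password verification.

    `dc_host`, `user` and `password` are assumptions supplied by the caller;
    run this on the PAM server so the DC sees the same origin host PAM uses.
    """
    from ldap3 import Connection, Server  # third-party dependency, imported lazily

    server = Server(dc_host, use_ssl=use_ssl)
    conn = Connection(server, user=user, password=password)  # SIMPLE bind
    if conn.bind():
        conn.unbind()
        return True, "bind succeeded: account may log on from this host"
    code, explanation = decode_bind_failure(conn.result.get("message", ""))
    return False, f"bind failed ({code}): {explanation}"
```

Call `verify_logon("dc01.example.local", "CN=svc-pam,OU=Service,DC=example,DC=local", "<password>")` on the PAM server; a result decoded as 531 points at the domain controller logon restriction this article describes, while 52e indicates the stored password itself is wrong.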