What causes PAM error PAM-CM-1209: Not permitted to login from here?

Article ID: 132071

Products

CA Privileged Access Manager - Cloakware Password Authority (PA), PAM SAFENET LUNA HSM, CA Privileged Access Manager (PAM)

Issue/Introduction



When attempting to create synchronized target accounts for an Active Directory target application, we receive error code "PAM-CM-1209: Not permitted to login from here". What causes this error and how can we resolve it?

Environment

Applies to any PAM release and environment managing Active Directory target accounts.

Resolution

This error is observed if the account is not allowed to log on to the Active Directory domain controllers. For PAM to manage the password of an account in Active Directory, it needs to be able to verify the stored password. It does this by attempting a logon to Active Directory with the account's (distinguished or principal) name and password, even when another account is configured to update this account's password. To resolve the problem, update the privileges of the account to allow it to log on to the domain controllers from the PAM server(s).
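When a verification logon fails, it helps to tell a rejected password apart from a logon restriction on the account. The following is an added example, not code from PAM or from this article: it parses the diagnostic string a domain controller returns for a failed LDAP bind and classifies the Win32 sub-code. It assumes the verification logon is an LDAP bind and that the diagnostic string is available from a manual bind test or a log; that PAM-CM-1209 corresponds to sub-code 531 is an assumption based on the wording of the error, and the sample strings are constructed.

```python
import re

CREDENTIAL = "credential"          # name or password was rejected
RESTRICTION = "logon restriction"  # account or policy restriction on the logon

# Win32 error codes that Active Directory reports (in hex) after "data"
# in the diagnostic text of a failed LDAP bind.
AD_BIND_SUBCODES = {
    0x525: ("ERROR_NO_SUCH_USER", CREDENTIAL),
    0x52E: ("ERROR_LOGON_FAILURE", CREDENTIAL),
    0x530: ("ERROR_INVALID_LOGON_HOURS", RESTRICTION),
    0x531: ("ERROR_INVALID_WORKSTATION", RESTRICTION),
    0x532: ("ERROR_PASSWORD_EXPIRED", RESTRICTION),
    0x533: ("ERROR_ACCOUNT_DISABLED", RESTRICTION),
    0x701: ("ERROR_ACCOUNT_EXPIRED", RESTRICTION),
    0x773: ("ERROR_PASSWORD_MUST_CHANGE", RESTRICTION),
    0x775: ("ERROR_ACCOUNT_LOCKED_OUT", RESTRICTION),
}

_DATA_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]+)")


def classify_bind_failure(diagnostic):
    """Return (win32_code, name, kind), or None if no sub-code is present."""
    match = _DATA_RE.search(diagnostic)
    if match is None:
        return None
    code = int(match.group(1), 16)  # the sub-code is printed in hex
    name, kind = AD_BIND_SUBCODES.get(code, ("UNKNOWN", "unknown"))
    return code, name, kind


def is_logon_restriction(diagnostic):
    """True when the bind was refused by a restriction on the account,
    not because the name or password was rejected."""
    result = classify_bind_failure(diagnostic)
    return result is not None and result[2] == RESTRICTION


# Constructed sample diagnostics (the DSID values are placeholders).
SAMPLES = [
    "80090308: LdapErr: DSID-00000000, comment: AcceptSecurityContext error, data 531, v0000",
    "80090308: LdapErr: DSID-00000000, comment: AcceptSecurityContext error, data 52e, v0000",
    "00000000: LdapErr: DSID-00000000, comment: some other failure",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(classify_bind_failure(line), is_logon_restriction(line))
```

A restriction result points at the account's logon rights rather than at the password PAM has stored.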