User fails to Authenticate (BCAAA or IWA-Direct). Policy trace shows "Last Error: Account cannot be used from this location".


Article ID: 167072


Updated On:


ProxySG Software - SGOS


Certain users attempt to authenticate but are denied due to authentication.  Users are unable to access web due to the following error displayed in a policy trace:

authentication status='account_wrong_place' authorization status='not_attempted'
EXCEPTION(configuration_error): Authentication failed because of a configuration problem
Last Error: Account cannot be used from this location.



The main reason this occurs is when you have certain users that are in restricted AD groups that are only allowed to logon to their current PC which is defined in your AD under account and Logon Workstation.

In troubleshooting this issue, and to identify that this is the resolution to your current issue, get a policy trace.  If you see what was highlighted above, this is an indication that the user only has logon permissions to their local computer.

In Proxy authentication, the Proxy (using IWA-Direct or BCAAA ) acts as surrogate on behalf of the user.  AD sees this as a device which the user is logging into because the Proxy is passing user credentials for authentication to the AD.

If the user is not able to logon to the Proxy (not literally) then the ProxySG will be unable to authenticate this user and will fail with the following error:

Last Error: Account cannot be used from this location.

To resolve this issue, you need to log into the AD and go to the users AD settings and to the Account setting and add the DNS or NetBios of the ProxySG as an authorized computer the user can access.

Or you may see something like this with IWA direct using the ProxySG Hostname.

User-added image