search cancel

Browsing Through Edge SWG Returns Error, Account Cannot Be Used From This Location

book

Article ID: 257386

calendar_today

Updated On:

Products

ProxySG Software - SGOS

Issue/Introduction

When navigating to a website through an SG, the browser returns, "Account cannot be used from this location."

Cause

The active directory user account was created with restrictions on what client workstation(s) can be used to login.

 

From a packet capture, authentication may seem like it's successful but the RPC call between the proxy and domain controller will show "Error: STATUS_PENDING"

 

Similarly, an LSA debug taken on the proxy will show the following

8045.514 TRACE: lsass - [ntlm_gss_accept_sec_context() gssntlm.c:1402] Error code: 1329 (symbol: ERROR_INVALID_WORKSTATION)

8045.514 TRACE: lsass - [NtlmServerAcceptSecurityContext() acceptsecctxt.c:179] Error code: 1329 (symbol: ERROR_INVALID_WORKSTATION)

8045.514 TRACE: lsass - [LsaSrvAuthenticateUserEx() auth.c:438] Failed to authenticate user (name = 'test_user') -> error = 1329, symbol = ERROR_INVALID_WORKSTATION, client pid = 762

8045.514 NTLM authentication failed: 0xC0000070(-1073741712)

8045.514 TRACE: lwio - [RdrSocketTask() socket.c:1365] Status: STATUS_PENDING = 0x00000103 (259)
8045.514 TRACE: lwio - [RdrSocketReceivePacket() socket.c:732] Status: STATUS_PENDING = 0x00000103 (259)
8045.514 TRACE: lwio - [RdrSocketRead() socket.c:1991] Status: STATUS_PENDING = 0x00000103 (259)

8045.511 Thread: 0x51002521 Start auth.

 

Resolution

The domain administrator needs to modify the user account to allow the relevant authorized computer(s)

active directory users and computers > user > properties > account > log on to > the following computers

Attachments