PAM-UI-1003: unauthorized and PAM-UI-1036: unauthorized access PAM through load balancer

Article ID: 389984

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

Some users are getting PAM-UI-1003: unauthorized and PAM-UI-1036: unauthorized access either during login or when trying to use PAM after a successful login. The users are accessing PAM through an external load balancer.

Cause

The PAM server logs show that connections from this client into PAM go to different cluster members for the same user session, either because the external load balancer doesn't enforce sticky sessions/session affinity, or connections from the client to the load balancer are routed inconsistently and the load balancer sees them coming from different source IPs.

Resolution

PAM user sessions are valid only on the cluster member where the user was authenticated. The PAM client does not hold one static network connection into PAM; like a browser, it establishes new connections as needed. External load balancing must therefore be configured so that connections from a given client always go to the same PAM server while that user's session is active. See the comment on session affinity on the documentation page Cluster Deployment Requirements and Guidelines. If the problem is routing between the client and the external load balancer and that routing cannot be controlled, it may be necessary to direct affected users to a specific PAM cluster member, or to provide them with a separate VIP that implements priority load balancing, so that all connections go to the highest-priority PAM server that is available.
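The diagnosis in the Cause section (one user session served by more than one cluster member) can be confirmed from the server logs, and the same check can be rerun after the load balancer is reconfigured to verify that affinity now holds. The following script is an added example and is not part of this article or of CA PAM; the log line layout it parses (timestamp, `member=`, `src=`, `session=`, `user=`, `event=`) is a constructed, simplified format assumed for the example, not PAM's real log format, so the regular expression would need to be adapted to the actual log lines. It groups entries by session ID, reports sessions that touched more than one member, and distinguishes the two causes the article names: several source IPs for one session points to inconsistent routing between client and load balancer, while one source IP across members points to the load balancer not enforcing session affinity.

```python
import re
from collections import OrderedDict

# Constructed sample log lines. The field layout is an assumption made for
# this example, not CA PAM's actual log format.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z member=pam-node1 src=10.1.1.20 session=abc123 user=alice event=login
2024-05-01T10:00:05Z member=pam-node1 src=10.1.1.20 session=abc123 user=alice event=request
2024-05-01T10:00:09Z member=pam-node2 src=10.1.1.20 session=abc123 user=alice event=request
2024-05-01T10:00:12Z member=pam-node2 src=10.1.1.20 session=abc123 user=alice event=PAM-UI-1036
2024-05-01T10:01:00Z member=pam-node3 src=10.1.1.30 session=def456 user=bob event=login
2024-05-01T10:01:04Z member=pam-node3 src=10.1.1.30 session=def456 user=bob event=request
2024-05-01T10:02:00Z member=pam-node1 src=192.0.2.10 session=ghi789 user=carol event=login
2024-05-01T10:02:03Z member=pam-node2 src=192.0.2.11 session=ghi789 user=carol event=request
"""

# Matches the assumed layout above; adapt to the real log format in use.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) member=(?P<member>\S+) src=(?P<src>\S+) "
    r"session=(?P<session>\S+) user=(?P<user>\S+) event=(?P<event>\S+)$"
)


def parse_log(log_text):
    """Yield one dict per parsable line; lines that do not match are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def _unique_in_order(values):
    """Deduplicate while keeping first-seen order, so member hops stay readable."""
    return list(OrderedDict.fromkeys(values))


def find_affinity_violations(log_text):
    """Return {session_id: report} for every session served by more than one
    cluster member. Each report lists the members and client source IPs seen,
    plus a likely cause: more than one source IP means the client's path to
    the load balancer is inconsistent; a single source IP means the load
    balancer itself is not keeping the session on one member."""
    by_session = {}
    for entry in parse_log(log_text):
        s = by_session.setdefault(
            entry["session"], {"user": entry["user"], "members": [], "src_ips": []}
        )
        s["members"].append(entry["member"])
        s["src_ips"].append(entry["src"])

    violations = {}
    for sid, s in by_session.items():
        members = _unique_in_order(s["members"])
        if len(members) < 2:
            continue  # session stayed on one member: affinity held
        src_ips = _unique_in_order(s["src_ips"])
        violations[sid] = {
            "user": s["user"],
            "members": members,
            "src_ips": src_ips,
            "likely_cause": (
                "inconsistent source IP" if len(src_ips) > 1 else "no session affinity"
            ),
        }
    return violations


if __name__ == "__main__":
    for sid, v in find_affinity_violations(SAMPLE_LOG).items():
        print(
            f"session {sid} user={v['user']} members={v['members']} "
            f"src_ips={v['src_ips']} -> {v['likely_cause']}"
        )
```

Run against a log window covering the time of the PAM-UI-1003/PAM-UI-1036 errors: an empty result means every session stayed on one member and the load balancer is not the problem, while reports with several source IPs for one session point at the client-side routing the article says may need a dedicated member or a priority-balanced VIP.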