A user has been onboarded to PAM from Active Directory.
However, when trying to log in to PAM by using LDAP with that user, the following error appears:
PAM-CMN-0979: LDAP authentication failed for user XXX error code (49) and error string (80090308: LdapErr: DSID-0C0904AE, comment: AcceptSecurityContext error, data 52f, v3839: Unknown)
Nevertheless, the password is the correct one and the user has all necessary rights.
CA PAM up to version 4.3.0, possibly newer as well
The error string 80090308: LdapErr: DSID-0C0904AE, comment: AcceptSecurityContext error, data 52f, v3839
stands for user restrictions preventing the login from occurring.
This error is not caused by an incorrect username, password, or other credentials. As far as restrictions are concerned, the user is an Administrator and has all the rights needed to log in, so permissions are not the restriction at issue.
One reason this error message appears is that the user being used to log in to PAM is a member of the Protected Users group.
When this happens, AD expects Kerberos to be used for the login instead of the regular LDAP bind mechanism.
In CA PAM versions up to 4.3.0 no such capability exists for CA PAM login, so any login attempt by a user who is also a member of the Protected Users group will fail with that error.
Removing the users one wants to use to log in to CA PAM from that group will allow login to proceed.
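As an added illustration (not part of this article or of CA PAM itself), the following Python snippet parses a PAM-CMN-0979 log line to pull out the AD sub-code, tells a wrong password (52e) apart from the account restriction described above (52f), and checks a user's group list for Protected Users membership either by group name or by its well-known RID 525; the sub-code table is standard AD behaviour and the sample log line, user name and group DNs are constructed.

```python
import re
from typing import Iterable, Optional

# Sub-codes AD returns in the "data" field of an AcceptSecurityContext error on a
# failed LDAP bind (result code 49). Standard AD values, not taken from the article;
# 52f is the one the article explains.
AD_BIND_SUBCODES = {
    "52e": "invalid credentials (wrong password)",
    "52f": "account restrictions, e.g. Protected Users membership (Kerberos required)",
    "530": "logon not permitted at this time",
    "531": "logon not permitted at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "775": "account locked out",
}

# Shape of the PAM-CMN-0979 line quoted in the article.
_PAM_LINE = re.compile(
    r"PAM-CMN-0979: LDAP authentication failed for user (?P<user>\S+) "
    r"error code \((?P<code>\d+)\).*?AcceptSecurityContext error, "
    r"data (?P<data>[0-9a-fA-F]+)"
)

def diagnose(log_line: str) -> Optional[dict]:
    """Parse one PAM-CMN-0979 line; return the decoded sub-code, or None if no match."""
    m = _PAM_LINE.search(log_line)
    if m is None:
        return None
    data = m.group("data").lower()
    return {
        "user": m.group("user"),
        "ldap_result": int(m.group("code")),
        "data": data,
        "meaning": AD_BIND_SUBCODES.get(data, "unknown sub-code"),
        "credentials_wrong": data == "52e",  # only 52e means a bad password
    }

def is_protected_user(member_of: Iterable[str], token_groups: Iterable[str] = ()) -> bool:
    """True if memberOf DNs name Protected Users or tokenGroups SIDs carry its RID (525)."""
    by_name = any(dn.lower().startswith("cn=protected users,") for dn in member_of)
    by_sid = any(s.startswith("S-1-5-21-") and s.endswith("-525") for s in token_groups)
    return by_name or by_sid

# Constructed sample line in the article's format (user name is made up).
SAMPLE_LINE = ("PAM-CMN-0979: LDAP authentication failed for user jdoe error code (49) "
               "and error string (80090308: LdapErr: DSID-0C0904AE, comment: "
               "AcceptSecurityContext error, data 52f, v3839: Unknown)")
```

Feed it the PAM log line and the user's memberOf (or tokenGroups) values from an LDAP query; a 52f result together with a positive membership check points at the cause described above rather than at the password.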