Symantec Privileged Access Management

  • 1.  PAM-CM-1209: Not permitted to login from here

    Posted Jul 15, 2019 12:14 PM
    Has anyone encountered the following error before: "PAM-CM-1209: Not permitted to login from here"

    We are seeing it when attempting to on-board a Windows domain account. We've on-boarded several other Windows domain accounts successfully in this particular implementation. We've checked for some common on-boarding issues, but no luck so far. Never seen this particular error message before. Any thoughts as to common causes?

    ------------------------------
    Ramona Balke
    ------------------------------


  • 2.  RE: PAM-CM-1209: Not permitted to login from here
    Best Answer

    Broadcom Employee
    Posted Jul 16, 2019 12:59 AM

    Hello Ramona,

    See if you have set any IP or Access Time restrictions on the user or the User Group in CA PAM.

    Please see also the documentation for further details:

    https://docops.ca.com/ca-privileged-access-manager/3-3/EN/implementing/configure-policies-to-provision-user-access-to-devices-and-applications/configure-users/configure-user-groups#ConfigureUserGroups-UsetheUITemplatetoCreateaGroup.

    Best Regards,

    Andreas Müller

  • 3.  RE: PAM-CM-1209: Not permitted to login from here

    Broadcom Employee
    Posted Jul 16, 2019 10:17 AM
    Ramona,

    This may not be a PAM issue at all.  I am not sure what triggers that particular message, but it could simply be that there are restrictions on that account in Active Directory.  During the onboarding of an account, PAM actually logs in with that account via LDAP to verify the password.  It's possible that a restriction in AD is preventing that account from logging in via LDAP, or it has time/site restrictions.

    Joe
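
The Active Directory time and workstation restrictions raised in the last reply are stored on the account in the `logonHours` and `userWorkstations` attributes. The following is an added example, not part of the thread and not PAM code: it evaluates those two attribute values, as read from the account with any LDAP query tool, for a given host and time. The sample attribute values and the host name `pam01` are constructed for illustration.

```python
from datetime import datetime, timezone

def workstation_allowed(user_workstations, host):
    """userWorkstations is a comma-separated host list; empty or absent means unrestricted."""
    if not user_workstations:
        return True
    allowed = {h.strip().lower() for h in user_workstations.split(",") if h.strip()}
    return host.strip().lower() in allowed

def hour_allowed(logon_hours, when):
    """logonHours is 21 bytes (168 bits), one bit per hour starting Sunday 00:00 UTC,
    least significant bit first within each byte; absent means unrestricted."""
    if not logon_hours:
        return True
    if len(logon_hours) != 21:
        raise ValueError("logonHours must be exactly 21 bytes")
    when = when.astimezone(timezone.utc)      # pass a timezone-aware datetime
    day = (when.weekday() + 1) % 7            # Python Monday=0 -> AD Sunday=0
    bit = day * 24 + when.hour
    return bool((logon_hours[bit // 8] >> (bit % 8)) & 1)

def diagnose(attrs, host, when):
    """Return the restrictions that would reject a logon from `host` at `when`."""
    when_utc = when.astimezone(timezone.utc)
    findings = []
    if not workstation_allowed(attrs.get("userWorkstations"), host):
        findings.append("userWorkstations does not list " + host)
    if not hour_allowed(attrs.get("logonHours"), when_utc):
        findings.append("logonHours denies " + when_utc.strftime("%a %H:00 UTC"))
    return findings

# Constructed sample: logon allowed Mon-Fri 08:00-17:59 UTC, from two named hosts only.
_hours = bytearray(21)
for d in range(1, 6):
    for h in range(8, 18):
        _hours[(d * 24 + h) // 8] |= 1 << ((d * 24 + h) % 8)
SAMPLE = {"userWorkstations": "APP01,APP02", "logonHours": bytes(_hours)}

if __name__ == "__main__":
    # "pam01" is a hypothetical name for the host the logon is evaluated against.
    for when in (datetime(2019, 7, 15, 12, tzinfo=timezone.utc),   # a Monday
                 datetime(2019, 7, 14, 12, tzinfo=timezone.utc)):  # a Sunday
        print(when.isoformat(), diagnose(SAMPLE, "pam01", when))
```

An empty result means neither attribute blocks the logon, in which case other account settings or the PAM-side restrictions from the first reply are the next thing to check.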