Certain users attempt to authenticate but are denied due to authentication. Users are unable to access web due to the following error displayed in a policy trace:
authentication status='account_wrong_place' authorization status='not_attempted' EXCEPTION(configuration_error): Authentication failed because of a configuration problem Last Error: Account cannot be used from this location.
The main reason this occurs is when you have certain users that are in restricted AD groups that are only allowed to logon to their current PC which is defined in your AD under account and Logon Workstation.
In troubleshooting this issue, and to identify that this is the resolution to your current issue, get a policy trace. If you see what was highlighted above, this is an indication that the user only has logon permissions to their local computer.
In Proxy authentication, the Proxy (using IWA-Direct or BCAAA ) acts as surrogate on behalf of the user. AD sees this as a device which the user is logging into because the Proxy is passing user credentials for authentication to the AD.
If the user is not able to logon to the Proxy (not literally) then the ProxySG will be unable to authenticate this user and will fail with the following error:
Last Error: Account cannot be used from this location.
To resolve this issue, you need to log into the AD and go to the users AD settings and to the Account setting and add the DNS or NetBios of the ProxySG as an authorized computer the user can access.
Or you may see something like this with IWA direct using the ProxySG Hostname.
Imported Document ID: 000014394
Subscribing will provide email updates when this Article is updated. Login is required.
Thanks for your feedback. Let us know if you have additional comments below. (requires login)
Subscribed to the Article.
Unable to subscribe
Thanks for your additional feedback !!!
Enterprise Support Virtual Agent
Rate Me :
Tell us more:
Welcome! My name is Sami, the Enterprise Support Virtual Agent answering technical support questions.