diff --git a/internal/services/pam/pam_test.go b/internal/services/pam/pam_test.go
index e85dcad65..067397b3f 100644
--- a/internal/services/pam/pam_test.go
+++ b/internal/services/pam/pam_test.go
@@ -192,6 +192,7 @@ func TestSelectBroker(t *testing.T) {
 brokerID string
 username string
 sessionMode string
+ existingDB string
 currentUserNotRoot bool
@@ -208,13 +209,23 @@ func TestSelectBroker(t *testing.T) {
 "Error_when_broker_does_not_exist": {username: "no broker", brokerID: "does not exist", wantErr: true},
 "Error_when_broker_does_not_provide_a_session_ID": {username: "NS_no_id", wantErr: true},
 "Error_when_starting_the_session": {username: "NS_error", wantErr: true},
+ "Error_when_user_is_disabled": {username: "disabled", wantErr: true, existingDB: "cache-with-disabled-user.db"},
 }
 for name, tc := range tests {
 t.Run(name, func(t *testing.T) {
 t.Parallel()
+ cacheDir := t.TempDir()
+ if tc.existingDB != "" {
+ cache.Z_ForTests_CreateDBFromYAML(t, filepath.Join(testutils.TestFamilyPath(t), tc.existingDB), cacheDir)
+ }
+
+ m, err := users.NewManager(users.DefaultConfig, cacheDir)
+ require.NoError(t, err, "Setup: could not create user manager")
+ t.Cleanup(func() { _ = m.Stop() })
+
 pm := newPermissionManager(t, tc.currentUserNotRoot)
- client := newPamClient(t, nil, globalBrokerManager, &pm)
+ client := newPamClient(t, m, globalBrokerManager, &pm)
 switch tc.brokerID {
 case "":
diff --git a/internal/services/pam/testdata/TestSelectBroker/cache-with-disabled-user.db b/internal/services/pam/testdata/TestSelectBroker/cache-with-disabled-user.db
new file mode 100644
index 000000000..1bc5435ee
--- /dev/null
+++ b/internal/services/pam/testdata/TestSelectBroker/cache-with-disabled-user.db
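Review bot: The new `Error_when_user_is_disabled` case only asserts `wantErr: true`, so it would still pass if SelectBroker rejected the request for a reason other than the account being disabled — the sibling case `Error_when_broker_does_not_exist` shows that an unrelated failure already yields an error, and the fixture's `UserToBroker` entry (`"1111": '"broker-id"'`) is presumably consulted on this path, so a missing broker would be indistinguishable from the intended check. Consider pinning the cause, for example a `wantErrContains string` field on the table checked with `require.ErrorContains(t, err, tc.wantErrContains)` at the assertion site, or `require.ErrorIs(t, err, <sentinel error returned for disabled users>)` if such a sentinel exists; the assertion itself lies below this hunk. Separately, `t.Cleanup(func() { _ = m.Stop() })` discards Stop's error — `t.Cleanup(func() { require.NoError(t, m.Stop()) })` would surface a failed shutdown instead of hiding it. The `t.Run` closure and `TestSelectBroker` continue past the end of the hunk.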
@@ -0,0 +1,16 @@
+GroupByID:
+ "11111": '{"Name":"group1","GID":11111,"UGID":"12345678"}'
+GroupByName:
+ group1: '{"Name":"group1","GID":11111,"UGID":"12345678"}'
+GroupByUGID:
+ "12345678": '{"Name":"group1","GID":11111,"UGID":"12345678"}'
+GroupToUsers:
+ "11111": '{"GID":11111,"UIDs":[1111]}'
+UserByID:
+ "1111": '{"Name":"TestSelectBroker/Error_when_user_is_disabled_separator_disabled","UID":1111,"GID":11111,"Gecos":"Disabled User gecos\nOn multiple lines","Dir":"/home/disabled","Shell":"/bin/bash","LastPwdChange":-1,"MaxPwdAge":-1,"PwdWarnPeriod":-1,"PwdInactivity":-1,"MinPwdAge":-1,"ExpirationDate":-1,"Disabled":true,"LastLogin":"AAAAATIME"}'
+UserByName:
+ "TestSelectBroker/Error_when_user_is_disabled_separator_disabled": '{"Name":"TestSelectBroker/Error_when_user_is_disabled_separator_disabled","UID":1111,"GID":11111,"Gecos":"Disabled User gecos\nOn multiple lines","Dir":"/home/disabled","Shell":"/bin/bash","LastPwdChange":-1,"MaxPwdAge":-1,"PwdWarnPeriod":-1,"PwdInactivity":-1,"MinPwdAge":-1,"ExpirationDate":-1,"Disabled":true,"LastLogin":"AAAAATIME"}'
+UserToGroups:
+ "1111": '{"UID":1111,"GIDs":[11111]}'
+UserToBroker:
+ "1111": '"broker-id"'