000031233 - Default Token Policy change prompts every user to change their PIN in RSA Authentication Manager

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 4

Article Content

Article Number: 000031233
Applies To
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.1.x
O/S Version: SUSE Linux Enterprise Server 11 SP3
Issue
When the default token policy is changed, all users assigned to Security Domain(s) are immediately assigned the new Token Policy, causing users in the Security Domain(s) to change their PINs the next time they authenticate.
If you edit a token policy and check the box to make it the Default Policy, the token policy configured within the Security Domain(s) changes to this "Default Policy".
Procedure to set Default Policy
1. In the Security Console, click Authentication > Policies > Token Policies > Manage Existing.
2. From the context menu of the chosen token policy, click Edit.
3. For Default Policy, select the checkbox next to Set as default SecurID token policy.
4. Click Save.
Resolution
Let's say you have a required PIN minimum length of 4 digits in your Default Token Policy called "Initial Token Policy" and of 6 digits in another token policy called "Test Token Policy".
A Security Domain named TestDomain has "Initial Token Policy" as its token policy.
TestDomain has Policies configured with SecurID Token Policy "Always Use Default".
Later you change the default policy to "Test Token Policy".
Once you save the default token policy change, TestDomain effectively has the token policy "Test Token Policy", and all users in TestDomain will be challenged to set a new PIN if they have a 4-digit PIN.
This is functioning as designed.
To avoid any unexpected results from the default policy change, use a custom policy instead of "Always Use Default" when you add a new Security Domain.
Procedure to assign a custom token policy to a Security Domain 

1. In the Security Console, click Administration > Security Domains > Add New.
2. In the Security Domain Name field, enter a unique name. 
3. From the SecurID Token Policy drop-down list, assign a SecurID token policy to the security domain. 
4. Click Save.
See "Security Domains and Policies" in the AM 8.1 Administrator's Guide for further details.
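The inheritance behaviour described in the Resolution can be checked before a default is changed. The following is an added example, not RSA code and not an Authentication Manager API: it models only the required minimum PIN length, and the inventory dictionaries, the "PinnedDomain" entry and the function names are constructed for illustration.

```python
"""Model of default-token-policy inheritance across security domains."""

ALWAYS_USE_DEFAULT = "Always Use Default"

# Constructed inventory mirroring the article's scenario (not exported from
# a real deployment). Policy name -> required minimum PIN length.
POLICIES = {"Initial Token Policy": 4, "Test Token Policy": 6}
# Domain name -> SecurID Token Policy setting. "PinnedDomain" is hypothetical.
DOMAINS = {
    "TestDomain": ALWAYS_USE_DEFAULT,
    "PinnedDomain": "Initial Token Policy",
}


def effective_policy(assigned, default):
    """Resolve the policy a domain actually enforces."""
    return default if assigned == ALWAYS_USE_DEFAULT else assigned


def default_change_impact(domains, policies, old_default, new_default):
    """List domains whose effective policy changes with the default."""
    named = {old_default, new_default} | (set(domains.values()) - {ALWAYS_USE_DEFAULT})
    unknown = named - set(policies)
    if unknown:
        raise ValueError(f"unknown token policy: {sorted(unknown)}")
    report = []
    for name, assigned in sorted(domains.items()):
        before = effective_policy(assigned, old_default)
        after = effective_policy(assigned, new_default)
        if before == after:
            continue  # custom policy assigned, so the default change is ignored
        report.append({
            "domain": name,
            "before": before,
            "after": after,
            "new_min_pin": policies[after],
            # Only minimum length is modelled: a higher minimum means
            # existing shorter PINs no longer satisfy the policy.
            "pin_change_expected": policies[after] > policies[before],
        })
    return report


if __name__ == "__main__":
    for row in default_change_impact(DOMAINS, POLICIES,
                                     "Initial Token Policy", "Test Token Policy"):
        print(row)
```

Domains that appear in the report are the ones still set to "Always Use Default"; a domain with a custom policy assigned never appears.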