000016903 - Administrators fail to logon to the RSA Security Console

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000016903

Applies To:
RSA Authentication Manager 8.1
Identity Source
RSA Security Console

Issue:
Administrators fail to log on to the RSA Security Console with an LDAP password.
Administrators can log on to the RSA Security Console where a token is assigned to the administrator.

Authentication Error


Your logon information is incorrect. Correct your logon information and try again, or contact the help desk or your administrator.

Resolution

The user resides in the RSA Authentication Manager database, and the User ID appears not to have changed. However, it is possible that some other identifying data that references the user is no longer available since the change made in the directory server.

Below are the steps to flush the user from RSA Authentication Manager and map it back with the correct identifiers.

NOTE: The user will be removed from RSA Authentication Manager v8.1 and will lose any token assignment(s) and/or administration role(s).

1. Ensure you have made a note of the token(s) and administrative role(s) assigned to the user.

   View All Administrative Roles Assigned to an Administrator

   You can view all the administrative roles that are assigned to a user. This allows you to identify the types of administrative tasks that the user can perform.

   Procedure

   1. In the Security Console, click Identity > Users > Manage Existing.
   2. Use the search fields to find the appropriate administrator. Some fields may be case sensitive.
   3. Click the administrator, and select Administrative Roles.

   View All Tokens Assigned to a User

   Use this procedure to view all tokens assigned to a specific user.

   Before You Begin: You can only view users and tokens assigned to security domains within the scope of your administrative role.

   Procedure

   1. In the Security Console, click Identity > Users > Manage Existing.
   2. Use the search fields to find the user whose tokens you want to view.
   3. From the search results, click the user whose tokens you want to view.
   4. From the context menu, click SecurID Tokens.
   5. To view details of a specific token, click the token that you want to view, and select View from the context menu.

2. To remove a single user from the identity source mapping found in the RSA Operations Console, an administrator would change the "Directory Configuration - Users" filter from (&(objectClass=User)(objectcategory=person)) to (&(objectClass=User)(objectcategory=person)(!(samAccountName=<samAccountName>)))

   NOTE: Substitute <samAccountName> with the actual samAccountName of the user.

   Log on to the primary RSA Operations Console > Deployment Configuration > Identity Sources > Manage Existing > select the Identity Source Name (left-click the mouse) > Edit > click the Map tab > change the Search Filter in the Directory Configuration - Users section.

   Save and Finish, and confirm the change.

3. After saving the change to the filter and confirming the change, an administrator would log on to the RSA Security Console and select Setup > Identity Sources > Clean Up Unresolvable Users > select the Identity Source and uncheck the Grace Period > Next

   This should find the User ID of the user that is no longer included in the identity source mapping. An administrator can then select the Clean Up Now button to remove the item (user) found.

4. To ensure the user is made available to the RSA Authentication Manager, an administrator would change the "Directory Configuration - Users" filter back to the default (&(objectClass=User)(objectcategory=person)).

   Log on to the primary RSA Operations Console > Deployment Configuration > Identity Sources > Manage Existing > select the Identity Source Name (left-click the mouse) > Edit > click the Map tab > change the Search Filter in the Directory Configuration - Users section.

5. Now, assign the user any previously assigned administrative roles (e.g. SuperAdminRole) and assign back any previously assigned token(s).

   All Help Topics

   Use the RSA Security Console > Help > All Help Topics and search for "assign tokens" to list a number of results on assigning tokens to users. Change the search to "assign administrative roles" to list a number of results on administrative roles.
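
Because step 3 cleans up the users that the edited filter no longer returns, it is worth checking the step 2 filter before saving it. The following is an added example, not RSA's code: the function names, the simplified filter matcher and the sample entries are assumptions constructed for illustration. It escapes the substituted samAccountName per RFC 4515 and lists which users a given filter would drop from the mapping.

```python
import re

DEFAULT_FILTER = "(&(objectClass=User)(objectcategory=person))"  # from the article
_ESC = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_value(value):
    """Escape an assertion value per RFC 4515 so it cannot alter the filter."""
    return "".join(_ESC.get(c, c) for c in value)

def exclusion_filter(sam, escape=True):
    """Default users filter plus a NOT clause for one samAccountName."""
    value = escape_value(sam) if escape else sam
    return DEFAULT_FILTER[:-1] + "(!(samAccountName=%s)))" % value

def _parse(f, i=0):
    """Parse the subset used here: (&...), (!...), (attr=value)."""
    if f[i + 1] in "&!":
        op, kids, i = f[i + 1], [], i + 2
        while f[i] == "(":
            kid, i = _parse(f, i)
            kids.append(kid)
        return (op, kids), i + 1
    end = f.index(")", i)
    attr, _, value = f[i + 1:end].partition("=")
    return ("=", attr.lower(), value), end + 1

def _matches(node, entry):
    if node[0] == "&":
        return all(_matches(k, entry) for k in node[1])
    if node[0] == "!":
        return not _matches(node[1][0], entry)
    # A raw '*' is a wildcard; \XX escapes stand for literal characters.
    unesc = lambda p: re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m[1], 16)), p)
    rx = ".*".join(re.escape(unesc(p)) for p in node[2].split("*"))
    return any(re.fullmatch(rx, v, re.I | re.S) for v in entry.get(node[1], []))

def excluded_users(filter_text, entries):
    """Users in scope of the default filter that filter_text drops."""
    base, new = _parse(DEFAULT_FILTER)[0], _parse(filter_text)[0]
    return [e["samaccountname"][0] for e in entries
            if _matches(base, e) and not _matches(new, e)]

# Constructed sample entries (simplified: real AD objectCategory is a DN).
_USER = ["top", "person", "organizationalPerson", "user"]
ENTRIES = [
    {"objectclass": _USER, "objectcategory": ["person"], "samaccountname": ["jdoe"]},
    {"objectclass": _USER, "objectcategory": ["person"], "samaccountname": ["asmith"]},
    {"objectclass": _USER + ["computer"], "objectcategory": ["computer"], "samaccountname": ["WS01$"]},
]
```

With these entries, `excluded_users(exclusion_filter("jdoe"), ENTRIES)` returns only `jdoe`, while an unescaped `*` in place of the name returns every user, which is the mistake to catch before running the cleanup with the grace period unchecked.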

Workaround: The user in the directory server was moved outside of the configured user base distinguished name (DN) mapping of the identity source and moved back at a later time.

Legacy Article ID: a64320
