000017295 - Unable to assign a token or an administrative role to a user in RSA Authentication Manager 8.x (The supplied principal DN does not map to any of the identity sources)

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 22, 2017.
Version 3


Article Number: 000017295
Applies To:
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x
Issue: It is confirmed that:
  • The LDAP connection test is successful in the Operations Console.
  • The User Base DN and User Group DN are both configured.
  • Users are unique in the LDAP identity sources.
  • Looking up users is successful in the Security Console.
  • The batch job named Clean Up Unresolvable Users was run and the message "No unresolvable users were found" was returned.
When trying to assign a token or an administrative role to an end user, the system administrator encounters the following error:
The supplied principal DN does not map to any of the identity sources

You may get a warning as in the example below:

The specified User Base DN matches or overlaps with a User Base DN used by another identity source. Overlapping identity sources may cause problems with authentication. Verify that the Search Filter field is correctly configured and that each user can only be found in one identity source.

Reviewing the /opt/rsa/am/server/logs/imsTrace.log shows the following message:

getAttributes({[CN=<User ID>,OU=<OU Name>,OU=<OU Name>,DC=<DC Name>,DC=<DC Name>}, {[samaccountname, comment, accountExpires, givenname, initials, ObjectGUID, mail, userAccountControl, unicodepwd, objectclass, sn]} )
2014-12-30 09:45:51,327, [[ACTIVE] ExecuteThread: '21' for queue: 'weblogic.kernel.Default (self-tuning)'], (IdentitySourceAccessSQL.java:1123), trace.com.rsa.ims.admin.dal.sql.IdentitySourceAccessSQL, DEBUG, rsa-pmgt-01.gp.lcl,,,,SELECT IDENTITYSOURCE_ID, RDN_EXUID, RDN_VALUE, SECURITYDOMAIN_ID, IS_BASEDN  FROM IMS_SECURITY_DOMAIN_MAPPINGS  WHERE IDENTITYSOURCE_ID = ? AND RDN_VALUE = ?
2014-12-30 09:45:51,328, [[ACTIVE] ExecuteThread: '21' for queue: 'weblogic.kernel.Default (self-tuning)'], (IdentitySourceAccessSQL.java:1210), trace.com.rsa.ims.admin.dal.sql.IdentitySourceAccessSQL, DEBUG, rsa-pmgt-01.gp.lcl,,,,SELECT  IDENTITYSOURCE_ID, RDN_EXUID, RDN_VALUE, SECURITYDOMAIN_ID, IS_BASEDN FROM IMS_SECURITY_DOMAIN_MAPPINGS WHERE IDENTITYSOURCE_ID = ? AND IS_BASEDN = '1'
Command Exception: com.rsa.command.exception.InvalidArgumentException:  
Cause:
  • The User Base DN was configured incorrectly and there are groups that overlap with another User Base DN.
  • One common overlap problem is when the identity source mapping in the Operations Console has different values for the User Base DN and the User Group Base DN. For example, the User Base DN is set to ou=AcmeRemoteUsers, dc=AcmeWidgets, dc=local, but the User Group Base DN is dc=AcmeWidgets, dc=local. Set both of these values so that the User Group Base DN is at the top of the directory (dc=AcmeWidgets, dc=local).
  • If the user ID is in a group at the top of the tree and the same user ID is also further down, in the AcmeRemoteUsers organizational unit, Authentication Manager considers that an overlap, and it causes the error "The supplied principal DN does not map to any of the identity sources."
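To see the overlap concretely, here is an added Python check (not part of this article or of Authentication Manager) that tests whether a user DN resolves under more than one identity source's User Base DN. The source names and the user DN are constructed; the base DNs are the article's example values.

```python
"""Detect overlapping identity-source User Base DNs, as described above."""
from typing import List, Tuple


def normalize_dn(dn: str) -> List[str]:
    """Split a DN into lower-cased, trimmed RDN components.

    Simple splitter: honours backslash-escaped commas but is not a full
    RFC 4514 parser (assumption: DNs use the plain form shown in this article).
    """
    parts, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # keep escaped char with its backslash
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(cur).strip().lower())
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur).strip().lower())
    return [p for p in parts if p]


def is_within(dn: str, base_dn: str) -> bool:
    """True if dn equals base_dn or lies beneath it in the directory tree."""
    d, b = normalize_dn(dn), normalize_dn(base_dn)
    return len(b) > 0 and len(d) >= len(b) and d[len(d) - len(b):] == b


def find_overlaps(sources: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return pairs of identity sources whose User Base DNs nest or coincide."""
    overlaps = []
    for i, (name1, base1) in enumerate(sources):
        for name2, base2 in sources[i + 1:]:
            if is_within(base1, base2) or is_within(base2, base1):
                overlaps.append((name1, name2))
    return overlaps


def sources_resolving(user_dn: str, sources: List[Tuple[str, str]]) -> List[str]:
    """Names of every identity source under whose User Base DN the user falls.
    More than one name is the overlap condition behind the principal-DN error."""
    return [name for name, base in sources if is_within(user_dn, base)]


# Constructed identity-source table using the article's example DNs.
SOURCES = [
    ("RemoteUsers", "ou=AcmeRemoteUsers, dc=AcmeWidgets, dc=local"),
    ("AllUsers", "dc=AcmeWidgets, dc=local"),
]
USER_DN = "CN=jdoe,OU=AcmeRemoteUsers,DC=AcmeWidgets,DC=local"  # constructed
```

Running `sources_resolving(USER_DN, SOURCES)` returns both source names, which is exactly the situation the Operations Console warning about overlapping User Base DNs is pointing at.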
Resolution: Correct the User Base DN by defining a specific OU to administer token assignments and/or administrative roles.
Workaround: A workaround for this issue is to remove the user from the AD group in the Security Console, then quickly assign a token to the user. The user will be restored to the group after Authentication Manager checks with the external identity source on the next LDAP sweep.
Legacy Article ID: a68064