000015037 - Cannot assign a token to users in RSA Authentication Manager 7.1

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000015037
Applies To: SecurID Appliance 3.0, 2003 Server SP2
Issue: Cannot assign a token to users in RSA Authentication Manager 7.1
When trying to assign a token to a user, the assignment fails and the following error message appears:
Error: "Principal with userid already exists in the realm: username"

This can happen when changes are made in Active Directory while the internal database still holds references to the old objects; the stale reference conflicts with the current AD object.

Cause: duplicate user. Either the user was migrated in before the identity source was created, or the user was added twice to two different databases, e.g. two identity sources, or one identity source and the internal database.

1. In the Security Console, run the report 'Users and User Groups Missing From Identity Source', selecting Active Directory as the identity source. This report lists the objects whose identity source link has been lost. Verify that no users who should be kept appear in it. If a large number do appear, fix your identity sources first; the cleanup job below removes every object the report lists.

To clean up the objects with a lost identity source, perform the following steps:

1) First, verify that every identity source is currently linked to a realm. Otherwise the cleanup job will delete all token relationships from all users in any identity source that is not linked to a realm.

2) Second, make a backup of the database using the Operations Console.

3) The cleanup job is scheduled from the Security Console: Setup --> Component Configuration --> General --> Synchronize with Identity Sources.

4) When you enable this option, you choose when the cleanup job runs. Run it once (say, 5 minutes in the future) and then disable it afterward, so that it does not later remove users you do not want removed.


See also: Principal with userid already exists in the realm

See the PDF with a specific LDAP filter for the userID if the cleanup job cannot find the user. This happens when the userID gets a new GUID, as when the account is deleted and then re-created in AD: Authentication Manager still references the old GUID.
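As an added example (not part of the RSA article, and not the LDAP filter from the referenced PDF, which is not reproduced on this page), the following PowerShell script takes the userIDs listed by the 'Users and User Groups Missing From Identity Source' report and looks each one up in Active Directory, returning the account's current objectGUID and whenCreated. Authentication Manager 7.1 keys a linked user on the AD objectGUID, so an account whose whenCreated is later than the date the identity source was first linked has been deleted and re-created and is the case the PDF's LDAP filter addresses; an account that is absent from AD is genuinely orphaned and is what the cleanup job removes. The variable names $UserIds and $LinkedBefore, the sample userIDs and the cutoff date are assumptions to be replaced with values from your own report and deployment.

```powershell
# Added example, not from the RSA article. For each userID from the
# "Users and User Groups Missing From Identity Source" report, look the account
# up in Active Directory and show its current objectGUID and whenCreated, so
# that "deleted and re-created" accounts can be told apart from accounts that
# are genuinely gone. Runs on any domain-joined Windows host with PowerShell;
# it uses System.DirectoryServices directly, so no RSAT module is required.
# $UserIds and $LinkedBefore are placeholders: fill them from the report and
# from the date the identity source was first linked in Authentication Manager.

param(
    [string[]]$UserIds = @('jsmith', 'mjones'),       # constructed sample input
    [datetime]$LinkedBefore = (Get-Date '2016-01-01') # assumed original link date
)

function ConvertTo-LdapFilterValue {
    # RFC 4515 escaping, so that a userID copied from a report cannot change the
    # structure of the LDAP filter (the backslash must be escaped first).
    param([string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

function Get-AdAccountIdentity {
    # Returns DN, objectGUID and whenCreated for one sAMAccountName, or $null
    # if no such account exists in the current domain.
    param([Parameter(Mandatory = $true)][string]$SamAccountName)

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $safeId = ConvertTo-LdapFilterValue $SamAccountName
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$safeId))"
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'objectGUID', 'whenCreated'))

    $hits = $searcher.FindAll()
    try {
        if ($hits.Count -eq 0) { return $null }
        $p = $hits[0].Properties
        [pscustomobject]@{
            UserId            = $SamAccountName
            DistinguishedName = [string]$p['distinguishedname'][0]
            # AD returns objectGUID as a 16-byte array; this is the value AM 7.1 stores
            ObjectGuid        = New-Object System.Guid (,[byte[]]$p['objectguid'][0])
            WhenCreated       = [datetime]$p['whencreated'][0]
        }
    }
    finally {
        $hits.Dispose()
    }
}

foreach ($id in $UserIds) {
    $acct = Get-AdAccountIdentity -SamAccountName $id
    if ($null -eq $acct) {
        '{0}: not found in AD; the cleanup job will remove its internal-database reference' -f $id
    }
    elseif ($acct.WhenCreated -gt $LinkedBefore) {
        '{0}: re-created {1:u} (GUID now {2}); AM 7.1 still holds the old GUID, use the LDAP filter from the PDF' -f $id, $acct.WhenCreated, $acct.ObjectGuid
    }
    else {
        '{0}: exists since {1:u} (GUID {2}); check the identity source and realm mapping before running cleanup' -f $id, $acct.WhenCreated, $acct.ObjectGuid
    }
}
```

Run the script from a workstation joined to the same domain as the identity source, e.g. `.\Check-MissingUsers.ps1 -UserIds (Get-Content missing.txt) -LinkedBefore '2016-01-01'` (the script file name is arbitrary). The whenCreated comparison is a heuristic: it separates accounts re-created after the identity source was linked from accounts that have simply lost their realm mapping, which is the distinction step 1 above asks you to make before letting the cleanup job run.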
Legacy Article ID: a48936