000014104 - Principal with userid already exists in the realm

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.

Article Content

Article Number: 000014104
Applies To: RSA Authentication Manager 7.1
Issue: Principal with userid already exists in the realm: jsmith
Error during addition or registration of user: the userid already exists in the realm
Duplicate user
Cause

This error message is displayed when RSA Authentication Manager 7.1 (AM71) detects a clash between user ID values in the system. The clash can arise in a number of ways, and the right fix depends on the specific situation. Below are some commonly seen examples of how the problem occurs (all of the examples assume a single-realm configuration, even where this is not stated):



Scenario 1: user deleted from one LDAP identity source and re-created in another
    A user existed in one LDAP identity source.
    They were assigned a token (or some other SecurID data).
    The LDAP administrator deleted them from the LDAP identity source, but nothing was done on AM71.
    A user is created with similar details in a different LDAP identity source.
    The AM71 administrator attempts to assign a token to this new user.

Scenario 2: user deleted and re-created in the same LDAP identity source
    A user existed in one LDAP identity source.
    They were assigned a token (or some other SecurID data).
    The LDAP administrator deleted them from the LDAP identity source, but nothing was done on AM71.
    A user is re-created with similar details in the same LDAP identity source.
    The AM71 administrator attempts to assign a token to this new user.

Scenario 3: the same user ID in two LDAP identity sources
    A user exists in one LDAP identity source.
    A similar user exists in a second LDAP identity source.
    The AM71 administrator attempts to assign a token to either of the two users.

Scenario 4: LDAP user duplicated in the internal database
    A user exists in one LDAP identity source.
    The AM71 administrator attempts to create a user in the internal database with similar details.

Scenario 5: internal database user duplicated in an existing LDAP identity source
    A user exists in the AM71 internal database and has a token assigned.
    A user with similar details is added to an LDAP identity source.
    The AM71 administrator attempts to assign this second user a token.

Scenario 6: internal database user duplicated in a newly added LDAP identity source
    A user exists in the AM71 internal database and has a token assigned.
    An LDAP identity source is added and contains a user with similar details.
    The AM71 administrator attempts to assign this second user a token.

Scenario 7: user moved in the LDAP tree by delete and re-create
    A user in an external identity source is assigned a token in AM71.
    The LDAP administrator needs to move the user to a different part of the LDAP tree (still within scope for the identity source configuration), but instead of moving the user they delete the old record and create a new record.



In all the above examples, the problem occurs because the user either exists, or is being created, in more than one identity source. Standard LDAP administration does not allow duplicate users within a single directory, but nothing prevents the same user ID from appearing in several sources that AM71 reads (note that this includes the internal database). In the delete-and-re-create cases the directory also assigns the new record a new GUID, so AM71 still holds the old record and its token assignment under the old GUID.


This is not an error or fault in RSA Authentication Manager 7.1. The system is doing exactly as intended: it refuses to proceed rather than risk an administrator unknowingly granting a restricted privilege (such as a token) to the wrong user.
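The two conditions described above (the same user ID visible in more than one identity source, and a stored AM71 record whose directory entry was deleted and re-created under a new GUID) can be checked offline before an administrator assigns a token. The following script is an added example and is not RSA's code; the record layout (userid, guid, email, source, token), the source names and all sample records are assumptions constructed for this illustration, standing in for an export of each identity source and of the AM71 user records.

```python
# Added example (not RSA's code): cross-check user records from several
# identity sources against what AM71 still holds, to explain why
# "Principal with userid already exists in the realm" is raised.
# Field names, source names and sample records are constructed assumptions.
from collections import defaultdict

# Constructed sample: what each identity source currently returns.
CURRENT_SOURCES = {
    "corp-ad": [
        {"userid": "jsmith", "guid": "guid-ad-1002", "email": "john.smith@example.com"},
        {"userid": "mjones", "guid": "guid-ad-0441", "email": "m.jones@example.com"},
    ],
    "partner-ldap": [
        {"userid": "jsmith", "guid": "guid-ldap-77", "email": "jane.smith@partner.example"},
    ],
    "internal-db": [
        {"userid": "admin2", "guid": "int-0001", "email": "admin2@example.com"},
    ],
}

# Constructed sample: records AM71 still holds from earlier assignments.
# jsmith in corp-ad was deleted and re-created in AD, so the GUID stored
# by AM71 no longer matches the live one; bold no longer exists at all.
AM_RECORDS = [
    {"userid": "jsmith", "guid": "guid-ad-0917", "source": "corp-ad", "token": "000123456789"},
    {"userid": "mjones", "guid": "guid-ad-0441", "source": "corp-ad", "token": "000123456790"},
    {"userid": "bold", "guid": "guid-ad-0550", "source": "corp-ad", "token": "000123456791"},
]


def find_userid_clashes(sources):
    """Return {userid: [source names]} for user IDs present in more than one source.

    A user ID listed here cannot be assigned a token until the clash is
    resolved (renamed, mapped differently, or Non-Unique User IDs enabled).
    """
    seen = defaultdict(list)
    for name, users in sources.items():
        for u in users:
            seen[u["userid"]].append(name)
    return {uid: srcs for uid, srcs in seen.items() if len(srcs) > 1}


def find_unresolvable(am_records, sources):
    """Classify AM71 records whose backing directory entry is gone or re-created.

    Returns a list of (userid, source, status) where status is
    'recreated' (same user ID, different GUID: the delete-and-re-create case)
    or 'missing' (user ID no longer returned by the source at all).
    """
    result = []
    for rec in am_records:
        live = {u["userid"]: u["guid"] for u in sources.get(rec["source"], [])}
        if rec["userid"] not in live:
            result.append((rec["userid"], rec["source"], "missing"))
        elif live[rec["userid"]] != rec["guid"]:
            result.append((rec["userid"], rec["source"], "recreated"))
    return result


def find_email_clashes(sources):
    """Return {email: [source names]} for e-mail values shared across sources.

    An empty result means mapping users on e-mail address instead of user ID
    would remove the user ID clashes without renaming anyone.
    """
    emails = defaultdict(list)
    for name, users in sources.items():
        for u in users:
            emails[u["email"].lower()].append(name)
    return {e: s for e, s in emails.items() if len(s) > 1}


if __name__ == "__main__":
    print("user ID clashes:", find_userid_clashes(CURRENT_SOURCES))
    print("unresolvable AM71 records:", find_unresolvable(AM_RECORDS, CURRENT_SOURCES))
    print("e-mail clashes:", find_email_clashes(CURRENT_SOURCES))
```

With the constructed data, jsmith is reported both as a cross-source clash (corp-ad and partner-ldap) and as a re-created user in corp-ad, which is the case the cleanup task below may not resolve on its own; bold is reported as missing, which the cleanup task is designed to remove.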

Resolution
If the cleanup tasks described below cannot find the stale record, the attached PDF gives a specific LDAP filter for locating the user ID. This situation arises when the user ID has been given a new GUID, as happens when the user is deleted and then re-created in Active Directory:
https://knowledge.rsasecurity.com/patches/attach/a54426.pdf

Depending on the particular circumstances, there are a number of ways to address this type of issue.


Manually change the user IDs
The simplest option is for the administrator to alter the user ID of one of the two users. If a second employee with the same name is being added, there may already be a general naming policy for this, such as "jsmith", "jsmith1", "jsmith2" and so on.


Map users with email addresses
A second possibility is to add the LDAP identity sources with a different mapping for the user ID, selecting the email address attribute to represent each user. Outside a test environment it is extremely unlikely that two LDAP users share the same email address.


Allow duplicate user IDs (note: this is relevant for administrative logins, not for agent authentications)
You may set a flag in AM71 to allow duplicate user ID values. This is done in the Security Console under Setup > Authentication Methods by enabling the Non-Unique User IDs checkbox. The duplicate user IDs are then allowed and the AM71 administrator can administer and assign tokens in the usual way, but at the point when the individual users actually authenticate you still need some way to differentiate between the two users (logon aliases may be used here; see solution a41718 for details on how to set these up).


Fix a wrongly created user
This is still manual intervention, but in some cases it will not be obvious why the duplicate user exists. From the Security Console select User > Manage Existing, click the option to search for users across all identity sources, then search for a user with a User ID of "jsmith". The results list the user's details in every identity source where the user ID is found, so you can see which record is the stale or unexpected one and take the appropriate action.


Run the background task 'Synchronize with Identity Sources'
This task can be found under Setup > Component Configuration > General. It removes records of users who no longer exist in an external identity source (such as Microsoft Active Directory) but for whom RSA Authentication Manager still holds data (such as a token assignment). Make a database backup before running this cleanup job, in case it deletes information you do not want deleted.


SP4 updated information
SP4 has different options for this than previous versions. From the Security Console:
Setup > Identity Sources > Clean Up Unresolvable Users
and
Setup > Identity Sources > Schedule Cleanup

The second option is more thorough, but requires knowing the current time on the Primary and scheduling the cleanup to run at a time in the future.


See also: Principal with userid already exists in the realm
Legacy Article ID: a41797
