000011632 - Unable to add or manage user in RSA Authentication Manager; getting the error:  The specified ID is already in use by unresolveable user within this realm

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 22, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000011632
Applies ToRSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 7.1 SP4, 8.x
 
IssueWhen an RSA administrator tries to manage a user (for example, when assigning a token), one the following errors display:
The specified ID is already in use by an unresolvable user within this realm

The specified ID is already in use by un-resolvable user within this realm

Principal with userid already exists in the realm: <username>

Cannot add or manage a user with user ID <UserID>. User IDs must be unique within a deployment. 
This user ID is already in use.

Account is locked out of emergency authentication Error 
This is a read only external LDAP identity Source read-only


 
ResolutionThere could be multiple reasons for these errors to display.
  1. There are multiple entries for the same user in different identity sources.  To check this, run a search for the specific user ID across all identity sources:
    1. Login to to the Security Console.
    2. Select Identity > Users > Manage Existing.
    3. Under Search Criteria, click on Search for users across all identity sources.
    4. Enter the user ID and run the search.
    5. If you get multiple results for the same user, delete all of them except for the required user entry.
  2. An issue with an unresolvable user in the LDAP.  To check this, 
    1. Generate a report of Users and Groups No Longer in Identity Source (Reporting > Reports > Add New > Users and Groups No Longer in Identity Source), selecting the correct external identity source when configuring the report. 
    2. Confirm the users listed in the report. 
    3. If using RSA SecurID Appliance 3.0 SP4, select Setup > Identity Sources > Clean Up Unresolvable Users.
    4. If using RSA SecurID Appliance 3.0 SP2, select  Setup > General > Component Configuration.
    5. If using Authentication Manager 8.1, select Setup >  Identity SourcesClean Up Unresolvable Users.
    6. Synchronize with Identity Source field.
    7. Select Force system to delete all users and groups from the internal database that no longer exist in the external identity source.
  3. If the cleanup does not remove the unresolvable user, modify the LDAP identity source mapping to exclude the user.  If you had a user named Jane Smith in your external identity source whom you could not manage or delete, do the following:
    1. Open the Operations Console and navigate to Deployment Configuration > Identity Sources > Manage Existing.  
    2. From the drop down next to the affected identity source name, choose Edit.  
    3. Click on the Map tab.  
    4. Scroll to the Directory Configuration - Users section.
    5. Change the default search filter from what is shown here:
(&(objectClass=User)(objectcategory=person))

to this:

 

(&(objectClass=User)(objectcategory=person)(!(samAccountName=<user name>)))

where, <user name> is the name of the affected user.  For example,

 

(&(objectClass=User)(objectcategory=person)(!(samAccountName=Jane.Smith)))

  1. Redo the steps in Item 2, to run the cleanup for unresolveable users and remove or clean up any entries for Jane Smith that you could not remove before.  When done, remove the filter in your LDAP map, changing it back to:
(&(objectClass=User)(objectcategory=person))
Legacy Article IDa54426

Attachments

    Outcomes