000013078 - Appliance 3.0/AM 7.1 - no longer able to authenticate external identity source user tokens after administrator binddn password changed in AD

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000013078
Applies To: SecurID Appliance 3.0
AM 7.1
Issue: Appliance 3.0/AM 7.1 - no longer able to authenticate external identity source user tokens after administrator binddn password changed in AD
An Active Directory identity source is in use, and the bind password for that identity source was changed in AD.  After going into the Operations Console and correcting the bind DN password, all users can again be seen, but all tokens previously assigned to users in that identity source no longer work.  When a token is unassigned and reassigned, the Security Console does not allow the operation.
Resolution

To correct the problem:

First, run the "Missing from Identity Source" report to isolate which users are currently affected:

Reporting->Reports->Add New

Scroll and select to run the "Users and user groups missing from Identity Source" report.

Authentication Manager 7.1 tracks LDAP users by DN first and by an external GUID second.  If a user is moved outside the scope in which the user record was created, neither lookup succeeds, and the report lists the users that hold the resulting orphaned references.

Once that is done, this report needs to be reviewed carefully.

Once you understand which users will be affected, run a job through the Security Console to delete the orphaned references:

Setup -> Component configuration -> General
Check "Force system to delete all users and groups from the internal database that no longer exist in the external identity source"

Schedule the job to run.  If running it ad hoc, have the job expire the same day.

Once this job completes, you will be able to reassign the lost tokens.


Notes: When a user is changed outside the scope in which the user record was created, an orphaned reference remains in the internal database.  It is that reference that must be deleted.
If using an AD external identity source in read-only mode, the bind account only needs read rights to AD.  It is not necessary to use the administrator account.  The AD bind DN should be a dedicated account whose password is set to never expire.  Do not change this read-only bind account's password.
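The following PowerShell is an added example, not RSA's code or part of this article, showing how an AD administrator can implement the note above: create a dedicated, read-only bind account with a password that never expires, confirm the flags, and verify that a simple bind with that account's DN succeeds before entering it in the Operations Console. The account name, OU, domain and domain controller hostname are assumptions to replace with your own values.

```powershell
# Added example (not RSA's code): dedicated, non-expiring, read-only AD bind account
# for the Authentication Manager identity source, plus a simple-bind check.
Import-Module ActiveDirectory

$BindAccount = 'svc-rsa-ldapbind'                        # assumed account name
$BindOU      = 'OU=Service Accounts,DC=example,DC=com'   # assumed OU
$DomainDns   = 'example.com'                              # assumed domain
$DcHost      = 'dc01.example.com'                         # assumed domain controller
$UseLdaps    = $true                                      # LDAPS keeps the bind password off the wire

# Enter the password once, store it in your secret store, then set it as the identity
# source bind password in the Operations Console. Never reuse an administrator password.
$Password = Read-Host -AsSecureString -Prompt 'Bind account password'

# Plain domain user: default read access to the directory is all the identity source needs.
# Do not add this account to any privileged group.
New-ADUser -Name $BindAccount `
    -SamAccountName $BindAccount `
    -UserPrincipalName "$BindAccount@$DomainDns" `
    -Path $BindOU `
    -AccountPassword $Password `
    -Enabled $true `
    -PasswordNeverExpires $true `
    -CannotChangePassword $true `
    -Description 'RSA Authentication Manager LDAP bind (read-only)'

# Confirm the flags that keep the bind password stable, and review group membership.
Get-ADUser -Identity $BindAccount -Properties PasswordNeverExpires, CannotChangePassword, PasswordLastSet, MemberOf |
    Select-Object SamAccountName, Enabled, PasswordNeverExpires, CannotChangePassword, PasswordLastSet, MemberOf

# Verify a simple bind (DN + password), which is the bind type the identity source performs.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$bindDn = (Get-ADUser -Identity $BindAccount).DistinguishedName
$plain  = [System.Net.NetworkCredential]::new('', $Password).Password
$port   = if ($UseLdaps) { 636 } else { 389 }
$ident  = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($DcHost, $port)
$conn   = New-Object System.DirectoryServices.Protocols.LdapConnection($ident)
$conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
$conn.SessionOptions.SecureSocketLayer = $UseLdaps
try {
    $conn.Bind([System.Net.NetworkCredential]::new($bindDn, $plain))
    Write-Output "Bind succeeded as $bindDn; use this DN as the identity source bind DN."
} catch {
    Write-Output "Bind failed: $($_.Exception.Message)"
} finally {
    $conn.Dispose()
}
```

Use the DN printed by the bind check as the identity source's bind DN. With the account dedicated to this purpose and excluded from password rotation policy, the administrator password can be rotated freely without the identity source losing its bind.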
Legacy Article ID: a48801
