|Applies To||SecurID Appliance 3.0|
|Issue||Appliance 3.0/AM 7.1 - no longer able to authenticate external identity source user tokens after administrator binddn password changed in AD|
An AD identity source is in use. The identity source bind password was changed in AD. After going into the Operations Console and correcting the binddn password, all users can again be seen, but all tokens previously assigned to users in that identity source no longer work. When the token is deleted and reassignment is attempted, the operation is not allowed in the Security Console.
To correct the problem:
First, run the "Missing from Identity Source" report to isolate which users are currently affected:
Scroll and select to run the "Users and user groups missing from Identity Source" report.
Authentication Manager 7.1 tracks users in LDAP by DN first and by external GUID second. If a user has been moved outside the scope in which the reference was created, the report shows which users hold the orphaned references.
Once that is done, this report needs to be reviewed carefully.
Once you understand which users will be affected, you can run a job to delete the orphaned references through the security console:
Setup -> Component configuration -> General
Schedule the job to run. If running it ad hoc, have the job expire the same day.
Once this job completes, you will be able to reassign the lost tokens.
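The following is an added illustration, not Authentication Manager code: it models the DN-first, GUID-second lookup described above on constructed data, shows which references the report would flag as orphaned (and the tokens stuck on them), and what the cleanup job frees. All DNs, GUIDs, user ids and token serials are constructed.

```python
"""Constructed model of how the 'Users and user groups missing from Identity
Source' report finds orphaned references. Not AM code: it only reproduces the
lookup order the article describes (DN first, external GUID second)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class InternalRef:
    user_id: str   # internal user id (constructed)
    dn: str        # DN recorded when the user was first linked
    guid: str      # external GUID recorded alongside the DN
    tokens: tuple  # token serials assigned to this reference (constructed)


# Constructed view of the AD identity source as AM currently reads it;
# only objects inside the identity source's configured scope are visible.
AD_VISIBLE = {
    "CN=alice,OU=Staff,DC=example,DC=com": "guid-0001",
    "CN=bob,OU=Eng,DC=example,DC=com": "guid-0002",  # bob moved within scope
}

INTERNAL_REFS = (
    InternalRef("u1", "CN=alice,OU=Staff,DC=example,DC=com", "guid-0001", ("000100000001",)),
    InternalRef("u2", "CN=bob,OU=Staff,DC=example,DC=com", "guid-0002", ("000100000002",)),
    # carol was moved to an OU outside the identity source scope
    InternalRef("u3", "CN=carol,OU=Staff,DC=example,DC=com", "guid-0003", ("000100000003",)),
)


def resolve(ref, visible):
    """Apply the described lookup order: DN first, then external GUID."""
    if visible.get(ref.dn) == ref.guid:
        return "ok"
    if ref.guid in visible.values():
        return "resolved-by-guid"  # DN changed, but the object is still in scope
    return "orphaned"              # neither DN nor GUID visible: stale reference


def missing_from_identity_source(refs, visible):
    """Mimic the report: orphaned references and the tokens stuck on them."""
    return {r.user_id: list(r.tokens) for r in refs if resolve(r, visible) == "orphaned"}


def delete_orphans(refs, visible):
    """Mimic the cleanup job: drop orphaned references, returning the freed tokens."""
    kept = tuple(r for r in refs if resolve(r, visible) != "orphaned")
    freed = [t for r in refs if resolve(r, visible) == "orphaned" for t in r.tokens]
    return kept, freed


if __name__ == "__main__":
    print(missing_from_identity_source(INTERNAL_REFS, AD_VISIBLE))
    print(delete_orphans(INTERNAL_REFS, AD_VISIBLE)[1])
```

Tokens tied to an orphaned reference stay blocked until the reference itself is deleted, which is why reassigning them fails before the cleanup job has run.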
|Notes||When a user is changed outside of scope as created, an orphaned reference will exist in the internal database. It is that reference that must be deleted.|
If using an AD external identity source in read-only mode, you only need read rights to bind to AD. It is not necessary to use the administrator account. The AD binddn should be a fixed account that is set to never expire. Do not change this read-only bind account password.
|Legacy Article ID||a48801|