000014605 - Unable to unlink or edit a missing/dead identity source that authenticates to global catalog (GC) from a realm in RSA Authentication Manager 8.x

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support on Apr 16, 2019
Version 3Show Document
  • View in full screen mode

Article Content

Article Number000014605
Applies ToRSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition:  8.x
Issue
  • One identity source that authenticates to a global catalog died and is never coming back online.  This identity source needs to be unlinked and deleted from the realm.  The following error displays when trying to unlink the missing identity source that authenticates to a GC:

One or more of the identity sources that use the runtime identity source as a referral are not part of the realm.
 


  • The following error displays when trying to list tokens:

identity source unable to connect detail


  • The domain controller died, and it cannot be unlinked from a realm
  • Unable to edit the identity source Map page because the actual machine is unavailable.
CauseYou cannot unlink just one identity source from the realm.  You can only unlink all of them that authenticate to the same global catalog.
Resolution

You need to edit the missing identity source then go to the Map page and deselect Authenticate users to a global catalog.but if the machine is dead or otherwise unreachable, it won't let you make any of the changes, so you need to fake-out the Operations Console by completing the steps below:  



  1. Login to the Operations Console and select Deployment Configuration > Identity Source > Manage Existing.   
  2. From the drop down for the identity source, choose Edit.
  3. Change the Directory URL to point to an actual existing and reachable identity source. It can be one of the other ones you currently use, as long as the machine is up and reachable.
    1. Now, go to the Map tab, and  deselect the option to Authenticate users to a global catalog.
    2. Click Save when done.
  4. Login to Security Console and navigate Setup > Identity Sources > Link Identity Source to System.
  5. Highlight the correct identity source on the right Linked box and using the arrow keys, move it to the Available box.
  6. Click Save when done. 
  7. Now you should be able to list tokens.
  8. To delete the identity source for good, run a cleanup job via the Security Console

  • For Authentication Manager 7.1 navigate to Setup > Component Configuration > General > Synchronize with Identity Sources.
  • For Authentication Manager 8.x navigate to Setup > Identity Sources > Cleanup Unresolvable Users.

  1. Finally, you can delete the identity source from the Operations Console.
Notes

Simple example scenario



  • DC1 is an identity source that is the GC.
  • DC2 is an identity source that authenticates to DC1.
  • DC3 is an identity source that authenticates to DC1.
  • DC1, DC2 and DC3 are linked to the same realm.
  • DC2 dies and the decision is made to just forget about it and get rid of it.

In the scenario above you cannot list tokens and you cannot unlink just DC2 to get ready to delete it. You are stuck trying to unlink DC2 to clean up this situation so you can get back to managing users and tokens normally.

Legacy Article IDa46615

Attachments

    Outcomes