000014605 - AM7.1-Unable to unlink or edit a missing/dead identity source that authenticates to GC from a realm

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000014605
Applies To: AD identity source that authenticates to a global catalog
Issue: One identity source [that authenticates to a global catalog] has died and is never coming back online, and you need to unlink and delete this identity source from a realm.

Error when trying to unlink a missing identity source [that authenticates to a global catalog] from a realm: One or more of the identity sources that use the runtime identity source as a referral are not part of the realm

You cannot unlink just one identity source from the realm; you can only unlink all of the identity sources that authenticate to the same global catalog (GC).
Error when trying to list tokens: identity source unable to connect detail
The domain controller died and cannot be unlinked from a realm.
Unable to edit the identity source map page because the actual machine is unavailable, dead, or unreachable.
Resolution

Go to the Operations Console, edit the missing identity source, go to the map page, and deselect Authenticate users to a global catalog...

BUT... if the machine is dead or otherwise unreachable, the Operations Console won't let you make any of these changes, so you need to fake it out as follows:

1) In the Operations Console, edit the identity source.

2) Change the LDAP URL to point to an actual existing and reachable identity source. It can be one of the other ones you currently use, as long as the machine is up and reachable.

2a) Now go to the map page, where you can deselect Authenticate users to a global catalog. Save that.

3) Then go to the Security Console, unlink that one identity source from the realm, and save that. First problem solved.

[the error when unlinking from realm: One or more of the identity sources that use the runtime identity source as a referral are not part of the realm]

3a) Now you should be able to list tokens. Second problem solved.

[the error when listing tokens: identity source unable to connect detail]

4) To delete this identity source for good, run a cleanup job (Security Console, setup, component configuration, general, Synchronize with Identity Sources...).

5) Finally, delete the identity source from the Operations Console.

Notes

NOTE: A simple example scenario:

DC1 is an identity source that is the GC

DC2 is an identity source that auths to DC1

DC3 is an identity source that auths to DC1

DC1, DC2 and DC3 are linked to the same realm.

DC2 croaks, and the decision is made to just forget about it and get rid of it.

---------------------------------------------------------------------------------------------

Now you have these problems:

You cannot list tokens, and you cannot unlink just DC2 to get ready to delete it. You are stuck trying to unlink this single identity source DC2 to clean up this situation so you can get back to managing users and tokens normally.

 


NOTE: This was logged by CE as FAD (Functions as Designed).
Legacy Article ID: a46615
