000029788 - Unable to unassign RSA SecurID token or assign token to another user in RSA Authentication Manager Security Console

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support on Dec 11, 2019
Version 4Show Document
  • Comment0
  • View in full screen mode

Article Content

Article Number000029788
Applies ToRSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x
IssueAn RSA administrator is unable to unassign a token from a user or reassign the token to a new user due to the following error:
 


There was a problem processing your request. 


Cannot add or manage a user with user ID com.rsa.common.InvalidArgumentException: Duplicate user ID. User IDs must be unique within an identity source. This user ID is already in use by a user in this identity source.
 


Unassign failure in GUI
 

Token details show the token is assigned to <Unknown>. The user to whom the token was previously assigned was a user in the external identity source who no longer exists.  The token showing as assigned to the <unknown>user happens when the user is deleted from the external identity source before her token was unassigned.  
 
Report output


To avoid this error, admins for the external identity source should always advise RSA admins when users are being deleted from the external identity source so the RSA admin can unassign the token from the end user before she is deleted.

Actions performed



  1. From the Operations Console, selected Deployment Configuration > Identity Sources > Manage Existing.
  2. Select the identity source in which the user lives and click the arrow next to the identity source name.  Choose Edit.
  3. Click on the Map tab.
  4. Scroll to the section heading labeled Directory Configuration - Users
  5. Edit the search filter to block the problem user ID using the following filter:  

(&(objectClass=User)(objectcategory=person)(!(samaccountname=userid)))

where userid is the user who is no longer in the external identity source. 
 

Running these steps causes a failure to search for users in the Security Console under Identity > Users > Manage Existing when defining the external identity source as the location to be searched.  Performing the manual Clean Up Unresolvable Users job in the Security Console under Setup > Identity Sources > Clean Up Unresolvable Users also does not correct the issue.
CauseThe user in the external identity source has an illegal character such as @ in the loginuid.  For example, testuser@RSA.
ResolutionTo properly resolve the issue login directly to the PostgreSQL database to manipulate the row.  
  1. First, ensure that SSH access is enabled from the Operations Console > Administration > Operating System Access > check the option to enable SSH on eth0 and click Save.  
  2. Launch an SSH client, such as PuTTY.
  3. Login to the primary Authentication Manager server as rsaadmin and enter the operating system password.

Note that during Quick Setup another user name may have been selected. Use that user name to login.




login as: rsaadmin 
Using keyboard-interactive authentication. 
Password: <enter OS user password>
Last login: Tue Apr 7 13:47:05 2015 from xxx.xxx.xxx.xxx


  1. Navigate to /opt/rsa/am/utils.
  2. Capture the database user password by running ./rsautil manage-secrets -a get com.rsa.db.dba.password.  You will be prompted to enter the Operations Console user ID and password.  Make a note of this password.  You will need it later.


RSA Authentication Manager Installation Directory: /opt/rsa/am 
rsaadmin@testam81pri:~> <pre class="ckeditor_codeblock">
rsaadmin@ testam81pri:/opt/rsa/am/utils> ./rsautil manage-secrets -a get com.rsa.db.dba.password 
Please enter OC Administrator username: <enter Operations Console administrator user name>
Please enter OC Administrator password: <enter Operations Console administrator password>
com.rsa.db.dba.password: <the database password will display here>


  1. Navigate to ../pgsql/bin.
  2. Connect to the SQL database using the database password from step 5.


rsaadmin@ testam81pri:/opt/rsa/am/pgsql> cd ../pgsql/bin/
rsaadmin@ testam81pri:/opt/rsa/am/pgsql/bin> ./psql -h localhost -p 7050 -d db -U rsa_dba 
Password for user rsa._dba: <enter the database password captured above>


  1. From the Security Console, navigate to Authentication > SecurID Tokens > Manage Existing.  Search for any token that has been assigned to the  <unknown> userID.
  2. From the SSH session, run the following command to verify that the token is not associated with any user and then delete the orphaned user from database directly:

SELECT * FROM rsa_rep.ims_principal_data p WHERE id=(SELECT t.principal_id FROM rsa_rep.am_token t WHERE t.serial_number='<token_serial_number>');

Note that token_serial_number is a value that is keyed in based on the search of tokens done above.


  1. If any results are found, they can be deleted with the command below:

DELETE FROM rsa_rep.ims_principal_data p WHERE id=(SELECT t.principal_id FROM rsa_rep.am_token t WHere t.serial_number='<token_serial_number>');



Note that token_serial_number is a value that is keyed in based on the search of tokens done above.


For example,

db=# SELECT * FROM rsa_rep.ims_principal_data p WHERE id=(SELECT t.principal_id FROM rsa_rep.am_token t WHERE t.serial_number='000123456789');
(1 rows)

 


db=# DELETE FROM rsa_rep.ims_principal_data p WHERE id=(SELECT t.principal_id FROM rsa_rep.am_token t WHERE t.serial_number='000123456789');
DELETE 1


This should remove the problematic user from the system and allow the token to be assigned to any user.







 

Attachments

    Outcomes