000029958 - Authentication Manager 8.1 users with same name fail authentication with the error "Principal not found" after being moved in an external identity source

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 3

Article Content

Article Number: 000029958
Applies To: RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.1
Issue: Symptom: authentication fails with the error "Principal not found" after users with the same name (e.g., Aaron Smith) are moved in AD.

Replication will also break when this happens; see KB 000029638, "Replica attaches but replication fails FATAL: terminating connection due to administrator command ... failed to apply change [table] ims_principal_data Last Applied Chgset Id: 52214 Last Received (from replica) ERROR: duplicate key value violates unique constraint ... already exists. Authentication Failures with Principal Not Found".
Cause: Two users with the same name (same Common Name, CN) but different Distinguished Names (DN), because they sit in different OUs of the same LDAP directory. Both work fine until the first one is renamed and the other is moved into the first one's OU on the same day, so that the second user takes over the DN the first user had before Authentication Manager has learned the rename.
Start:
User 1 = CN=Aaron Smith, ou=AT, dc=vcloud, dc=local
    DN = CN=Aaron Smith,OU=AT,OU=vcloud Users,DC=2k8r2-vcloud,DC=local
User 2 = CN=Aaron Smith, ou=AU, dc=vcloud, dc=local
    DN = CN=Aaron Smith,OU=AU,OU=vcloud Users,DC=2k8r2-vcloud,DC=local
 
I assigned fixed passcodes so the users would be registered in Authentication Manager, and I logged into the Self-Service Console (SSC) to change the fixed passcode, but did not answer the security questions.
First step: rename User 1 in AD (right-click, Rename, OK):
User 1 = CN=Aaron A. Smith, ou=AT, dc=vcloud, dc=local
    DN = CN=Aaron A. Smith,OU=AT,OU=vcloud Users,DC=2k8r2-vcloud,DC=local
User 2 = CN=Aaron Smith, ou=AU, dc=vcloud, dc=local
    DN = CN=Aaron Smith,OU=AU,OU=vcloud Users,DC=2k8r2-vcloud,DC=local
 
Second step: move User 2 into OU=AT. User 2 now has the DN that User 1 had at the beginning:

User 1 = CN=Aaron A. Smith, ou=AT, dc=vcloud, dc=local
    DN = CN=Aaron A. Smith,OU=AT,OU=vcloud Users,DC=2k8r2-vcloud,DC=local
User 2 = CN=Aaron Smith, ou=AT, dc=vcloud, dc=local
    DN = CN=Aaron Smith,OU=AT,OU=vcloud Users,DC=2k8r2-vcloud,DC=local
Log in as ASmithAU (User 2) first: it fails with "Principal not found".
Try logging in as ASmithAT (User 1): same error.
Work-around: rename the user who is moving, not the user who stays.
Resolution: 1. Modify the external LDAP identity source's user search filter (Security Console - Setup - Identity Sources, Map tab) to filter out the affected user (jguillette in this example) by adding a NOT clause on sAMAccountName,

     (!(samAccountName=jguillette))

to the default (current) user search filter of

     (objectClass=User)(objectcategory=person)

so that you have

      (&(objectClass=User)(objectcategory=person)(!(samAccountName=jguillette)))

Note the clause needs both closing parentheses; an unbalanced filter is rejected by the directory and the identity source stops returning users.

2. Run a Cleanup job on the Security Console - Setup - Identity Sources. With the user excluded by the filter, Authentication Manager can no longer resolve that user, and the Cleanup job removes the stale internal record that still carries the old DN.

3. Remove the NOT samAccountName clause from the user search filter and change it back to your default, e.g.

     (objectClass=User)(objectcategory=person)

Afterwards, check the user's token or fixed passcode assignment and reassign it if the cleanup removed it.
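The filter edit in step 1 is easy to get wrong by one parenthesis, and the value you splice in is a login name, so it should be escaped as LDAP data. The script below is an added example, not RSA code: it parses a search filter the way an LDAP server would (RFC 4515 syntax), rejects the unbalanced form, composes the combined filter from the article's default one, and escapes the sAMAccountName value. The attribute and user names are the article's; the parser, function names and the treatment of the bare two-item default as an implicit AND (which is what step 1 does when it wraps everything in `(&...)`) are this example's own.

```python
"""RFC 4515 filter check and composition for the Resolution's user search filter.

Added example, not RSA code.  Parses a filter as an LDAP server would, so an
unbalanced "(!(samAccountName=jguillette)" is caught before it reaches the
identity source, and builds the combined filter from the article's default.
"""
import re

# attribute, comparison operator, value (value may not contain bare parentheses)
_ITEM = re.compile(r"([A-Za-z][A-Za-z0-9.;-]*)(~=|>=|<=|=)([^()]*)")


class FilterError(ValueError):
    """Raised for a filter an LDAP server would reject as malformed."""


def _parse(s, i):
    """Parse one parenthesised filter starting at offset i; return (node, next_offset)."""
    if i >= len(s) or s[i] != "(":
        raise FilterError(f"expected '(' at offset {i}")
    i += 1
    if i >= len(s):
        raise FilterError("unterminated filter")
    if s[i] in "&|":                       # AND / OR over one or more sub-filters
        op, i, items = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            item, i = _parse(s, i)
            items.append(item)
        if not items:
            raise FilterError(f"empty {op!r} at offset {i}")
        node = (op, items)
    elif s[i] == "!":                      # NOT over exactly one sub-filter
        item, i = _parse(s, i + 1)
        node = ("!", item)
    else:                                  # simple item: attr op value
        m = _ITEM.match(s, i)
        if not m:
            raise FilterError(f"bad filter item at offset {i}")
        attr, op, value = m.groups()
        node, i = (op, attr, value), m.end()
    if i >= len(s) or s[i] != ")":
        raise FilterError(f"expected ')' at offset {i}")
    return node, i + 1


def parse_sequence(text):
    """Parse one filter, or the bare item sequence the console shows as its
    default, which is treated as an implicit AND (as the article's step 1 does)."""
    items, i, text = [], 0, text.strip()
    while i < len(text):
        if text[i].isspace():
            i += 1
            continue
        node, i = _parse(text, i)
        items.append(node)
    if not items:
        raise FilterError("empty filter")
    return items[0] if len(items) == 1 else ("&", items)


def is_valid(text):
    """True only for a single, complete, balanced RFC 4515 filter."""
    t = text.strip()
    try:
        _node, end = _parse(t, 0)
        return end == len(t)
    except FilterError:
        return False


def to_text(node):
    """Serialise a parsed filter back to RFC 4515 text."""
    op = node[0]
    if op in ("&", "|"):
        return "(" + op + "".join(to_text(n) for n in node[1]) + ")"
    if op == "!":
        return "(!" + to_text(node[1]) + ")"
    return f"({node[1]}{op}{node[2]})"


def escape_value(value):
    """RFC 4515 escaping: *, (, ), backslash and NUL become \\xx so a login name stays data."""
    return "".join(f"\\{ord(c):02x}" if c in "*()\\\x00" else c for c in value)


def exclude_user(current_filter, sam_account_name):
    """Return current_filter with (!(samAccountName=<name>)) ANDed in."""
    root = parse_sequence(current_filter)
    clause = ("!", ("=", "samAccountName", escape_value(sam_account_name)))
    root = ("&", root[1] + [clause]) if root[0] == "&" else ("&", [root, clause])
    return to_text(root)


if __name__ == "__main__":
    print(is_valid("(!(samAccountName=jguillette)"))   # the article's one-paren slip
    print(exclude_user("(objectClass=User)(objectcategory=person)", "jguillette"))
```

`is_valid` is deliberately strict: the bare two-item default the console shows is not itself one RFC 4515 filter, which is why step 1 wraps the whole thing in `(&...)`; `parse_sequence` accepts that bare form and `exclude_user` produces exactly the combined filter shown in step 1. Paste the output of `exclude_user` into the Map tab rather than hand-editing parentheses, and keep the original filter text so step 3 is a plain restore.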
Workaround: If you rename the user who is being moved (User 2) instead of the user who stays (User 1), you do not get the duplicate user problem, only a warning in the Security Console that it is a read-only identity source. The two users will never have had the same DN.
Alternatively, wait a day between renaming the first user and moving the second user into the same OU, so that the scheduled Cleanup job lets Authentication Manager learn the change to the first user's DN before the second user takes it over.
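The Cause walkthrough and the Workaround above come down to one ordering rule: no object may take a DN that Authentication Manager still associates with a different object until a cleanup has run. The script below is an added example, not RSA code, that checks a planned sequence of AD changes against that rule before you make them. It is a simplified model and an assumption about AM's behaviour (that learned users are keyed by DN and re-learned only by the cleanup job, which the duplicate-key error on ims_principal_data and the "wait a day" advice suggest); the two users and their GUIDs are constructed from the article's example, and the name "Aaron B. Smith" used when renaming User 2 is invented for illustration.

```python
"""Plan check for the rename/move sequence in the Cause and Workaround sections.

Added example, not RSA code.  Simplified model (an assumption): Authentication
Manager remembers each LDAP user under the DN it was learned with and only
re-learns DNs when the identity-source cleanup runs.  A live DN that AM still
binds to a different object is the condition this article describes; the
checker flags it for a planned sequence of AD changes.
"""
from dataclasses import dataclass

BASE = "OU=vcloud Users,DC=2k8r2-vcloud,DC=local"   # base DN from the article


@dataclass
class ADUser:
    guid: str   # stands in for objectGUID, which survives renames and moves
    sam: str    # sAMAccountName
    cn: str
    ou: str

    @property
    def dn(self) -> str:
        return f"CN={self.cn},OU={self.ou},{BASE}"


class Directory:
    """Just enough of AD to rename and move objects."""

    def __init__(self, users):
        self.users = {u.guid: u for u in users}

    def rename(self, guid, new_cn):
        self.users[guid].cn = new_cn

    def move(self, guid, new_ou):
        self.users[guid].ou = new_ou


class AMView:
    """What AM remembers between cleanups: DN -> object it was learned as."""

    def __init__(self, directory):
        self.directory = directory
        self.cleanup()

    def cleanup(self):
        """Re-learn every live DN; stale bindings are forgotten."""
        self.learned = {u.dn: u.guid for u in self.directory.users.values()}

    def collisions(self):
        """Live DNs that AM still binds to a different object: (dn, known_guid, actual_guid)."""
        return [(u.dn, self.learned[u.dn], u.guid)
                for u in self.directory.users.values()
                if self.learned.get(u.dn, u.guid) != u.guid]


def run_plan(ops, users=None):
    """Apply ops in order and return every DN collision seen along the way.

    ops items: ("rename", guid, new_cn), ("move", guid, new_ou) or ("cleanup",).
    Default users are the two Aaron Smiths from the article (constructed data).
    """
    directory = Directory(users or [
        ADUser("guid-1", "ASmithAT", "Aaron Smith", "AT"),
        ADUser("guid-2", "ASmithAU", "Aaron Smith", "AU"),
    ])
    am = AMView(directory)
    seen = []
    for op in ops:
        if op[0] == "rename":
            directory.rename(op[1], op[2])
        elif op[0] == "move":
            directory.move(op[1], op[2])
        elif op[0] == "cleanup":
            am.cleanup()
        else:
            raise ValueError(f"unknown op {op[0]!r}")
        for hit in am.collisions():
            if hit not in seen:
                seen.append(hit)
    return seen


if __name__ == "__main__":
    article_order = [("rename", "guid-1", "Aaron A. Smith"), ("move", "guid-2", "AT")]
    rename_mover = [("rename", "guid-2", "Aaron B. Smith"), ("move", "guid-2", "AT")]  # assumed name
    cleanup_between = [("rename", "guid-1", "Aaron A. Smith"), ("cleanup",), ("move", "guid-2", "AT")]
    for name, plan in [("article order", article_order), ("rename the mover", rename_mover),
                       ("cleanup in between", cleanup_between)]:
        print(f"{name}: {run_plan(plan) or 'no DN collision'}")
```

The article's order reports one collision, on CN=Aaron Smith,OU=AT, still bound to User 1 while User 2 now occupies it; renaming the mover first, or inserting a cleanup between the rename and the move, reports none, which matches the two workarounds. Running a planned batch of AD renames and moves through `run_plan` (with the real users substituted) before executing it is a cheap way to keep a same-day rename-and-move from reusing a DN.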
