|Applies To||RSA Product Set: SecurID|
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.1
|Issue||The Token Expiration Report hangs and does not complete.|
The List All User report takes a long time and does not complete.
Listing user groups in the Security Console gives the error:
"There was a problem processing your request.
Unexpected error during command com.rsa.admin.PagedSearchGroupsCommand execution."
Error : Batch entry 5 INSERT INTO AM_REPORT_TKN_EXP
Error : Batch entry 263 INSERT INTO AM_REPORT_TKN_EXP (REPORT_ID.
The token expiration report fails with a duplicate users error:
Error : Batch entry 263 INSERT INTO AM_REPORT_TKN_EXP (REPORT_ID, IDX, LOGINUID, FIRST_NAME, LAST_NAME, EMAIL, ACCOUNT_ENABLED, HAS_STATIC_PASSWORD, USER_ID_SOURCE, USER_SECURITY_DOMAIN, USER_LAST_UPDATED_ON, SERIAL_NUMBER, TOKEN_TYPE, IS_TOKEN_LOST, IMPORTED_ON, TOKEN_SHUTDOWN_DATE, TOKEN_TERM, ALGORITHM, IS_PINLESS, REPLACEMENT_STATUS, TOKEN_CODE_LENGTH, TOKEN_ENABLED, EA_MODE_TYPE, LAST_TFT_AUTH, TOKEN_SECURITY_DOMAIN, TOKEN_ASSIGNMENT_DATE, LAST_LOGIN_DATE, USER_GROUP, GROUP_DOMAIN_ID) VALUES ('1debae2e790b19ac1caa81594bd80c2b','263','jsnow','Snow','John','firstname.lastname@example.org','Yes','FALSE','Sync with HQ','SystemDomain','2014-06-19 11:35:28','000123456789','SecurID Software Token','FALSE','','2014-09-29 17:00:00','38 months','AES-TIME','FALSE','No Replacement','8','Yes','','2014-08-19 20:55:37','SystemDomain','2012-06-20 12:19:40','2014-08-19 20:55:37','admin, 295951, Citrix, Citrix-Support, HomeFolder_WINTERFELL, PCSupport, _SK, VDI_View_U...
A simple workaround is to use the Users with Token report and filter on the token expiration time. Be careful not to select account expiration. Also, the default is Last, so if you are looking for users with tokens that expire in the next 90 days, be sure to change that or you may end up with empty reports or unexpected results.
Open the Operations Console and navigate to Deployment Configuration > Identity Source > Mapping. Uncheck the box to Enable the use of the MemberOf attribute. Customers have confirmed that unchecking the box resolves the issue. Unchecking the option to use the MemberOf attribute switches from using memberOf to using the member attribute.
|Notes||This issue has been reported in defect AM-28040 and it is resolved in Authentication Manager 8.1 patch 4, scheduled for release in September 2014.|
Patch 4 includes a partial fix for AM-28040. A more complete fix (AM-28656) is expected in early 2015.
In its simplest implementation, round-robin DNS works by responding to DNS requests not with a single IP address but with a list of IP addresses of several servers that host identical services. The order in which IP addresses from the list are returned is the basis for the term round robin. The RSA identity source should be configured with the IP address of a single domain controller, not with a round-robin DNS name or a directory load balancer. An IP address belonging to round-robin DNS cannot be used in the identity source connection configuration.
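A pre-flight check for the round-robin guidance above, written as an added example and not taken from RSA: it classifies the host in an identity source LDAP URL as an IP literal, a name with one address, or a name that returns several addresses. The function names, the sample host names and the documentation-range addresses are assumptions constructed for the example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed sample data (documentation-range addresses, hypothetical names).
SAMPLE_DNS = {
    "corp.example.test": ["192.0.2.10", "192.0.2.11", "192.0.2.12"],
    "dc01.corp.example.test": ["192.0.2.10"],
}

def sample_resolver(host):
    """Offline stand-in for DNS; fails the way socket.getaddrinfo does."""
    if host not in SAMPLE_DNS:
        raise socket.gaierror("name not known")
    return list(SAMPLE_DNS[host])

def system_resolver(host):
    """Ask the local resolver and return the distinct addresses for host."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

def check_identity_source_url(url, resolver=system_resolver):
    """Classify the host of an LDAP URL as (verdict, addresses)."""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no host in URL: {url!r}")
    try:
        # An IP literal pins the connection to one server, as the note advises.
        return "ip-literal", [str(ipaddress.ip_address(host))]
    except ValueError:
        pass  # not an IP literal, so treat it as a DNS name
    try:
        addresses = resolver(host)
    except OSError:  # socket.gaierror is a subclass of OSError
        return "unresolvable", []
    if len(addresses) > 1:
        # Several records: round-robin DNS, or one multi-homed server.
        return "multiple-addresses", addresses
    return "single-address-name", addresses

if __name__ == "__main__":
    for url in ("ldap://192.0.2.10:389", "ldaps://corp.example.test:636",
                "ldap://dc01.corp.example.test:389"):
        print(url, *check_identity_source_url(url, sample_resolver))
```

A directory load balancer presents a single virtual IP, so this check cannot detect one; confirm separately that the configured address belongs to a domain controller.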
|Legacy Article ID||a66828|