000014542 - RSA Authentication Manager 8.1 token expiration report hangs and does not complete

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 4

Article Content

Article Number: 000014542
Applies To: RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.1
Issue
The Token Expiration Report hangs and does not complete.
The List All User report takes a long time and does not complete.
Listing user groups in the Security Console gives the error:

There was a problem processing your request.
Unexpected error during command com.rsa.admin.PagedSearchGroupsCommand execution.
Error : Batch entry 5 INSERT INTO AM_REPORT_TKN_EXP
Error : Batch entry 263 INSERT INTO AM_REPORT_TKN_EXP (REPORT_ID.

The token expiration report fails with a duplicate users error:
Error : Batch entry 263 INSERT INTO AM_REPORT_TKN_EXP (REPORT_ID, IDX, LOGINUID, FIRST_NAME, LAST_NAME, EMAIL, ACCOUNT_ENABLED, HAS_STATIC_PASSWORD, USER_ID_SOURCE, USER_SECURITY_DOMAIN, USER_LAST_UPDATED_ON, SERIAL_NUMBER, TOKEN_TYPE, IS_TOKEN_LOST, IMPORTED_ON, TOKEN_SHUTDOWN_DATE, TOKEN_TERM, ALGORITHM, IS_PINLESS, REPLACEMENT_STATUS, TOKEN_CODE_LENGTH, TOKEN_ENABLED, EA_MODE_TYPE, LAST_TFT_AUTH, TOKEN_SECURITY_DOMAIN, TOKEN_ASSIGNMENT_DATE, LAST_LOGIN_DATE, USER_GROUP, GROUP_DOMAIN_ID) VALUES ('1debae2e790b19ac1caa81594bd80c2b','263','jsnow','Snow','John','john.snow@winterfell.com.com','Yes','FALSE','Sync with HQ','SystemDomain','2014-06-19 11:35:28','000123456789','SecurID Software Token','FALSE','','2014-09-29 17:00:00','38 months','AES-TIME','FALSE','No Replacement','8','Yes','','2014-08-19 20:55:37','SystemDomain','2012-06-20 12:19:40','2014-08-19 20:55:37','admin, 295951, Citrix, Citrix-Support, HomeFolder_WINTERFELL, PCSupport, _SK, VDI_View_U...
Resolution
  1. Choose either Workaround 1 or Workaround 2, then move to step 2.
  • Workaround 1

A simple workaround is to use the Users with Token report and filter on the token expiration time. Be careful not to select account expiration. Also, the default is Last, so if you are looking for users with tokens that expire in the next 90 days, be sure to change that or you may end up with empty reports or unexpected results.

  • Workaround 2
Open the Operations Console and navigate to Deployment Configuration > Identity Source > Mapping. Uncheck the box Enable the use of the MemberOf attribute. Customers have confirmed that unchecking the box resolves the issue. Unchecking this option switches membership resolution from the users' memberOf attribute to the groups' member attribute. The three related mapping fields are:

  • Membership Attribute. The attribute of a user group that contains the DNs of all the users and user groups that are members of it.
  • User MemberOf Attribute. Enables the system to resolve membership queries by using the value specified for the MemberOf attribute.
  • MemberOf Attribute. The attribute of users and user groups that contains the DNs of the user groups to which they belong.
  2. Next, modify the identity source connection configuration by changing the User Group Base DN from dc=company,dc=net to something more specific, such as OU=remoteusers,OU=finance,DC=company,DC=net.
  3. From the Operations Console, select Maintenance > Flush Cache. Choose the option to flush the cache for all objects.
  4. Open the Security Console, select Reporting > Reports > Add New, and run the Token Expiration Report.
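The two membership-resolution paths that Workaround 2 switches between, and the effect of narrowing the User Group Base DN in step 2, can be seen on a small constructed directory. The example below is added here and is not RSA's code; the entries, group names and the Stale-Group inconsistency are constructed sample data, and only dc=company,dc=net and OU=remoteusers,OU=finance,DC=company,DC=net come from the article. It resolves each user's groups once from the user's memberOf values and once by scanning the in-scope groups' member lists, then reports where the two views disagree for a given base DN.

```python
# Added example (not RSA's code): resolves user-group membership from a
# constructed, in-memory LDAP-style directory two ways, mirroring the
# Identity Source mapping options in the article:
#   - via the users' memberOf attribute (User MemberOf Attribute enabled)
#   - via the groups' member attribute (option unchecked)
# and shows what narrowing the User Group Base DN leaves in scope.
from typing import Dict, List, Set

# Constructed directory: DN -> attributes. dc=company,dc=net is the sample domain
# from the article; every entry below is invented for this example.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "cn=jsnow,ou=users,dc=company,dc=net": {
        "objectClass": ["user"],
        "memberOf": [
            "cn=Citrix,ou=groups,dc=company,dc=net",
            "cn=PCSupport,ou=remoteusers,ou=finance,dc=company,dc=net",
            # constructed inconsistency: this group's member list no longer names jsnow
            "cn=Stale-Group,ou=groups,dc=company,dc=net",
        ],
    },
    "cn=astark,ou=users,dc=company,dc=net": {
        "objectClass": ["user"],
        "memberOf": ["cn=PCSupport,ou=remoteusers,ou=finance,dc=company,dc=net"],
    },
    "cn=Citrix,ou=groups,dc=company,dc=net": {
        "objectClass": ["group"],
        "member": ["cn=jsnow,ou=users,dc=company,dc=net"],
    },
    "cn=PCSupport,ou=remoteusers,ou=finance,dc=company,dc=net": {
        "objectClass": ["group"],
        "member": ["cn=jsnow,ou=users,dc=company,dc=net",
                   "cn=astark,ou=users,dc=company,dc=net"],
    },
    "cn=Stale-Group,ou=groups,dc=company,dc=net": {
        "objectClass": ["group"],
        "member": [],
    },
}


def in_scope(dn: str, base_dn: str) -> bool:
    """True if dn is base_dn or sits beneath it (case-insensitive, on an RDN boundary)."""
    dn_l, base_l = dn.lower(), base_dn.lower()
    return dn_l == base_l or dn_l.endswith("," + base_l)


def groups_in_scope(base_dn: str) -> List[str]:
    """Group DNs the identity source would see under the given User Group Base DN."""
    return sorted(dn for dn, attrs in DIRECTORY.items()
                  if "group" in attrs.get("objectClass", []) and in_scope(dn, base_dn))


def membership_via_member_of(user_dn: str, base_dn: str) -> Set[str]:
    """Groups taken from the user's own memberOf values (MemberOf option enabled)."""
    attrs = DIRECTORY.get(user_dn, {})
    return {g for g in attrs.get("memberOf", []) if in_scope(g, base_dn)}


def membership_via_member(user_dn: str, base_dn: str) -> Set[str]:
    """Groups found by scanning in-scope groups' member lists (MemberOf option unchecked)."""
    return {g for g in groups_in_scope(base_dn)
            if user_dn.lower() in (m.lower() for m in DIRECTORY[g].get("member", []))}


def membership_mismatches(base_dn: str) -> Dict[str, Set[str]]:
    """Users whose memberOf view disagrees with the groups' member view within base_dn.
    Returns user DN -> groups present in only one of the two views; {} means consistent."""
    mismatches: Dict[str, Set[str]] = {}
    for dn, attrs in DIRECTORY.items():
        if "user" not in attrs.get("objectClass", []):
            continue
        diff = membership_via_member_of(dn, base_dn) ^ membership_via_member(dn, base_dn)
        if diff:
            mismatches[dn] = diff
    return mismatches


if __name__ == "__main__":
    for base in ("dc=company,dc=net", "ou=remoteusers,ou=finance,dc=company,dc=net"):
        print(f"Base DN {base}: {len(groups_in_scope(base))} group(s) in scope")
        for user, diff in membership_mismatches(base).items():
            print(f"  memberOf/member disagree for {user}: {sorted(diff)}")
```

With the broad base DN the two views disagree for jsnow (memberOf still names Stale-Group); with the narrowed base DN only PCSupport is in scope and both views agree, which is the same reduction in scope the article's step 2 asks for.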
Notes
This issue has been reported in defect AM-28040 and is resolved in Authentication Manager 8.1 patch 4, scheduled for release in September 2014.
Patch 4 includes a partial fix for AM-28040. A more complete fix (AM-28656) is expected in early 2015.
In its simplest implementation, round-robin DNS works by answering a DNS request not with a single IP address but with a list of the IP addresses of several servers that host identical services; the order in which the addresses are returned rotates from one answer to the next, which is the basis for the term round robin. The RSA Identity Source should be configured with the IP address of a single domain controller, not with a round-robin DNS name or a directory load balancer. An IP address that is part of a round-robin DNS name cannot be used in the identity source connection configuration.
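A quick way to verify the note above before saving an identity source is to check whether the configured host value is already a single literal IP, and if it is a hostname, whether it resolves to more than one address (the signature of a round-robin name or a load-balancer VIP). The example below is added here and is not RSA's code; the resolver is injectable so the check can run offline, and the hostnames and RFC 5737 addresses in the stub are constructed sample data.

```python
# Added example (not RSA's code): pre-flight check of an Identity Source host.
# Flags a hostname that resolves to several addresses (round-robin DNS or a
# load balancer fronting several directory servers) and reports whether the
# value is already a single literal IP, which is what the article recommends.
import ipaddress
import socket
from typing import Callable, Dict, List


def resolve_addresses(host: str, resolver: Callable = socket.getaddrinfo) -> List[str]:
    """Distinct IP addresses the host resolves to, in the order the resolver returned them."""
    seen: List[str] = []
    # getaddrinfo yields (family, type, proto, canonname, sockaddr); sockaddr[0] is the IP.
    for _family, _type, _proto, _canon, sockaddr in resolver(host, None):
        ip = sockaddr[0]
        if ip not in seen:
            seen.append(ip)
    return seen


def check_identity_source_host(host: str, resolver: Callable = socket.getaddrinfo) -> Dict[str, object]:
    """Classify the configured host: literal IP (fine), single-address name, or multi-address name."""
    try:
        ipaddress.ip_address(host)          # raises ValueError for anything that is not a literal IP
        return {"host": host, "literal_ip": True, "addresses": [host], "single_target": True}
    except ValueError:
        pass
    addresses = resolve_addresses(host, resolver)
    return {"host": host, "literal_ip": False, "addresses": addresses,
            "single_target": len(addresses) == 1}


# Constructed DNS answers for the example (RFC 5737 documentation addresses; not real hosts).
FAKE_DNS: Dict[str, List[str]] = {
    "dc01.company.example": ["192.0.2.10"],                                 # one domain controller
    "ldap.company.example": ["192.0.2.10", "192.0.2.11", "192.0.2.12"],     # round-robin name
}


def fake_getaddrinfo(host: str, port, *args, **kwargs):
    """Stand-in for socket.getaddrinfo that answers from FAKE_DNS (constructed data)."""
    if host not in FAKE_DNS:
        raise socket.gaierror(f"constructed resolver: unknown host {host}")
    # Real resolvers often repeat each address once per socket type; mimic that so the
    # de-duplication in resolve_addresses is exercised.
    return [(socket.AF_INET, sock_type, 0, "", (ip, 389))
            for ip in FAKE_DNS[host]
            for sock_type in (socket.SOCK_STREAM, socket.SOCK_DGRAM)]


if __name__ == "__main__":
    for candidate in ("192.0.2.10", "dc01.company.example", "ldap.company.example"):
        result = check_identity_source_host(candidate, fake_getaddrinfo)
        verdict = "OK" if result["single_target"] else "NOT a single target"
        print(f"{candidate}: {verdict} {result['addresses']}")
```

Run against the real resolver by omitting the second argument; a name that comes back with several addresses should be replaced by the IP address of one domain controller before it is entered in the identity source connection configuration.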
Legacy Article ID: a66828
