000033333 - Fail to authenticate to restricted agents with users in Active Directory in Authentication Manager 8.1

Document created by RSA Customer Support Employee on Jun 21, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 4

Article Content

Article Number: 000033333
Applies To:
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.1 or later
  • Authentication to restricted agents with users in AD is failing with the following error:
Principal does not belong to any groups activated on restricted agent

  • The system activity monitor shows a failure to read the identity source group.

  • Granting access to some groups (go to Access > Authentication Agents > Manage Existing, select the Restricted tab, choose Grant Access to More User Groups, then select the group(s)) fails with the error below:
There was a problem processing your request. 

The identity source association of the user group <group_name> has changed. Run the Scheduled Identity Source cleanup job to update the User Group association. You must re-configure the group data related to Authentication Manager, for example access to restricted agents, restricted access times and notes.

  • Test connections in Operations Console are all successful 
  • Running Clean Up Unresolvable Users or restarting services does not help.
Cause: There was a change in domain controllers, but the cause of the error is unknown.
  1. In the Security Console, navigate to Setup > Identity Sources > Schedule Cleanup.
  2. Click the Schedule Cleanup checkbox and set the Run Time for the job.  
  3. When done, click Save.
  4. Navigate to Administration > Batch Job to check that the batch job is complete. 
  5. Select user groups to grant access to the restricted authentication agents.  Select Access > Authentication Agents > Manage Existing. 
  6. Click the Restricted tab and select Grant Access to More User Groups from the Action Menu.
  7. Search and select group(s) then click Grant Access to User Groups.