000033829 - Users from an external identity source are listed as disabled in the RSA Authentication Manager 8.x Security Console

Document created by RSA Customer Support Employee on Aug 29, 2016
Last modified by RSA Customer Support Employee on Apr 22, 2017
Version 3

Article Content

Article Number: 000033829
Applies To:
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x
Issue: Administrators are unable to manage LDAP users, including token assignments, because the users are listed in a disabled state in the Security Console.
Cause: The account that is being used to bind to the external identity source does not have full read permissions on the user accounts. As a result, Authentication Manager is unable to read the userAccountControl field from the external identity source. This field flags whether the user account is disabled.
Because Authentication Manager cannot determine whether the account is enabled, for security reasons it treats the account as disabled.
Resolution: To resolve this issue:
  1. Update the service account with a user that has domain admin permission to bind to the identity source.
  2. Ensure that the Directory User ID configured to bind to the LDAP directory in the Operations Console has read permissions for all user account controls in the LDAP branch that has been specified.
  3. From the Operations Console:
    1. Navigate to Deployment Configuration > Identity Sources > Manage Existing.
    2. Click on the context arrow next to the external identity source in question and click Edit.
    3. Update the Directory User ID field to a user that has appropriate domain permissions.
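
To confirm the cause before or after changing the Directory User ID, the following added example (not RSA code) classifies LDIF output from a directory search run as the bind account, separating users whose userAccountControl is missing from users that are genuinely disabled. It assumes an Active Directory identity source, where bit 0x0002 of userAccountControl marks a disabled account; the sample entries, domain names and function names are constructed for illustration.

```python
ACCOUNTDISABLE = 0x0002  # Active Directory userAccountControl "disabled" bit

# Constructed sample: LDIF from a search bound as the Directory User ID,
# requesting sAMAccountName and userAccountControl under the configured base.
SAMPLE_LDIF = """\
dn: CN=Alice Example,OU=Staff,DC=example,DC=test
sAMAccountName: alice
userAccountControl: 512

dn: CN=Bob Example,OU=Staff,DC=example,DC=test
sAMAccountName: bob
userAccountControl: 514

dn: CN=Carol Example,OU=Restricted,DC=example,DC=test
sAMAccountName: carol
"""

def parse_ldif(text):
    """Yield one dict per entry (lower-cased attribute names, first value kept).
    Assumes plain-text values; base64 ("attr::") values are not decoded."""
    # Unfold continuation lines: a line starting with one space continues
    # the previous line.
    text = text.replace("\r\n", "\n").replace("\n ", "")
    for block in text.split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue  # skip comments and anything that is not attr: value
            name, _, value = line.partition(":")
            entry.setdefault(name.strip().lower(), value.strip())
        if "dn" in entry:  # ignore search-result trailers without a dn
            yield entry

def classify(entry):
    """'unreadable' means the bind account was not shown userAccountControl,
    the case the article says is displayed as disabled."""
    uac = entry.get("useraccountcontrol")
    if uac is None:
        return "unreadable"
    return "disabled" if int(uac) & ACCOUNTDISABLE else "enabled"

def report(text):
    return {e.get("samaccountname", e["dn"]): classify(e) for e in parse_ldif(text)}

if __name__ == "__main__":
    for user, state in report(SAMPLE_LDIF).items():
        print(f"{user:10} {state}")
```

Entries reported as unreadable point to the permission problem described under Cause; entries reported as disabled are disabled in the directory itself and are not fixed by changing the bind account.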