This is the correct behavior where an external identity source, such as Active Directory or SunONE Directory Server, is being used and a user was been deleted by the directory server administrator while they still had a token assigned to them.

Authentication Manager will only be aware that a user has been deleted when it queries the identity source and is informed that the user no longer exists.  At this point the software will display the token details as <UNKNOWN>.

It is possible to manually unassign the token where needed on an individual basis; however you may also configure a background task to run once a day to check through your entire system and reset any records that it finds in thi state.
 

Depending on the size of your database and external identity source, think about scheduling this process to run overnight.

Cleanup options

Running automatically

1. Select Setup > Identity Sources > Schedule Cleanup.  
2. Enable the task.
3. At the prompts, set the time, date and frequency for the cleanup to be run.

One-time cleanup

You can also run a one-time cleanup.  From the Security Console,

1. Select Setup > Identity Sources > Cleanup Unresolvable Users. 
2. This page has a preview to see what the system thinks needs to be cleaned up.  You can check the list and ensure all the user IDs that appear are explained; for example, that the user doesn't need a token assigned to them anymore, etc.).
3. This job will clean up all those records where the user with a token has been deleted from the external identity source, but still has a reference (and an assigned token) in Authentication Manager.

 
You can also go to Administration > Batch Jobs to see a history of when the last time the job ran as well.

For full details on the cleanup process, see the help menu in the Security Console.