• Principal does not possess one or more authenticators
• No aliases found, unable to resolve principal by alias
• Unable to resolve principal by login ID and/or alias
• Unable to resolve login by user id and/or alias, or authenticator not assigned to user
• This user ID is already in use by an unresolvable user in this realm

In the following example,

• There is an Authentication Manager user named Jay Guillette.
• Jay's user ID of jguillette exists in the external identity source named IS1 and has a token assigned to him.  
• Jay's user ID of AdminGuill exists in external identity source named IS2 and does not have a token assigned.  This account must be unregistered in Authentication Manager, which means it has never had token assigned to it.  See article here for solutions.
• Jay wants to be able to use the same token whether he authenticates as jguillette or as AdminGuill.

Prerequisite

If no user groups exist, first create an internal group or use an external LDAP group.  From the Security Console select Identity > User Groups > Add New. Now  add both the jguillette and AdminGuill user IDs to this group.

You will need to have a user group to assign to the user before continuing  If authentication is through a RADIUS client, also create a RADIUS profile.

1. Login to the Security Console.
2. Navigate to Identity > Users > Manage Existing.
3. Set the Search Criteria for Identity Source to IS1 where User ID contains jguillette.
4. In the User ID column, click on Jay's user ID and from the menu choose Authentication Settings.
5. In the Authentication Settings section,
   1. For the option of User Authenticates With, select Default User ID, or any of the following aliases.
   2. Select a user group from the list.
   3. In the User ID field, add the logon alias of AdminGuill.  
   4. If authenticating with RADIUS, be sure to add a RADIUS profile value.
   5. Click Add.
   6. Click Save when done.
6. Go back to Identity > Users > Manage Existing.
7. Set the Search Criteria for Identity Source to IS2 where User ID contains AdminGuill
8. In the User ID column, click on Jay's user ID and from the menu choose Authentication Settings.
9. In the Authentication Settings section,
   1. For the option of User Authenticates With, select Only the following aliases.  See screenshot below
   2. Select a user group from the list.
   3. In the User ID field, add the logon alias for jguillette, e.g. AdminGuill.  
   4. If authenticating with RADIUS, be sure to add a RADIUS profile value.
   5. Click Add.
   6. Click Save.

10. Navigate to Access > Authentication Agents > Manage Existing.
11. Depending on the agent, click the Restricted or Unrestricted tab.
12. Use the search fields to find the agent to which you want to enable logon aliases.
13. Select the checkbox next to the agent to which you want to enable logon aliases.
14. Do one of the following:
    • For restricted agents, select Grant Access to User Groups from the Action Menu and click Go.
    • For unrestricted agents, select Enable Logon Aliases from the Action Menu and click Go.
15. Use the search fields to find the user groups to which you want to enable logon aliases.
16. Select the checkbox next to the user group to which you want to enable logon aliases.
17. Do one of the following:
    • For restricted agents, click Grant Access to User Groups.
    • For unrestricted agents, select Enable Logon Aliases with User Groups.
18. Test authentication as both jguillette and as AdminGuill using the same token.  

When testing, be sure to wait for the tokencode to roll to the next one before the second authentication so you don't get a passcode reuse attack error in the authentication activity monitor.

RSA strongly recommends that you do not allow users to share the same token. It is a poor security practice as it negates non-repudiation.