RSA Authentication Manager 8.1 token expiration report hangs and does not complete
Originally Published: 2014-07-09
Article Number
Applies To
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.1
Issue
The List All User report takes a long time and does not complete.
Listing user groups in the Security Console gives error:
There was a problem processing your request.
Unexpected error during command com.rsa.admin.PagedSearchGroupsCommand execution."
Error : Batch entry 5 INSERT INTO AM_REPORT_TKN_EXP
Error : Batch entry 263 INSERT INTO AM_REPORT_TKN_EXP (REPORT_ID.
Unexpected error during command com.rsa.admin.PagedSearchGroupsCommand execution."
Error : Batch entry 5 INSERT INTO AM_REPORT_TKN_EXP
Error : Batch entry 263 INSERT INTO AM_REPORT_TKN_EXP (REPORT_ID.
The token expiration report fails with a duplicate users error:
Error : Batch entry 263 INSERT INTO AM_REPORT_TKN_EXP (REPORT_ID, IDX, LOGINUID, FIRST_NAME, LAST_NAME, EMAIL, ACCOUNT_ENABLED, HAS_STATIC_PASSWORD, USER_ID_SOURCE, USER_SECURITY_DOMAIN, USER_LAST_UPDATED_ON, SERIAL_NUMBER, TOKEN_TYPE, IS_TOKEN_LOST, IMPORTED_ON, TOKEN_SHUTDOWN_DATE, TOKEN_TERM, ALGORITHM, IS_PINLESS, REPLACEMENT_STATUS, TOKEN_CODE_LENGTH, TOKEN_ENABLED, EA_MODE_TYPE, LAST_TFT_AUTH, TOKEN_SECURITY_DOMAIN, TOKEN_ASSIGNMENT_DATE, LAST_LOGIN_DATE, USER_GROUP, GROUP_DOMAIN_ID) VALUES ('1debae2e790b19ac1caa81594bd80c2b','263','jsnow','Snow','John','john.snow@winterfell.com.com','Yes','FALSE','Sync with HQ','SystemDomain','2014-06-19 11:35:28','000123456789','SecurID Software Token','FALSE','','2014-09-29 17:00:00','38 months','AES-TIME','FALSE','No Replacement','8','Yes','','2014-08-19 20:55:37','SystemDomain','2012-06-20 12:19:40','2014-08-19 20:55:37','admin, 295951, Citrix, Citrix-Support, HomeFolder_WINTERFELL, PCSupport, _SK, VDI_View_U...
Resolution
- Choose either Workaround 1 or 2 then move to step 2.
- Workaround 1
A simple workaround is to use the Users with Token report and filtering for the token expiration time. Be careful not to select account expiration. Also the default is Last, so if you are looking for users with tokens that expire in next 90 days, be sure to change that or you may end up with empty reports or unexpected results
- Workaround 2
Open the Operations Console and navigate to Deployment Configuration > Identity Source > Mapping. Uncheck the box to Enable the use of the MemberOf attribute. Customers have confirmed that unchecking the box resolves the issue. Unchecking the option to use the MemberOf attribute switches from using memberOf, to using the member attribute.
- Membership Attribute. The attribute that contains the DNs of all the users and user groups that are members of a user group.
- User MemberOf Attribute. Enables the system to resolve membership queries by using the value specified for the MemberOf attribute.
- MemberOf Attribute. The attribute of users and user groups that contains the DNs of the user groups to which they belong.
- Next, modify the identity source connection configuration by changing the User Group Base DN from dc=company,dc=net to be more detailed, such as OU=remoteusers,OU=finance,DC=company,DC=net.
- From the Operations Console select Maintenance > Flush Cache > . Choose the option to flush cache for all objects.
- Open the Security Console and select Reporting > Reports > Add New and run the Token Expiration Report.
Notes
Patch 4 includes a partial fix for AM-28040. A more complete fix (AM-28656) is expected in early 2015.
In its simplest implementation, round-robin DNS works by responding to DNS requests not only with a single IP address, but a list of IP addresses of several servers that host identical services. The order in which IP addresses from the list are returned is the basis for the term round robin. RSA Identity Source should be configured with an IP address of a single domain controller, and not for a round-robin DNS name, or a directory load balancer. The IP address belonging round robin DNS cannot be used in identity source connection configuration.
Related Articles
AAOP batch loader utility issue - Configuration problem - please check that the following parameter is configure: com.rsa.… Number of Views Batch Jobs Number of Views Assign a replacement RSA SecurID token to a user in RSA Authentication Manager Number of Views Scheduled clean up job does not run but manual clean up works on Authentication Manager 8.x Number of Views What is the maximum number of seeds in a batch RSA Security can ship on a floppy disk? Number of Views
Trending Articles
RSA MFA Agent 2.3.6 for Microsoft Windows Installation and Administration Guide RSA Authentication Manager 8.9 Release Notes (January 2026) How to install the jTDS JDBC driver on WildFly for use with Data Collections in RSA Identity Governance & Lifecycle RSA Authentication Manager 8.8 Setup and Configuration Guide Artifacts to gather in RSA Identity Governance & Lifecycle
Don't see what you're looking for?
