Unable to unlink or edit a missing/dead identity source that authenticates to global catalog (GC) from a realm in RSA Authentication Manager 8.x
Originally Published: 2009-07-08
Article Number
Applies To
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x
Issue
- One identity source that authenticates to a global catalog died and is never coming back online. This identity source needs to be unlinked and deleted from the realm. The following error displays when trying to unlink the missing identity source that authenticates to a GC:
One or more of the identity sources that use the runtime identity source as a referral are not part of the realm.
- The following error displays when trying to list tokens:
identity source unable to connect detail
- The domain controller died, and it cannot be unlinked from a realm.
- Unable to edit the identity source Map page because the actual machine is unavailable.
Cause
Resolution
You need to edit the missing identity source, then go to the Map page and deselect Authenticate users to a global catalog. However, if the machine is dead or otherwise unreachable, the Operations Console won't let you make any of these changes, so you need to fake out the Operations Console by completing the steps below:
- Log in to the Operations Console and select Deployment Configuration > Identity Source > Manage Existing.
- From the drop down for the identity source, choose Edit.
- Change the Directory URL to point to an actual existing and reachable identity source. It can be one of the other ones you currently use, as long as the machine is up and reachable.
- Now, go to the Map tab, and deselect the option to Authenticate users to a global catalog.
- Click Save when done.
- Log in to the Security Console and navigate to Setup > Identity Sources > Link Identity Source to System.
- Highlight the correct identity source in the Linked box on the right and, using the arrow keys, move it to the Available box.
- Click Save when done.
- Now you should be able to list tokens.
- To delete the identity source for good, run a cleanup job via the Security Console:
  - For Authentication Manager 7.1, navigate to Setup > Component Configuration > General > Synchronize with Identity Sources.
  - For Authentication Manager 8.x, navigate to Setup > Identity Sources > Cleanup Unresolvable Users.
- Finally, you can delete the identity source from the Operations Console.
Notes
Simple example scenario
- DC1 is an identity source that is the GC.
- DC2 is an identity source that authenticates to DC1.
- DC3 is an identity source that authenticates to DC1.
- DC1, DC2 and DC3 are linked to the same realm.
- DC2 dies and the decision is made to just forget about it and get rid of it.
In the scenario above you cannot list tokens and you cannot unlink just DC2 to get ready to delete it. You are stuck trying to unlink DC2 to clean up this situation so you can get back to managing users and tokens normally.