How to fix overlapping external Identity Sources in AM 7.1 or later
Originally Published: 2013-12-02
Applies To
Multiple external Identity Sources, e.g. support.na.rsa.net, engineering.na.rsa.net and marketing.na.rsa.net, that could be better managed as one external Identity Source under na.rsa.net.
External IS integration.
Issue
The same user shows up under two Identity Sources that point to different parts of the same Active Directory domain.
Adding a user with the same user ID fails with "There was a problem processing your request."
Cannot add or manage a user with user ID jguillette. Your deployment is configured to not allow duplicate user IDs in a realm. This user ID is already in use by an unresolvable user in this realm. For more information, see the Troubleshooting appendix in the Administrator's Guide.
Export Failed: There is an error with the user record. The identity source contains no value for the attribute set as the Unique Identifier for the user. Edit the user record in the directory to add a value.
This last error indicates that the external Identity Source is not using objectGUID as the Unique Identifier but something else, such as exuid or employeeNumber, and that at least one record has a blank value in that Unique Identifier attribute.
Cause
If a user is deleted and then added back to Active Directory, that is not an overlap: the re-created object gets a new objectGUID, while Authentication Manager still references the old one. This situation often produces the error 'user already exists in the realm'.
Two different people with the same name and the same user ID in different domains are not an overlap either; they are duplicate users, not the same person twice.
If the users are not in the same domain they are not the same user, so this is not an overlap: use the Token/User export fix rather than the LDAP fix (see KB a63330).
Resolution
1. Create the new top-level LDAP Identity Source that overlaps the two or more existing Identity Sources, i.e. build the top-level, all-inclusive IS.
2. Remove the sub-container Identity Sources.
3. Start a clean-up job on the Primary Security Console - simply viewing the list of these users will
Details of step 1:
Create the new Identity Source at the top of the directory tree with:
User Base DN: dc=company,dc=com (the top-level domain name)
Under Users
Search Filter: (&(objectClass=User)(objectCategory=person))
Under Groups
Search Filter: (&(objectClass=group))
The users will now show in both Identity Sources, which causes a problem: a user who appears in two locations cannot be resolved, so there will be authentication failures. This needs to happen first so that the clean-up can fix it.
Details of step 3:
With a single top-level IS there is no overlap any more, but the Authentication Manager database pointer (exuid, usually the objectGUID) for each formerly overlapping user ID still has to be corrected to point at the single instance of that user in the new Identity Source. Run an Identity Source clean-up: listing the users finds each user by GUID and updates the CN part of the exuid pointer into AD so that the user resolves in the new Identity Source. You do not even have to run the clean-up; simply listing the users corrects the exuid pointer.
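To make the distinction drawn in the Cause section and the three-step procedure above concrete, here is an added Python example (not RSA code, and not part of the original article). It models each Identity Source as its User Base DN, reports which sources overlap by DN containment, and classifies every colliding user ID as an overlap (one directory object reachable through two sources), a genuine duplicate (two objects sharing a user ID, e.g. in another domain), or a stale pointer (the deleted-and-re-created case behind the "unresolvable user" error). It also lists records with a blank Unique Identifier, the cause of the export failure. The directory entries, GUIDs and the AM_RECORDS mapping are constructed stand-ins for Active Directory and the Authentication Manager database; in a real deployment the equivalent checks are an ldapsearch against each base DN and the user list in the Security Console.

```python
"""Classify collisions between RSA AM external Identity Sources (AD).

Added example, not RSA code.  An Identity Source is modelled as a name plus
its User Base DN; DIRECTORY is a constructed in-memory stand-in for Active
Directory and AM_RECORDS stands in for the exuid pointers held in the
Authentication Manager database (here just user ID -> objectGUID).
Attribute names follow AD: objectGUID, sAMAccountName, employeeNumber.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class IdentitySource:
    name: str
    base_dn: str  # User Base DN as typed into the Security Console

def dn_components(dn):
    """Normalise 'DC=na, dc=rsa,dc=net' -> ['dc=na', 'dc=rsa', 'dc=net']."""
    return [c.strip().lower() for c in dn.split(",")]

def is_under(entry_dn, base_dn):
    """Subtree-search semantics: entry_dn is at or below base_dn."""
    e, b = dn_components(entry_dn), dn_components(base_dn)
    return len(e) >= len(b) and e[-len(b):] == b

def overlapping_sources(sources):
    """(outer, inner) pairs where the outer base DN contains the inner one."""
    return [(a.name, b.name) for a in sources for b in sources
            if a is not b and is_under(b.base_dn, a.base_dn)]

def classify_collisions(sources, entries, am_records, unique_attr="objectGUID"):
    """Map each problematic user ID to why it is problematic:
      overlap   - one directory object reachable through two Identity Sources
                  (the case this article fixes with a top-level IS + clean-up)
      duplicate - two distinct objects share the user ID, e.g. another domain
                  (not an overlap; handle as duplicate users)
      stale     - AM's stored pointer names a GUID the directory no longer has,
                  the deleted-and-re-created case ('unresolvable user' error)
    """
    hits = defaultdict(list)  # user ID -> [(source name, entry)]
    for e in entries:
        for s in sources:
            if is_under(e["dn"], s.base_dn):
                hits[e["sAMAccountName"]].append((s.name, e))
    report = {}
    for uid, found in hits.items():
        objects = {e[unique_attr] for _, e in found}
        stored = am_records.get(uid)
        if stored is not None and stored not in objects:
            report[uid] = "stale"
        elif len(objects) > 1:  # checked before overlap: this needs the other fix
            report[uid] = "duplicate"
        elif len(found) > 1:
            report[uid] = "overlap"
    return report

def entries_missing_unique_id(entries, unique_attr):
    """DNs whose configured Unique Identifier attribute is absent or blank;
    these are what makes export fail when the IS does not use objectGUID."""
    return [e["dn"] for e in entries if not e.get(unique_attr)]


# Constructed sample directory; GUIDs are placeholders, not real values.
DIRECTORY = [
    {"dn": "cn=jguillette,ou=support,dc=na,dc=rsa,dc=net",
     "sAMAccountName": "jguillette", "objectGUID": "guid-0001", "employeeNumber": "1001"},
    {"dn": "cn=jsmith,ou=engineering,dc=na,dc=rsa,dc=net",
     "sAMAccountName": "jsmith", "objectGUID": "guid-0002", "employeeNumber": ""},
    {"dn": "cn=jsmith,ou=sales,dc=emea,dc=rsa,dc=net",
     "sAMAccountName": "jsmith", "objectGUID": "guid-0003", "employeeNumber": "2001"},
    {"dn": "cn=aday,ou=support,dc=na,dc=rsa,dc=net",
     "sAMAccountName": "aday", "objectGUID": "guid-0009", "employeeNumber": "1002"},
]

# State after step 1: the new all-inclusive IS exists next to the old sub-container ISs.
STEP1_SOURCES = [
    IdentitySource("na-root", "dc=na,dc=rsa,dc=net"),
    IdentitySource("support", "ou=support,dc=na,dc=rsa,dc=net"),
    IdentitySource("engineering", "ou=engineering,dc=na,dc=rsa,dc=net"),
    IdentitySource("emea", "dc=emea,dc=rsa,dc=net"),
]

# Hypothetical AM pointers: aday was deleted and re-created in AD, so the
# stored GUID guid-0004 no longer exists in the directory.
AM_RECORDS = {"jguillette": "guid-0001", "jsmith": "guid-0002", "aday": "guid-0004"}

def step2_sources():
    """Step 2: drop every Identity Source that another source's base DN contains."""
    inner = {b for _, b in overlapping_sources(STEP1_SOURCES)}
    return [s for s in STEP1_SOURCES if s.name not in inner]


if __name__ == "__main__":
    print("overlapping:", overlapping_sources(STEP1_SOURCES))
    print("after step 1:", classify_collisions(STEP1_SOURCES, DIRECTORY, AM_RECORDS))
    print("after step 2:", classify_collisions(step2_sources(), DIRECTORY, AM_RECORDS))
    print("blank employeeNumber:", entries_missing_unique_id(DIRECTORY, "employeeNumber"))
```

Overlap is decided purely on DN containment, which is exactly what step 1 deliberately creates; after step 2 removes the contained sources, jguillette no longer collides and only the genuine duplicate (jsmith in a different domain) and the stale pointer (aday, which the clean-up or a listing of the users corrects) remain. The duplicate classification deliberately wins over overlap, because a user ID shared by two distinct objects needs the Token/User export fix from the Cause section rather than the LDAP fix.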