Number of Assigned Licenses More Than Number of Assigned Tokens
On our Security console when I go to view license status it says the actual number of Users with Assigned Tokens is 185. However when I go to manage existing assigned tokens and view all assigned it shows only 165. How do I get the licenses to accurately reflect the number of assigned tokens?
- assigned tokens
- Cloud Auth
- Cloud Authentication
- Cloud Authentication Service
- Community Thread
- Forum Thread
- RSA SecurID
- RSA SecurID Access
You should check the number of users that have been configured to use static passcodes (under the user context menu "Authentication Settings..."). Users that can authenticate with static passcodes count against the license limit.
Anybody with at least 1 authenticator; hard token, soft token, On-Demand token or Risk Based Auth, RBA, will count towards the 185 you see. The tricky part is this can include lost of orphaned users in Active Directory or other external Identity Source.
You'll need to run a clean-up job first
Then you may also need to search the internal database to find some dead links to ObjectGUIDs in Active Directory that AM cannot clean up - usually due to some combination of changes such as disabling and moving or changing some user info and moving (which changes the DN)
If you need to dig deeper, there is a KB called How to get an accurate license count, which is KB 30005, link below, or you could find with a search
This is not exactly easy, but if AD is screwed up, this might be a way to surgically remove people.
A variation on this would be to export all users and tokens, unlink the Identity Source, run clean-up and remove everyone, re-link the Identity Source then re-import all users and tokens back in, which will only be the ones who could be found not the orphans, and they will be found in AD again.