We moved user1 from the ab.com domain to the de.com domain in AD.
We disabled the user in the ab.com domain.
Now we are seeing that user1 doesn't have any token, and a new token also cannot be assigned to the user. We are getting an error saying a token is already assigned, and that token itself is not searchable in RSA now.
If we move a user from one domain to another through AD, does the token also move with the user?
Can somebody help here?
Also, how do we move a user with a token from one identity source (ab.com) to another (de.com)? Is it possible?
Both identity sources are in the same setup.
1- The user is not showing up in the unresolvable report.
2- The token is released from the user and assigned to a different user.
3- But now we are not able to assign the new token to the user in the new domain. The user is disabled in the old domain.
What should we do to assign the token to this user?
If the token was assigned to user1 in ab.com, and then you created the same user1 in the new domain, at that point you'd have duplicates. When you hide or delete user1 in ab.com, the new domain user1 may actually heal and assign the token to it, because it's the same userID, same first and last name. So you are never unresolvable.
I checked for the user in the unresolvable list but no results were found. Now the user in the old domain is in a disabled state, and in the new domain we are not able to assign a new token.
Can you please suggest how to resolve this?
The user in the old domain is not in the unresolvable list because he is in the old domain, just disabled. He would need to be not found in order to be unresolvable in the old domain. So the AM internal database has a pointer to the user in the old domain, to their ObjectGUID, so when you try to assign a token to the same user in the new domain, you get the error that he already exists.
The proper fix is to remove the userID from the old domain. If you cannot control what is done in the old domain, there is a 'trick' we can do, basically to filter out or block the single userID in the old domain Identity Source. This would allow you to find this userID in the Clean-up unresolvable list. Once that happens, you will be able to assign a token to the same userID in the new domain.