Account Recreation / Token Re-Assignment?
For reasons I can't get into here, the AD associated with my Authentication Manager appliance is being wiped clean of all non-service account users. Users will be re-provisioned with the same ID as before into the AD, albeit with different groups and permissions. When these users are removed from the AD, they will of course be subsequently deleted from RSA AM.
Is there any way to preserve the assigned SecurID token for each user so when it is recreated on the AD, their existing soft token still works, along with PIN, security questions, etc? Could I possibly break the connection to my AD temporarily, while accounts are recreated and then re-synchronize it along with the RSA AM?
Any ideas at all would be appreciated.
- account recreation
- Active Directory
- Auth Manager
- Authentication Manager
- Community Thread
- export users and tokens
- Forum Thread
- retain pin
- retain token
- RSA Authentication Manager
- RSA SecurID
- RSA SecurID Access
- token reassignment
1. Export users and tokens in the Security Console - Administration.
Download your AM server's key first, then export the encrypted file destined for the same server because it will be encrypted with the public key. When AD changes are done, and you have either repaired or re-created the AD external Identity Source, you can import your users and tokens back in. At the time you perform the Tokens/Users export, the file will contain assigned tokens and PINs if created, so changes after that won't be captured in the file.
2. Wait to perform any scheduled or Right Now External Identity Source clean-ups until after AD changes are made. A clean-up can often find and fix changes that only affect 1 critical field at a time, e.g. if the User last name changes, but other things remain same, this will be fixed immediately, or if User DN changes, but samaccountname, first and last names remain the same, we can fix that too. If multiple things change we might not be able to find and reconcile the users. So first option might be best, or at least used as a backup. You could remove your Identity sources, make AD changes, then add them back and see if AM can reconcile, and if not, import the Tokens/Users which should find the users because they will essentially be the same, and preserve the token assignments.
Refer to the attached PowerPoint, which I do not believe is available in RSA Link, to gain some extra understanding of how the AM database uses a pointer called EXUID to something in the external Identity Source (typically ObjectGUID in AD) to find the user every time an Admin looks them up, assigns them a token, as well as every time they log on.
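As an added illustration of the reconciliation the answer describes (not code from RSA or from anyone in this thread): a Python pre-flight check that compares a snapshot of the AD users AM points at before the wipe with the re-provisioned accounts, matched on sAMAccountName, and reports which of the EXUID/objectGUID, DN and name fields changed so you can judge whether a clean-up has a chance or whether the users/tokens export is the path back. The sample records, the field set and the verdict labels are assumptions made for the example.

```python
"""Added example: pre-flight reconciliation check for an AD wipe/recreate.
All records below are constructed sample data, not real directory output."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# objectGUID is what AM's EXUID points at; the rest are the fields the answer
# says a clean-up can fall back on when only one of them changes.
FIELDS = ("objectGUID", "dn", "givenName", "sn")

@dataclass(frozen=True)
class AdUser:
    sAMAccountName: str
    objectGUID: str
    dn: str
    givenName: str
    sn: str

def classify(old: AdUser, new: Optional[AdUser]) -> Tuple[str, List[str]]:
    """Rule of thumb from the answer: one changed field may be reconciled by a
    clean-up; several changed fields means plan on re-importing the export.
    Verdict labels are hypothetical."""
    if new is None:
        return ("not-yet-recreated", [])
    changed = [f for f in FIELDS if getattr(old, f) != getattr(new, f)]
    if not changed:
        return ("unchanged", changed)
    if len(changed) == 1:
        return ("cleanup-may-reconcile", changed)
    return ("reimport-export", changed)

def reconcile(old_users: List[AdUser], new_users: List[AdUser]) -> Dict[str, Tuple[str, List[str]]]:
    """Match on sAMAccountName (the ID the question says is kept) and classify each user."""
    by_sam = {u.sAMAccountName.lower(): u for u in new_users}
    return {u.sAMAccountName: classify(u, by_sam.get(u.sAMAccountName.lower()))
            for u in old_users}

# Constructed snapshots: before the wipe, and after re-provisioning.
OLD = [
    AdUser("alice", "guid-a1", "CN=Alice Li,OU=Staff,DC=corp,DC=example", "Alice", "Li"),
    AdUser("bob", "guid-b1", "CN=Bob Ray,OU=Staff,DC=corp,DC=example", "Bob", "Ray"),
    AdUser("carol", "guid-c1", "CN=Carol Ng,OU=Staff,DC=corp,DC=example", "Carol", "Ng"),
    AdUser("svc-am", "guid-s1", "CN=svc-am,OU=Service,DC=corp,DC=example", "svc", "am"),
]
NEW = [
    AdUser("alice", "guid-a2", "CN=Alice Li,OU=Staff,DC=corp,DC=example", "Alice", "Li"),  # new GUID only
    AdUser("BOB", "guid-b2", "CN=Bob Ray,OU=Contractors,DC=corp,DC=example", "Bob", "Ray"),  # new GUID, moved OU
    AdUser("svc-am", "guid-s1", "CN=svc-am,OU=Service,DC=corp,DC=example", "svc", "am"),  # service account untouched
]

if __name__ == "__main__":
    for sam, (verdict, changed) in reconcile(OLD, NEW).items():
        print(f"{sam:8} {verdict:22} {', '.join(changed) or '-'}")
```

Run it against a real export of both snapshots and any user landing in the multi-change bucket is one to plan a users/tokens re-import for rather than trusting the clean-up.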