When listing assigned tokens, some are assigned to <UNKNOWN>.
This is the correct behavior where an external identity source, such as Active Directory or SunONE Directory Server, is being used and a user was been deleted by the directory server administrator while they still had a token assigned to them.
Authentication Manager will only be aware that a user has been deleted when it queries the identity source and is informed that the user no longer exists. At this point the software will display the token details as <UNKNOWN>.
It is possible to manually unassign the token where needed on an individual basis; however you may also configure a background task to run once a day to check through your entire system and reset any records that it finds in thi state.
Depending on the size of your database and external identity source, think about scheduling this process to run overnight.
To set the task to run automatically from the Security Console,
This page has a preview to see what the system thinks needs to be cleaned up. You can check the list and ensure all the user IDs that appear are explained; for example, that the user doesn't need a token assigned to them anymore, etc.).
This job will clean up all those records where the user with a token has been deleted from the external identity source, but still has a reference (and an assigned token) in Authentication Manager.
You can also go to Administration > Batch Jobs to see a history of when the last time the job ran as well.
For full details on the cleanup process, see the help menu in the Security Console.