Hi Any one can advise is there any issues if I integrate multiple AD with authentication manager having same userID.
thanks in advance
When you do this, you create duplicate UserIDs, and you will either have small, possibly unnoticeable, or big problems, but there will be problems so it is not recommended.
When you link an external Identity Source, your Security Console Administrators immediately see all users in that Identity Source. These users do not count against your active User limit, but at this point you can see everyone in the scope, under the Base DN and search filters.
When your Admin assigns a token authenticator; Hardware FOB, software, On Demand, Risk-Based or even a Fixed Passcode, that user now counts against your active user license limit. Auth Manager can do this because there is now a pointer, called the exuid field in the internal database, which contains the value of the location of this users in the external Identity Source, usually the Objectguid in Active Directory. The fact that there is now an exuid field pointing to a user's objectguid in AD is known as registration in RSA speak, this user is now said to be registered. Most Registered Users count against your active user license limit, but one exception to this, users who answer their Security Questions in the self service console become registered, but do not count against the active user license limit until an authenticator is assigned.
The minor problems start when your administrators see duplicate userIDs in the Security Console, one registered, others usually not. This can cause reporting problems, but authentications will work because on the registered user is found. Major problems start when you want to switch a registered user from one Identity Source to another Identity Source, when AM can see both users in both Identity Sources. There is no way in the Security Console to manually 'unregister' a user, the normal method is that the user is removed from AD (because they left the company, etc...) so AM no longer sees user, and when a clean-up job runs - then that user is unregistered. Worst problems are when the same userID gets registered twice.
Hi Jay, Noted. very helpful.
The other functionality to assist in this situation isthe use of aliases. These can be created for specific users with duplicate IDs. There is also an option that will prevent AM from using the user's default AD login ID as their login ID at an RSA Agent. This eliminates a problem that can occur during authentication when the server is unable to determine the unique identity of the user based on the login ID they entered at the Agent. If this option is selected, the user will be required to use an alias when authenticating.
Dear Piers Bowness,
Thanks for sharing other functionality, you mean after creating Alias in RSA AM, user need to key in Alias name instead AD user name when windows prompts key in user name and Pass code . Am I right ? if I am right, how Windows server will read the Alias name which we create in RSA AM?.
Retrieving data ...