We recently had two users prompted to enter the "next tokencode" after they'd already logged in successfully. According to RSA support, this is typically because their tokens are out of sync.
However, they were able to log in again after we cleared their incorrect login attempts. We did not do anything to resynchronize their tokens.
With that said, does this mean the tokens can sometimes get back into sync without intervention?
Or was my problem perhaps something else? The users were highly confident they entered the correct token code each time.
The answer is 'a little bit' or 'kind of'.
If you restart AM services on the Primary, either after a reboot or in Linux with /opt/rsa/am/server/rsaserv restart all, then the first time every token is used to log on after that, the AM server will accept any tokencode within a plus or minus 10 minute window. The AM server can then note any difference in the time on the token from the time on the AM server (which is always assumed to be correct).
Re-syncing a token does the same thing, but with a plus or minus 12 hour window.
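
A small model of the window behavior described in the answer above, added here as an illustration; it is not RSA's code and not part of the original posts. Assumptions: an HMAC-based stand-in replaces the proprietary SecurID algorithm, tokencodes change every 60 seconds, the normal window is plus or minus one step, and the names `TokenRecord`, `server_restarted`, `validate` and `resync` are hypothetical.

```python
import hashlib
import hmac
import struct

STEP = 60                                        # seconds per tokencode (assumed)
NORMAL, AFTER_RESTART, RESYNC = 1, 10, 12 * 60   # half-widths in steps; NORMAL is assumed

def tokencode(seed: bytes, t: int) -> str:
    """Stand-in generator (HMAC-SHA1 over the time step), NOT the SecurID algorithm."""
    mac = hmac.new(seed, struct.pack(">Q", t // STEP), hashlib.sha1).digest()
    pos = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[pos:pos + 4])[0] & 0x7FFFFFFF
    return f"{value % 10**8:08d}"

class TokenRecord:
    """Hypothetical per-token server state: learned clock offset and current window."""
    def __init__(self, seed: bytes):
        self.seed, self.offset, self.window = seed, 0, NORMAL

    def server_restarted(self) -> None:
        self.window = AFTER_RESTART      # widened until this token's next good logon

    def validate(self, code: str, server_time: int, window=None) -> bool:
        w = self.window if window is None else window
        base = server_time // STEP + self.offset
        for d in sorted(range(-w, w + 1), key=abs):      # try nearest steps first
            if hmac.compare_digest(tokencode(self.seed, (base + d) * STEP), code):
                self.offset += d         # note the token-vs-server time difference
                self.window = NORMAL     # back to the narrow window
                return True
        return False

    def resync(self, code: str, server_time: int) -> bool:
        return self.validate(code, server_time, window=RESYNC)

if __name__ == "__main__":
    seed, now = b"constructed-demo-seed", 1_700_000_000  # constructed sample values
    rec = TokenRecord(seed)
    code = tokencode(seed, now + 7 * STEP)               # token clock 7 minutes fast
    print("normal window:", rec.validate(code, now))
    rec.server_restarted()
    print("after restart:", rec.validate(code, now), "offset:", rec.offset)
```

Once the offset is stored, later logons from the same drifted token pass the narrow window, which matches the "kind of" self-correction the answer describes.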