
RSA Multi Factor Authentication unregister LDAP ID from prior token

Question asked by Scott Lervold on May 2, 2018
Latest reply on May 2, 2018 by Jay Guillette

We are evaluating the RSA Authentication Agent on a few of our Windows servers to determine if RSA Multi Factor Authentication will meet our needs. We are trying to set up alias authentication, allowing two separate LDAP IDs (user normal and user admin) the ability to use the same token to authenticate to agented servers. Unfortunately, it appears both accounts were assigned tokens at some point so they are both "registered" in RSA. We would like to determine how we can go about "unregistering" one of the accounts so it can be utilized as an alias to the other account. In our scenario, we would like to unregister the user admin account so it can be added as an alias to the user normal account.

The following comment from the above thread appears to indicate there is a way to correct this issue...

Yes. What would mess this up is if both UserIDs, the real one and the alias one, were both assigned tokens at one point, so they would be 'registered' in RSA. If that happened there are ways to fix it, but you only want one UserID pointing to the real SamAccountName in Active Directory, and the other exists in AD, but RSA thinks it is just an alias for the first UserID.

Here's a PowerPoint on external Identity Sources, if you need to understand that the RSA database has a pointer, called exuid, that points to the real User in AD or LDAP; typically the exuid points to the ObjectGUID in LDAP.

Thank you.