I have set up aliased accounts for our admins that have both a user account and an administrator account so that they only require one hardware token. I noticed that the Offline days never refresh for the aliased account. Is there a way to make this refresh, or will that aliased account be forced to be 'online only' once the days expire?
While watching the authentication monitor, I can see that when logging on as the aliased account (the admin), it is authenticated with the account with the token assigned (the user). A few seconds later, a second request is made for Offline Authentication Data; this request is made using the aliased account name and fails. The error log shows that it is an "INVALID_PROOF".
This won't work.
The alias is not a real UserID; it's an alias for the real UserID. Therefore, the Offline Policy only applies to the real UserID; therefore, the real UserID is the only UserID that exists in AM and the only UserID that can have offline days.
So if you really need someone to have offline days, they need their own token.
The alias use case only covers sharing a token between two UserIDs (that are the same person), and does not allow two sets of essentially the same offline day files.