Article Number
000013555
Applies To
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x
Issue
There are times when one user has more than one account in the external identity source used with Authentication Manager. For example, a user may have a regular Active Directory account (jguillette) and a second AD administrative account (AdminGuill).
By default, if one of these user IDs has a token assigned and the other does not, one or more of the following errors appear in the authentication activity monitor when the user ID without the token tries to authenticate to an agent using the native SecurID protocol:
- Principal does not possess one or more authenticators
- No aliases found, unable to resolve principal by alias
- Unable to resolve principal by login ID and/or alias
- Unable to resolve login by user id and/or alias, or authenticator not assigned to user
- This user ID is already in use by an unresolvable user in this realm
If the agent is a RADIUS client, nothing may show in the authentication activity monitor or in authentication reports, but the /opt/rsa/am/radius/<date>.log file may have a generic entry such as:
Unable to find user <user ID> with matching password
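The activity monitor messages and the RADIUS log entry listed above are the only visible symptom of this condition, and they are easy to lose among ordinary failed logins. The following Python script is an added example (not RSA's code) that scans exported activity-monitor lines and RADIUS log lines for exactly those messages and groups them by user ID, so an administrator can spot which second account is failing to resolve. The tab-separated activity-monitor layout and all sample lines are constructed assumptions; adjust the parser to your export format.

```python
import re
from collections import defaultdict

# Error strings the article lists for the authentication activity monitor when a
# login ID cannot be resolved to a principal that holds a token. Matched as
# case-insensitive substrings so minor formatting differences do not matter.
ALIAS_RESOLUTION_ERRORS = (
    "Principal does not possess one or more authenticators",
    "No aliases found, unable to resolve principal by alias",
    "Unable to resolve principal by login ID and/or alias",
    "Unable to resolve login by user id and/or alias, or authenticator not assigned to user",
    "This user ID is already in use by an unresolvable user in this realm",
)

# Generic entry the RADIUS server log (/opt/rsa/am/radius/<date>.log) may carry
# instead; the wording comes from the article, the regex is ours.
RADIUS_PATTERN = re.compile(r"Unable to find user (\S+) with matching password")


def parse_activity_line(line):
    """ASSUMED export layout: '<timestamp>\\t<user id>\\t<agent>\\t<message>'.
    Returns a dict or None if the line does not have that shape."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) < 4:
        return None
    return {
        "ts": parts[0],
        "user": parts[1],
        "agent": parts[2],
        "message": "\t".join(parts[3:]),
    }


def classify(line):
    """Return (user_id, matched_error) when the line indicates an alias/token
    resolution failure, otherwise None. Handles RADIUS and activity lines."""
    m = RADIUS_PATTERN.search(line)
    if m:
        return m.group(1), "radius: " + m.group(0)
    rec = parse_activity_line(line)
    if rec is None:
        return None
    for err in ALIAS_RESOLUTION_ERRORS:
        if err.lower() in rec["message"].lower():
            return rec["user"], err
    return None


def summarize(lines):
    """Map each affected user ID to the sorted list of distinct errors seen."""
    hits = defaultdict(set)
    for line in lines:
        result = classify(line)
        if result:
            user, err = result
            hits[user].add(err)
    return {user: sorted(errs) for user, errs in hits.items()}


# Constructed sample input: one successful login for the account that holds
# the token, two activity-monitor failures and one RADIUS failure for the
# second account, plus an unrelated failure that must not be flagged.
SAMPLE_LINES = [
    "2024-01-01 09:00:01\tAdminGuill\tagent01\tPrincipal does not possess one or more authenticators",
    "2024-01-01 09:00:05\tjguillette\tagent01\tAuthentication method success",
    "2024-01-01 09:01:10\tAdminGuill\tagent02\tUnable to resolve login by user id and/or alias, or authenticator not assigned to user",
    "Unable to find user AdminGuill with matching password",
    "2024-01-01 09:02:00\tbob\tagent01\tAuthentication method failed",
]

if __name__ == "__main__":
    for user, errs in summarize(SAMPLE_LINES).items():
        print(user)
        for err in errs:
            print("  -", err)
```

Run it against an activity-monitor export or the RADIUS log (one line per entry). A user ID that shows up in the summary while its counterpart account authenticates successfully is the pattern this article's resolution addresses.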
This article explains how these two user IDs can share a single SecurID token in Authentication Manager so that the user can log in with either account on a protected authentication agent.
Cause
If the two LDAP user accounts exist in the same external identity source, Authentication Manager may resolve the login to the real account that has no token assigned rather than to the alias of the account that does have a token.
Resolution
In the following example,
Prerequisite
If no user groups exist, first create an internal group or use an external LDAP group. From the Security Console select Identity > User Groups > Add New. Now add both the jguillette and AdminGuill user IDs to this group.
You will need a user group to assign to the user before continuing. If authentication is through a RADIUS client, also create a RADIUS profile.
- Login to the Security Console.
- Navigate to Identity > Users > Manage Existing.
- Set the Search Criteria for Identity Source to IS1 where User ID contains jguillette.
- In the User ID column, click on Jay's user ID and from the menu choose Authentication Settings.
- In the Authentication Settings section:
- For the option of User Authenticates With, select Default User ID, or any of the following aliases.
- Select a user group from the list.
- In the User ID field, add the logon alias of AdminGuill.
- If authenticating with RADIUS, be sure to add a RADIUS profile value.
- Click Add.
- Click Save when done.
- Go back to Identity > Users > Manage Existing.
- Set the Search Criteria for Identity Source to IS2 where User ID contains AdminGuill.
- In the User ID column, click on Jay's user ID and from the menu choose Authentication Settings.
- In the Authentication Settings section:
- For the option of User Authenticates With, select Only the following aliases (see the screenshot below).
- Select a user group from the list.
- In the User ID field, add the logon alias for jguillette, e.g. AdminGuill.
- If authenticating with RADIUS, be sure to add a RADIUS profile value.
- Click Add.
- Click Save.
[Screenshot: Authentication Settings with "Only the following aliases" selected]
- Navigate to Access > Authentication Agents > Manage Existing.
- Depending on the agent, click the Restricted or Unrestricted tab.
- Use the search fields to find the agent to which you want to enable logon aliases.
- Select the checkbox next to the agent to which you want to enable logon aliases.
- Do one of the following:
- For restricted agents, select Grant Access to User Groups from the Action Menu and click Go.
- For unrestricted agents, select Enable Logon Aliases from the Action Menu and click Go.
- Use the search fields to find the user groups to which you want to enable logon aliases.
- Select the checkbox next to the user group to which you want to enable logon aliases.
- Do one of the following:
- For restricted agents, click Grant Access to User Groups.
- For unrestricted agents, select Enable Logon Aliases with User Groups.
- Test authentication as both jguillette and as AdminGuill using the same token.
When testing, be sure to wait for the tokencode to roll to the next one before the second authentication so you don't get a passcode reuse attack error in the authentication activity monitor.
Notes
RSA strongly recommends that you do not allow users to share the same token. It is a poor security practice because it negates non-repudiation.
Allowing the same person with two different Windows accounts to use the same token with either account does not negate non-repudiation, so that use case is legitimate and is the reason this article was written.
To make this work, you must make Authentication Manager believe there is only one account (with an alias). It therefore follows that the Windows Password Integration feature of Authentication Manager will be unaware that there are two accounts and, if you enable Windows Password Integration, will maintain only a single Windows password for both. You will either need to disable this feature for this user or have the user manually keep the same password in AD for both accounts.