Unable to unlink or edit a missing/dead identity source that authenticates to global catalog (GC) from a realm in RSA Authentication Manager 8.x
Originally Published: 2009-07-08
Article Number
Applies To
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x
Issue
- One identity source that authenticates to a global catalog died and is never coming back online. This identity source needs to be unlinked and deleted from the realm. The following error displays when trying to unlink the missing identity source that authenticates to a GC:
One or more of the identity sources that use the runtime identity source as a referral are not part of the realm.
- The following error displays when trying to list tokens:
identity source unable to connect detail
- The domain controller died, and it cannot be unlinked from a realm.
- Unable to edit the identity source Map page because the actual machine is unavailable.
Cause
Resolution
You need to edit the missing identity source, then go to the Map page and deselect Authenticate users to a global catalog. However, if the machine is dead or otherwise unreachable, the Operations Console will not let you make any of these changes, so you need to fake it out by completing the steps below:
- Log in to the Operations Console and select Deployment Configuration > Identity Source > Manage Existing.
- From the drop-down for the identity source, choose Edit.
- Change the Directory URL to point to an actual existing and reachable identity source. It can be one of the other ones you currently use, as long as the machine is up and reachable.
- Now, go to the Map tab, and deselect the option to Authenticate users to a global catalog.
- Click Save when done.
- Log in to the Security Console and navigate to Setup > Identity Sources > Link Identity Source to System.
- Highlight the correct identity source in the Linked box on the right and, using the arrow keys, move it to the Available box.
- Click Save when done.
- Now you should be able to list tokens.
- To delete the identity source for good, run a cleanup job via the Security Console:
  - For Authentication Manager 7.1, navigate to Setup > Component Configuration > General > Synchronize with Identity Sources.
  - For Authentication Manager 8.x, navigate to Setup > Identity Sources > Cleanup Unresolvable Users.
- Finally, you can delete the identity source from the Operations Console.
Notes
Simple example scenario
- DC1 is an identity source that is the GC.
- DC2 is an identity source that authenticates to DC1.
- DC3 is an identity source that authenticates to DC1.
- DC1, DC2 and DC3 are linked to the same realm.
- DC2 dies and the decision is made to just forget about it and get rid of it.
In the scenario above you cannot list tokens and you cannot unlink just DC2 to get ready to delete it. You are stuck trying to unlink DC2 to clean up this situation so you can get back to managing users and tokens normally.