User Authentication
You can manage the user authentication as follows:
Manage User Authentication Settings
User authentication settings allow you to create exceptions to authentication policies for individual users. These settings also allow you to troubleshoot user authentication issues.
Before you begin
You must have a restricted or unrestricted agent. If you plan to configure a logon alias, the user must belong to a user group that has access to a restricted agent or has been enabled on an unrestricted agent.
Procedure
In the Security Console, click Identity > Users > Manage Existing.
Use the search fields to find the user that you want to manage.
From the search results, click the user that you want to manage.
From the context menu, click Authentication Settings.
If you want to assign a fixed passcode to the user, select the Fixed Passcode checkbox.
RSA recommends that you do not use fixed passcodes because they eliminate all the advantages of two-factor authentication.
Select the Clear Incorrect Passcodes checkbox to clear any incorrect passcodes. The count of incorrect passcodes is reset, and the user is not prompted for the next tokencode. The system also clears this count automatically with each correct passcode. However, if the user continues to enter incorrect passcodes and exceeds the number of failed logon attempts allowed by the lockout policy, the user is locked out of the system.
This operation only clears the existing count. To clear future counts, you must perform the procedure again.
Select Clear cached copy of selected user's Windows credential to clear a cached version of a user's password.
If your deployment uses RSA SecurID for Windows, AM saves a cached version of the user’s Windows logon password. This information may need to be cleared, if the Windows password has been changed in Active Directory.
If you want to assign a default shell to the user, enter it in the Default Shell field.
To configure a logon alias for the user:
Select whether you want to allow users to use their own User IDs and the alias.
You can use this option to prevent a conflict between users who share the same default User IDs.
Select the user group to which you want to assign the alias.
In the User ID field, enter the User ID that you want to assign to the alias. In the Shell field, enter the shell that you want assigned to the alias. If you are using RADIUS, from the RADIUS Profile drop-down menu, select the RADIUS profile to assign to the alias. Click Add.
If you use RADIUS, select the RADIUS profile and RADIUS user attributes to assign to the user:
From the User RADIUS Profile drop-down menu, select a RADIUS profile to assign to the user.
If you set up logon aliases for the user and you do not specify a RADIUS profile for each alias in step 9, AM assigns the user RADIUS profile to each alias.
In RADIUS User Attributes, select the attribute that you want to assign to the user, enter the value for the attribute in the Value field, and click Add. RADIUS user attributes take precedence over attributes in a RADIUS profile.
A RADIUS user attribute can be mapped to an identity source attribute. For more information, see Map a RADIUS User Attribute Definition to an Identity Source Attribute.
Click Save.
Resolving Duplicate User IDs
If two users with the same user name attempt to access the same protected resource, authentication will fail. This may occur if you link multiple identity sources to the same deployment and users with the same User ID exist in each identity source. In these cases, you have the following options:
- Map the User ID to another field where there are no duplicate values. For example, for an Active Directory identity source, you might be able to map to the UPN field or to a user’s email address.
- Change one of the User IDs in the identity source so that both User IDs become unique. This option may not be practical if the User ID is used for other applications.
- Assign authenticators to only one of the users with the duplicate User ID. This option is not practical if authenticators must be assigned to more than one user with the duplicate User ID.
- You can allow one user to authenticate with a logon alias, and you can prevent this user from authenticating with the default User ID.
Related Articles
User Authentication Attributes Number of Views Manage User Authentication Settings Number of Views Why use RSA SecurID Access AD FS SAML integration rather than the RSA Authentication Agent for Microsoft AD FS Number of Views Authentication error with LDAP user assigned the Super Admin role while providing additional credentials to the RSA Authen… Number of Views RSA SecurID Software Token 5.0 for Windows Quick Start Number of Views
Trending Articles
RSA MFA Agent 2.3.6 for Microsoft Windows Installation and Administration Guide RSA Release Notes for RSA Authentication Manager 8.8 RSA Authentication Manager 8.9 Release Notes (January 2026) Deploying RSA Authenticator 6.2.2 for Windows Using DISM RSA MFA Agent 2.4 for Microsoft Windows Installation and Administration Guide
