Description
This article describes how FortiTokens can end up in status 'Assigned' but with no associated user, and how to fix this.
Scope
FortiAuthenticator, FortiToken.
Solution
Under some circumstances, FortiTokens managed by FortiAuthenticator may end up in the state 'Assigned', but have no associated user, as in this screenshot:
This may happen under the following circumstances:
- Users are synced from remote LDAP or SAML and assigned a token via an LDAP or SAML attribute.
- A user is synced and is assigned an initial FortiToken.
- The assigned serial number set in the LDAP or SAML server changes.
- The same user is synced again. This causes two things:
- The user's FortiToken is updated to the new serial number.
- The old FortiToken remains in the status 'Assigned', but no longer belongs to any user.
This behavior is a reported issue with ID 923385 and has been fixed in firmware versions 6.4.8, 6.5.4, and 6.6.0, meaning tokens will no longer end up in the status 'Assigned' with no user.
However, tokens already in this state will not be automatically corrected.
There are three options to fix already affected tokens:
- Unlock the tokens.
- Delete them and add them to FortiAuthenticator again.
- Open a ticket with FortiAuthenticator support; Support team members have tools available for greater access to the underlying database and can find and fix affected tokens more easily.
