When a user is configured with one authentication server and role mapping is based on a user attribute, everything works fine. However, if the Authentication server is changed in the same realm, users under that realm will not be able to log in.
After the user is removed from and re-added to the role mapping, the user will be able to log in.
For example:
- The user is initially configured with Active Directory: go to user realm > servers > Authentication and select Active Directory from the drop-down menu.
- Create a rule in role mapping based on the user attribute.
- Ask the user to log in; the login is successful.
- Now go to the same user realm and change the Authentication server from the drop-down menu; select Radius, AD, LDAP or System local.
- Click Save Changes and the following error message is generated:
The following role mapping may break if server is changed. confirm server change then save changes to accept this change
- The above error message appears even when the same servers are used, such as Radius - Radius, Radius - AD, and so on.
- Users will not be able to log in unless the user is removed and re-added in role mapping for the particular realm.