I am currently planning and testing a deployment of RSA SID800 USB tokens as pre-boot logon with SSO for our remote SafeBoot users. At first it seemed straightforward enough and the key file writes (the first time) to the token without issue when you change the user's token from password only to RSA. However, as part of my testing I have been simulating lost tokens and switching the test users back to password only. I have found that this renders the tokens inoperable. They can't be reassigned to the same user or a different user for that matter and a "Too many incorrect authentication attempts" error is generated.
It seems that switching to password only automatically disables the token but there is no way in SBA to reset the token. The RSA integration guide is very basic and does not cover this scenario. I am sure I am overlooking something simple.
For the benefit of others, I used the RSA Authenticator Utility which allows you to reset the PIN with the PUK code that comes with the tokens. I am not sure why the token gets locked when unassigned but this seems to be a necessary step to allow reassigning or assigning to other users.