Subsequent attempts to use ssoadm fail in AM 6.x

Last updated Jan 12, 2023

The purpose of this article is to provide assistance if the first use of ssoadm in AM is successful but subsequent attempts fail with a "FATAL ERROR: Cannot obtain Application SSO token".

1 reader recommends this article

Symptoms

The first attempt to use ssoadm is successful, whereas subsequent attempts give the following response:

Logging configuration class "com.sun.identity.log.s1is.LogConfigReader" failed com.sun.identity.security.AMSecurityPropertiesException: AdminTokenAction: FATAL ERROR: Cannot obtain Application SSO token. Check AMConfig.properties for the following properties com.sun.identity.agents.app.username com.iplanet.am.service.password

Restarting the web application container in which AM runs allows you to successfully use ssoadm once more before getting the above response.

Recent Changes

Changed the dsameuser password.

Causes

The dsameuser is used by ssoadm to authenticate with AM. The first authentication attempt to ssoadm uses the dsameuser password from the bootstrap file (local configuration) and subsequent authentication attempts use the dsameuser password from the SpecialRepo userstore (global configuration). This is a known issue: OPENAM-4292 (dsameuser authentication on /authservice differs at startup). Therefore, if your dsameuser passwords are different in your global and local configurations, subsequent authentications to ssoadm will fail.

Subsequent attempts to use ssoadm fail in AM 6.x

Symptoms

Recent Changes

Causes

Solution

See Also

Related Training

Related Issue Tracker IDs