Solutions
ForgeRock Identity Platform
Does not apply to Identity Cloud

Subsequent attempts to use ssoadm fail in AM 5.x and 6.x

Last updated Apr 13, 2021

The purpose of this article is to provide assistance if the first use of ssoadm in AM is successful but subsequent attempts fail with a "FATAL ERROR: Cannot obtain Application SSO token".


1 reader recommends this article

Symptoms

The first attempt to use ssoadm is successful, whereas subsequent attempts give the following response:

Logging configuration class "com.sun.identity.log.s1is.LogConfigReader" failed com.sun.identity.security.AMSecurityPropertiesException: AdminTokenAction: FATAL ERROR: Cannot obtain Application SSO token. Check AMConfig.properties for the following properties com.sun.identity.agents.app.username com.iplanet.am.service.password

Restarting the web application container in which AM runs allows you to successfully use ssoadm once more before getting the above response.

Recent Changes

Changed the dsameuser password.

Causes

The dsameuser is used by ssoadm to authenticate with AM. The first authentication attempt to ssoadm uses the dsameuser password from the bootstrap file (local configuration) and subsequent authentication attempts use the dsameuser password from the SpecialRepo userstore (global configuration). This is a known issue:  OPENAM-4292 (dsameuser authentication on /authservice differs at startup). Therefore, if your dsameuser passwords are different in your global and local configurations, subsequent authentications to ssoadm will fail. 

Solution

This issue can be resolved by ensuring your dsameuser has the same password in your global and local configurations.

See How do I change the dsameuser password in AM 5.x or 6.x? for further information on changing your dsameuser password.

See Also

How do I change the dsameuser password in AM 5.x or 6.x?

ssoadm fails in AM (All versions) with FATAL ERROR: Cannot obtain Application SSO token

FAQ: Installing and using ssoadm in AM

How do I enable message level debugging for ssoadm in AM (All versions)?

Using ssoadm in AM

Related Training

N/A

Related Issue Tracker IDs

OPENAM-4292 (dsameuser authentication on /authservice differs at startup)


Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.