The following error is shown when accessing the login page using a URL such as http://host1.example.com:18080/openam/XUI/#login/:

Unknown Error - Please contact your Administrator
When the message disappears, AM hangs and displays a Loading... message.
Variants of this issue can be seen when accessing AM over SSL (for example, using a URL such as: https://host1.example.com:18443/openam/XUI/#login/) or through a load balancer.
Disabling CORS allows access.
This only affects the Chrome browser; using Firefox® works.
Enabled the CORS filter.
Added a load balancer in front of AM when CORS was already enabled and working.
Enabled SSL on AM when CORS was already enabled and working.
Added a realm DNS alias when CORS was already enabled and working.
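Some browsers, such as Chrome, send the Origin header in the request even in same-origin scenarios. The CORS filter therefore evaluates requests made to AM's own URL, and they fail if that origin is not one the filter accepts.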
This issue can be resolved by adapting the CORS filter configuration to allow all possible server origins. You may have to include the hostname with both http and https protocols, the server name and the load balancer FQDN, and the port number if it is not the default. See Security Guide › Configuring CORS Support for general instructions on setting up a CORS filter:
- If you need to access more than one hostname, for example, you access AM through a load balancer and also have direct access to the AM server, you should remove or comment out the Expected Hostname section in the CORS filter as this only allows one hostname:

  ```xml
  <!--init-param>
      <description>
          Expected Hostname (Optional): The name of the host expected in the request Host header.
      </description>
      <param-name>expectedHostname</param-name>
      <param-value>host1.example.com:18080</param-value>
  </init-param-->
  ```

  An RFE exists to allow a list of hostnames to be specified instead: OPENAM-9890 (Allow list in expected Hostname section of CORS Filter).
- Add each URL that is allowed to the Accepted Origins section. Include the protocol and the port if it is not the default. For example, if you want to allow access to https://lb.example.com:443/openam and http://host1.example.com:18080/openam, as well as a real cross-origin URL such as https://other.origin.example.com:443/myApp, the Accepted Origins section in the CORS filter on openam1 would look like this:

  ```xml
  <init-param>
      <description>
          Accepted Origins (Required): A comma separated list of origins from which to accept CORS requests.
      </description>
      <param-name>origins</param-name>
      <param-value>
          http://host1.example.com:18080,https://lb.example.com,https://other.origin.example.com
      </param-value>
  </init-param>
  ```
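The following check is an added example, not part of the original article or of AM itself: it compares each URL used to reach AM against the `origins` and `expectedHostname` values and flags list entries that a browser-sent Origin can never equal. It assumes the filter matches the Origin and Host headers as exact strings; the function names are hypothetical.

```javascript
// Added example. Assumption: the CORS filter compares the Origin and Host
// request headers to the configured values as exact strings.

// Origin header as a browser serialises it: scheme://host, with the port only
// when it is not the scheme default (80 for http, 443 for https).
function originOf(url) {
  return new URL(url).origin;
}

// Split the comma-separated <param-value> of the "origins" init-param.
function parseOrigins(paramValue) {
  return paramValue.split(",").map((s) => s.trim()).filter(Boolean);
}

// Entries that can never match: they carry a path, a trailing slash or a default port.
function malformedOrigins(paramValue) {
  return parseOrigins(paramValue).filter((entry) => {
    try { return new URL(entry).origin !== entry; } catch { return true; }
  });
}

// For each URL through which AM itself is reached, report whether the Origin
// (sent by Chrome even for same-origin requests) and the Host would be accepted.
// Pass expectedHostname as null when that init-param is commented out.
function auditCorsFilter(originsParam, expectedHostname, amUrls) {
  const accepted = new Set(parseOrigins(originsParam));
  return amUrls.map((url) => {
    const host = new URL(url).host; // Host header; default port omitted
    return {
      url,
      origin: originOf(url),
      originAccepted: accepted.has(originOf(url)),
      hostAccepted: expectedHostname === null || expectedHostname === host,
    };
  });
}

// Constructed sample: the AM URLs and the origins value from the example above.
const urls = [
  "http://host1.example.com:18080/openam",
  "https://lb.example.com:443/openam",
];
const originsParam =
  "http://host1.example.com:18080,https://lb.example.com,https://other.origin.example.com";
console.log(auditCorsFilter(originsParam, "host1.example.com:18080", urls));
console.log(malformedOrigins("https://lb.example.com:443, http://host1.example.com:18080/openam"));
```

With `expectedHostname` left at `host1.example.com:18080`, the load balancer URL is reported with `hostAccepted: false`, which is the single-hostname limitation described in the first bullet.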
You must restart the web application container in which AM runs to apply these configuration changes.
See How do I troubleshoot issues with the CORS filter in AM (All versions)? if these changes do not resolve your issues.