Solutions

WDSSO authentication fails with java.lang.ArrayIndexOutOfBoundsException after upgrading to, or installing AM 5.1.1

Last updated Jul 9, 2018

The purpose of this article is to provide assistance if you encounter a "javax.security.auth.login.LoginException: java.lang.ArrayIndexOutOfBoundsException" when Kerberos / Windows Desktop SSO (WDSSO) authentication fails after upgrading to, or installing AM 5.1.1. You will see "SETTING Failure Module name.... :WDSSOmodule" and "failureModuleSet is : [WDSSOmodule]" errors instead if you are using an authentication chain with the WDSSO module.


Symptoms

You will see one of the following errors in the Authentication debug log depending on whether you are using an authentication chain or not.

No authentication chain

If you are authenticating using a URL such as:

http://host1.example.com:8080/openam/XUI/?realm=/employees#login&module=WDSSO

You will see the following error in the Authentication debug log when WDSSO authentication fails:

amAuth:12/11/2017 09:32:47:736 AM CEST: Thread[http-nio-8080-exec-3,5,main]: TransactionId[a4ecba01-9bb4-e309-4441-14b6500b1cb9-249] 
Error during login.. 
amAuth:12/11/2017 09:32:47:736 AM CEST: Thread[http-nio-8080-exec-3,5,main]: TransactionId[a4ecba01-e309-9bb4-4441-14b6500b1cb9-249] 
Exception 
javax.security.auth.login.LoginException: java.lang.ArrayIndexOutOfBoundsException: 7 
   at com.sun.identity.authentication.modules.windowsdesktopsso.WindowsDesktopSSO.initWindowsDesktopSSOAuth(WindowsDesktopSSO.java:591) 
   at com.sun.identity.authentication.modules.windowsdesktopsso.WindowsDesktopSSO.process(WindowsDesktopSSO.java:158) 
   at com.sun.identity.authentication.spi.AMLoginModule.wrapProcess(AMLoginModule.java:1083) 
   at com.sun.identity.authentication.spi.AMLoginModule.login(AMLoginModule.java:1274) 
   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) 
   at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) 
   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) 
   at java.lang.reflect.Method.invoke(Method.java:498) 
   at com.sun.identity.authentication.jaas.LoginContext.invoke(LoginContext.java:219) 
   at com.sun.identity.authentication.jaas.LoginContext.login(LoginContext.java:127) 
   at com.sun.identity.authentication.service.AMLoginContext.runLogin(AMLoginContext.java:559) 
   at com.sun.identity.authentication.server.AuthContextLocal.submitRequirements(AuthContextLocal.java:586) 
   at org.forgerock.openam.core.rest.authn.core.wrappers.AuthContextLocalWrapper.submitRequirements(AuthContextLocalWrapper.java:107) 
   at org.forgerock.openam.core.rest.authn.core.LoginProcess.next(LoginProcess.java:167) 
   at org.forgerock.openam.core.rest.authn.RestAuthenticationHandler.processAuthentication(RestAuthenticationHandler.java:260) 
   at org.forgerock.openam.core.rest.authn.RestAuthenticationHandler.authenticate(RestAuthenticationHandler.java:165) 
   at org.forgerock.openam.core.rest.authn.RestAuthenticationHandler.initiateAuthentication(RestAuthenticationHandler.java:96) 
   at org.forgerock.openam.core.rest.authn.http.AuthenticationServiceV1.authenticate(AuthenticationServiceV1.java:159) 

Authentication chain

If you are authenticating using a URL such as:

http://host1.example.com:8080/openam/XUI/?realm=/employees#login&service=WDSSOchain

You will see the following error in the Authentication debug log when WDSSO authentication fails, where WDSSOmodule is the module name in this example:

amAuthWindowsDesktopSSO:12/11/2017 09:32:47:736 AM CEST: Thread[tomcat-http--50,5,main]: TransactionId[a4ecba01-e309-9bb4-4441-14b6500b1cb9-249]
Service login succeeded.
amLoginModule:12/11/2017 09:32:47:736 AM CEST: Thread[tomcat-http--50,5,main]: TransactionId[a4ecba01-e309-9bb4-4441-14b6500b1cb9-249]
SETTING Failure Module name.... :WDSSOmodule
amAuth:12/11/2017 09:32:47:736 AM CEST: Thread[tomcat-http--50,5,main]: TransactionId[a4ecba01-e309-9bb4-4441-14b6500b1cb9-249]
Module name is .. WDSSOmodule
amAuth:12/11/2017 09:32:47:736 AM CEST: Thread[tomcat-http--50,5,main]: TransactionId[a4ecba01-e309-9bb4-4441-14b6500b1cb9-249]
failureModuleSet is : [WDSSOmodule]
amAuth:12/11/2017 09:32:47:736 AM CEST: Thread[tomcat-http--50,5,main]: TransactionId[a4ecba01-e309-9bb4-4441-14b6500b1cb9-249]
getUserDN: null
amJAAS:12/11/2017 09:32:47:736 AM CEST: Thread[tomcat-http--50,5,main]: TransactionId[a4ecba01-e309-9bb4-4441-14b6500b1cb9-249]
Method login LoginModuleControlFlag: sufficient failure.
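
A triage sketch for the two log signatures shown above, added here as an example (it is not ForgeRock code): it groups Authentication debug log records by TransactionId and reports which symptom each transaction matches. The sample log and its transaction IDs are constructed. A chain match carries no exception text, so confirm it against the AM version.

```python
import re
from collections import defaultdict

# Header line of an AM debug record, as shown in the log excerpts above.
HEADER = re.compile(r"^(?P<log>\w+):\d\d/\d\d/\d{4} [\d:]+ [AP]M \w+: "
                    r"Thread\[[^\]]*\]: TransactionId\[(?P<txn>[^\]]+)\]\s*$")
FAILSET = re.compile(r"failureModuleSet is : \[([^\]]*)\]")
EXC = "java.lang.ArrayIndexOutOfBoundsException"
FRAME = "WindowsDesktopSSO.initWindowsDesktopSSOAuth"

def parse_records(text):
    """Group each header line with the message lines that follow it."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            records.append((m["log"], m["txn"], []))
        elif records and line.strip():
            records[-1][2].append(line.strip())
    return [(log, txn, "\n".join(body)) for log, txn, body in records]

def triage(text):
    """Map TransactionId -> which symptom from the article it matches."""
    by_txn = defaultdict(list)
    for log, txn, msg in parse_records(text):
        by_txn[txn].append((log, msg))
    findings = {}
    for txn, recs in by_txn.items():
        failed = [f[1] for _, m in recs if (f := FAILSET.search(m))]
        if any(EXC in m and FRAME in m for _, m in recs):
            findings[txn] = "module: " + EXC
        elif failed and any(log == "amAuthWindowsDesktopSSO"
                            and "Service login succeeded" in m for log, m in recs):
            findings[txn] = "chain: failed module " + failed[0]
    return findings

# Constructed sample in the article's log format; transaction ids are made up.
SAMPLE = """\
amAuth:12/11/2017 09:32:47:736 AM CEST: Thread[http-nio-8080-exec-3,5,main]: TransactionId[sample-txn-1]
javax.security.auth.login.LoginException: java.lang.ArrayIndexOutOfBoundsException: 7
   at com.sun.identity.authentication.modules.windowsdesktopsso.WindowsDesktopSSO.initWindowsDesktopSSOAuth(WindowsDesktopSSO.java:591)
amAuthWindowsDesktopSSO:12/11/2017 09:33:10:120 AM CEST: Thread[tomcat-http--50,5,main]: TransactionId[sample-txn-2]
Service login succeeded.
amAuth:12/11/2017 09:33:10:121 AM CEST: Thread[tomcat-http--50,5,main]: TransactionId[sample-txn-2]
failureModuleSet is : [WDSSOmodule]
amAuth:12/11/2017 09:34:00:000 AM CEST: Thread[tomcat-http--50,5,main]: TransactionId[sample-txn-3]
failureModuleSet is : [LDAPmodule]
"""
if __name__ == "__main__": print(triage(SAMPLE))
```

The third sample transaction is a module failure with no preceding WDSSO service login, so it is left unflagged.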

Recent Changes

Upgraded to AM 5.1.1 with an existing WDSSO module.

Configured the WDSSO authentication module after upgrading to, or installing AM 5.1.1.

Causes

The WDSSO authentication module stores service schema attributes in a String array and references them using index numbers. Following recent changes to resolve OPENAM-5153 (Auth modules should call setAuthLevel after successful login), the index numbers got out of sync and caused the ArrayIndexOutOfBoundsException.

Solution

This issue can be resolved by upgrading to AM 5.5 or later; you can download this from BackStage.

Additionally, there is an existing patch fix available for AM 5.1.1 that can be obtained by raising a ticket with ForgeRock Support.

See Also

How do I set up Windows Desktop SSO in AM/OpenAM (All versions)?

How do I enable debug logging for troubleshooting WDSSO and Kerberos issues in AM/OpenAM (All versions)?

Configuring and troubleshooting WDSSO in AM/OpenAM

Related Training

N/A

Related Issue Tracker IDs

OPENAM-11610 (WindowSSO module broken in AM 5.1.1 after upgrade)



Copyright © 2018 ForgeRock, all rights reserved.