Authentication fails in AM (All versions) when the user name contains special characters
The purpose of this article is to provide assistance when authentication fails in AM because the user name contains special characters. You will see errors such as: "Detected invalid chars" or "User Name validation Failed". The information in this article only applies when you are using authentication modules and chains.
Symptoms
A user can be created in DS with a special character (such as & or !) in their user name, but when they try to authenticate to an application protected by AM, authentication fails with the following error in the IdRepo debug log:
amProfile_ldap:10/01/2019 11:51:36:600 AM BST: Thread[http--182.127.17.56-8080-113,5,main] ERROR: AMUserPasswordValidationPlugin.validateUserID() : Detected invalid chars ... amProfile_ldap:10/01/2019 11:51:36:600 AM BST: Thread[http--182.127.17.56-8080-113,5,main] ERROR: AMUserPasswordValidationPlugin.validateUserID() : User Name validation Failed:&An exception similar to the following is shown in the Authentication debug log (when debug level is set to Message):
Exception : com.sun.identity.authentication.spi.AuthLoginException: a1234567! contains invalid characters : & at com.sun.identity.authentication.spi.AMLoginModule.wrapProcess(AMLoginModule.java:1008) at com.sun.identity.authentication.spi.AMLoginModule.login(AMLoginModule.java:1105) at sun.reflect.GeneratedMethodAccessor19.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) amLoginModule:15/01/2019 10:57:05:526 AM BST: Thread[ajp-/205.132.14.197:11009-4,5,main] User Name validation Faileda1234567! contains invalid characters : ! amAuthLDAP:15/01/2019 10:57:05:526 AM BST: Thread[ajp-/205.132.14.197:11009-4,5,main] Invalid Characters detected amLoginModule:15/01/2019 10:57:05:526 AM BST: Thread[ajp-/205.132.14.197:11009-4,5,main] SETTING Failure Module name.... :LDAP amAuth:15/01/2019 10:57:05:526 AM BST: Thread[ajp-/205.132.14.197:11009-4,5,main] Module name is .. LDAP amAuth:15/01/2019 10:57:05:526 AM BST: Thread[ajp-/205.132.14.197:11009-4,5,main] failureModuleSet is : [LDAP] amJAAS:15/01/2019 10:57:05:526 AM BST: Thread[ajp-/205.132.14.197:11009-4,5,main] Method login LoginModuleControlFlag: requisite failure. amLoginModule:15/01/2019 10:57:05:526 AM BST: Thread[ajp-/205.132.14.197:11009-4,5,main] ABORT return.... false amJAAS:15/01/2019 10:57:05:526 AM BST: Thread[ajp-/205.132.14.197:11009-4,5,main] abort success amLoginModule:15/01/2019 10:57:05:526 AM BST: Thread[ajp-/205.132.14.197:11009-4,5,main] ABORT return.... false amJAAS:15/01/2019 10:57:05:526 AM BST: Thread[ajp-/205.132.14.197:11009-4,5,main] abort success amLoginModule:15/01/2019 10:57:05:526 AM BST: Thread[ajp-/205.132.14.197:11009-4,5,main] ABORT return.... false amJAAS:15/01/2019 10:57:05:526 AM BST: Thread[ajp-/205.132.14.197:11009-4,5,main] abort ignored amAuth:15/01/2019 10:57:05:526 AM BST: Thread[ajp-/205.132.14.197:11009-4,5,main] LOGINFAILED Error.... amAuth:15/01/2019 10:57:05:526 AM BST: Thread[ajp-/205.132.14.197:11009-4,5,main]Recent Changes
Created a user with a user name that contains special characters. By default, these special characters are one of the following: * ( ) & !
Causes
This is expected behavior. AM checks that the user name does not contain special characters when authenticating. These checks are performed against the list of special characters defined in the identity store, and also the LDAP and/or DataStore authentication modules if used in the authentication chain.
Solution
This issue can be resolved by replacing the special characters in user names with alternative characters that are permitted.
Alternatively, you can change the special characters permitted by removing the character(s) that you specifically want to include in user names in the following places:
-
Identity store: the list of special characters is defined via the usernameInvalidChars property, which has a default value of
*|(|)|&|!
- LDAP and/or DataStore authentication modules: the list of special characters is defined in the iplanet-am-auth-ldap-invalid-chars property, which has the same default value. If you use either or both of these modules in your authentication chain, you must update this property in the respective module(s) as well.
See How do I change what characters are permitted in user names in AM (All versions) for authentication purposes? for further information on changing these properties.
Warning
Special characters (& and * in particular) are also used in different contexts, such as building filters to look up values in LDAP or for privilege evaluation. Removing the default characters from these properties may lead to unexpected behavior (in particular, it is likely to break any modules related to LDAP) and is therefore not recommended . If you choose to remove these default characters, you should test your changes in a pre-production environment first.
See Also
Related Training
N/A
Related Issue Tracker IDs
N/A