The amAdmin user cannot log into the AM admin UI. You may see one of the following errors when you try to log in depending on the root cause:
One of the following errors is shown in the browser, even though your credentials are correct:
- User name/password combination is invalid.
- Login/password combination is invalid.
- Authentication service is not initialized. Contact your system administrator.
- Unable to login to OpenAM
- Service Unavailable The service is currently unavailable. It may be temporarily overloaded or under going maintenance. Please try again later.
The following error is shown in your Authentication debug log; no error is shown in the browser:

amAuth:12/15/2016 09:27:03:209 AM UTC: Thread[http-nio-8080-exec-8,5,main] LoginState: getting identity Got IdRepException in IdUtils.getIdentity Message:Illegal universal identifier amAdmin.
The following error is shown in your Session debug log, and an authentication failed error may also be seen in the browser:

CTS: Operation failed: Result Code: Object Class Violation Diagnostic Message: Entry coreTokenId=-3581527715699050299,ou=famrecords,ou=openam-session,ou=tokens,dc=example,dc=com violates the Directory Server schema configuration because it includes attribute coreTokenMultiString01 which is not allowed by any of the objectclasses defined in that entry Matched DN:
    at org.forgerock.openam.cts.impl.LdapAdapter.create(LdapAdapter.java:110)
    at org.forgerock.openam.sm.datalayer.impl.tasks.CreateTask.performTask(CreateTask.java:48)
    at org.forgerock.openam.sm.datalayer.api.AbstractTask.execute(AbstractTask.java:41)
    at org.forgerock.openam.sm.datalayer.impl.SeriesTaskExecutor$AuditRequestContextPropagatingTask.execute(SeriesTaskExecutor.java:209)
    at org.forgerock.openam.sm.datalayer.impl.SimpleTaskExecutor.execute(SimpleTaskExecutor.java:59)
    at org.forgerock.openam.sm.datalayer.impl.SeriesTaskExecutorThread.run(SeriesTaskExecutorThread.java:85)
You may have recently made one of the following changes:
- Installed AM or upgraded to a later version.
- Enabled secure cookies.
- Changed the default cookie domain.
- Created a new authentication chain and set it as the default for the top level realm.
The cause varies depending on what recent changes you have made:
When installing or upgrading to AM 6 from a previous version, missing schemas for the external CTS will prevent you from logging in (and you will see the CTS: Operation failed error in the Session debug log). This is not an issue in AM 6.5 and later because of setup profiles.
Additionally, because the Core Token Service (CTS) token store is the authoritative source for sessions, the amAdmin user will not be able to log into the admin UI if the CTS store is down or misconfigured. There is an RFE to address the misconfiguration aspect: OPENAM-10383 (Validation of External CTS store using OpenAM GUI).
If you have enabled AM to set cookies in secure mode, the browser will only return the session cookie if a secure protocol such as HTTPS is used; the cookie will not be returned over non-SSL connections. Although you have successfully authenticated, the cookie containing the session token is not passed to AM, which prevents the login from succeeding.
The cookie domain defaults to the full FQDN. Login will not succeed unless the cookie domain is set correctly.
See FAQ: Cookies in AM (Q. What does the cookie domain default to?) for further information about this change.
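To see the two cookie-related causes above in action, here is an added example (it is not from this article and is not AM code) that uses Python's standard-library cookie jar as a stand-in for the browser's cookie policy. It builds a session cookie the way AM would set it (the cookie name iPlanetDirectoryPro is AM's default and is assumed here; the cookie value and host names are constructed) and checks whether a browser would return it on a given request: a Secure cookie is withheld over plain http, and a cookie whose domain does not match the host in the URL is withheld as well, which is exactly the situation in which authentication succeeds but the login never completes.

```python
# Added example (not from the ForgeRock article): simulate a browser's decision
# to return (or withhold) the AM session cookie, using Python's cookie jar.
from http.cookiejar import Cookie, CookieJar
from urllib.request import Request

# Assumed: AM's default session cookie name. The value below is constructed.
SESSION_COOKIE = "iPlanetDirectoryPro"


def make_session_cookie(domain: str, secure: bool) -> Cookie:
    """Build a Netscape-style session cookie scoped to `domain`, optionally Secure."""
    return Cookie(
        version=0, name=SESSION_COOKIE, value="AQIC5wM2LY4S-constructed",
        port=None, port_specified=False,
        domain=domain, domain_specified=True,
        domain_initial_dot=domain.startswith("."),
        path="/", path_specified=True,
        secure=secure, expires=None, discard=True,
        comment=None, comment_url=None, rest={},
    )


def cookie_sent(url: str, cookie_domain: str, secure: bool) -> bool:
    """True if the browser policy would attach the session cookie to a request for `url`."""
    jar = CookieJar()
    jar.set_cookie(make_session_cookie(cookie_domain, secure))
    req = Request(url)
    jar.add_cookie_header(req)  # applies the Secure-flag and domain-match checks
    return req.has_header("Cookie")


if __name__ == "__main__":
    # Secure cookies enabled but AM reached over plain HTTP: cookie withheld.
    print(cookie_sent("http://am.example.com:8080/am/XUI/", "am.example.com", True))
    # Same cookie over HTTPS: cookie returned, login completes.
    print(cookie_sent("https://am.example.com:8443/am/XUI/", "am.example.com", True))
    # Cookie domain set to a different FQDN than the one in the browser URL: withheld.
    print(cookie_sent("https://am.example.com:8443/am/XUI/", "other.example.com", False))
```

The check is cheap to run against your own values: put the FQDN from the browser's address bar and the cookie domain configured in AM into `cookie_sent`; a `False` for the https URL points at the cookie domain rather than at credentials.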
If you have created a new authentication chain, set it as the default for the top level realm and use a login URL such as:

https://am.example.com:8443/am/XUI/#login

The amAdmin user cannot log in as this URL format (am/XUI/#login) directs them to the authentication chain specified in the Organization Authentication Configuration setting. The amAdmin user needs to log in via the DataStore module.
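As an added example (not part of this article) of turning the symptoms above into a quick triage check, the following Python matches the debug-log messages quoted in this article against their causes. The CTS schema mapping is the one the article gives; treating the "Illegal universal identifier amAdmin" message as the authentication-chain case is an assumption made for this example. The sample log lines are constructed from the messages quoted above, plus one unrelated line to show that non-matching entries are ignored.

```python
# Added example (not from the ForgeRock article): classify Authentication/Session
# debug-log lines into the login-failure causes this article describes.
import re

# Constructed sample lines, based on the messages quoted in the article.
SAMPLE_LOG = [
    "CTS: Operation failed: Result Code: Object Class Violation Diagnostic Message: "
    "Entry coreTokenId=-3581527715699050299,ou=famrecords,ou=openam-session,ou=tokens,"
    "dc=example,dc=com violates the Directory Server schema configuration because it "
    "includes attribute coreTokenMultiString01 which is not allowed by any of the "
    "objectclasses defined in that entry Matched DN:",
    "amAuth:12/15/2016 09:27:03:209 AM UTC: Thread[http-nio-8080-exec-8,5,main] "
    "LoginState: getting identity Got IdRepException in IdUtils.getIdentity "
    "Message:Illegal universal identifier amAdmin.",
    "amAuth:12/15/2016 09:27:04:000 AM UTC: Thread[http-nio-8080-exec-9,5,main] "
    "LoginState: constructed filler line with no known signature",
]

# (key, pattern, remediation). Patterns are anchored on text from the article.
SIGNATURES = [
    (
        "cts-schema",
        re.compile(r"Object Class Violation.*?includes attribute (?P<detail>\S+) which is not allowed"),
        "Import cts-add-multivalue-indices.ldif into the external CTS store (AM 6 install/upgrade).",
    ),
    (
        # Mapping assumed for this example; the article does not state it explicitly.
        "admin-auth-chain",
        re.compile(r"Illegal universal identifier (?P<detail>[^\s.]+)"),
        "Log amAdmin in with &module=DataStore or &service=adminconsoleservice, then check the default chain.",
    ),
]


def diagnose(lines):
    """Return one finding per matched signature, in the order first seen."""
    findings = {}
    for line in lines:
        for key, pattern, advice in SIGNATURES:
            if key in findings:
                continue
            match = pattern.search(line)
            if match:
                findings[key] = {
                    "cause": key,
                    "detail": match.group("detail"),
                    "advice": advice,
                }
    return list(findings.values())


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG):
        print(f"{finding['cause']}: {finding['detail']} -> {finding['advice']}")
```

An empty result is informative too: the secure-cookie and cookie-domain causes above leave no error in these debug logs, so a failed amAdmin login with no matching signature is a reason to check the cookie settings next.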
The solution depends on the cause:
- Import the following schemas after installing or upgrading to AM 6: cts-add-multivalue-indices.ldif. See CTS Installation Script for a sample install script that imports these schemas.
- Ensure the CTS store is up and running.
- Use ssoadm to make changes if the external CTS is misconfigured and preventing access; see How do I configure an external CTS token store in AM (All versions) using Amster or ssoadm? for further information.
You can either use a secured HTTPS connection to access AM or disable Secure cookies as detailed in: Login to AM (All versions) fails with valid username/password after enabling Secure cookies.
You should ensure the cookie domain is set to the full FQDN of the server. If you have a site configuration, you should use the FQDN of the first server in your deployment.
See Platform for further information on setting the cookie domain.
You should force the amAdmin user to log in to the AM admin UI using one of the following URLs:
- Append the login URL with the adminconsoleservice service, for example: https://am.example.com:8443/am/XUI/#login/&service=adminconsoleservice
  The adminconsoleservice service uses the authentication chain defined for the administrator (Administrator Authentication Configuration).
- Append the login URL with the DataStore module, for example: https://am.example.com:8443/am/XUI/#login/&module=DataStore
- AM 6.x: Use the am/console URL, for example: https://am.example.com:8443/am/console
If you changed the default authentication chain in the top level realm by mistake, you can use one of the above URLs to log in and revert the authentication chain.