ForgeRock Identity Platform
Does not apply to Identity Cloud

Login to AM admin UI (All versions) fails for amAdmin user

Last updated Jan 16, 2023

The purpose of this article is to provide assistance if login to the AM admin UI fails for the amAdmin user. The amAdmin user is stored in the configuration data store rather than the user data store.



The amAdmin user cannot log into the AM admin UI. You may see one of the following errors when you try to log in depending on the root cause:


One of the following error(s) is shown in the browser, even though your credentials are correct:

  • User name/password combination is invalid.
  • Login/password combination is invalid.
  • Authentication service is not initialized. Contact your system administrator.
  • Unable to login to OpenAM
  • Service Unavailable The service is currently unavailable. It may be temporarily overloaded or under going maintenance. Please try again later.

Authentication debug log

The following error is shown in your Authentication debug log; no error is shown in the browser:

amAuth:12/15/2016 09:27:03:209 AM UTC: Thread[http-nio-8080-exec-8,5,main] LoginState: getting identity Got IdRepException in IdUtils.getIdentity Message:Illegal universal identifier amAdmin.

Session debug log

The following error is shown in your Session debug log and an authentication failed error may also be seen in the browser:

CTS: Operation failed: Result Code: Object Class Violation Diagnostic Message: Entry coreTokenId=-3581527715699050299,ou=famrecords,ou=openam-session,ou=tokens,dc=example,dc=com violates the Directory Server schema configuration because it includes attribute coreTokenMultiString01 which is not allowed by any of the objectclasses defined in that entry Matched DN: at org.forgerock.openam.cts.impl.LdapAdapter.create( at at at$AuditRequestContextPropagatingTask.execute( at at

Recent Changes

  • Installed AM or upgraded to a later version.
  • Enabled secure cookies.
  • Changed the default cookie domain.
  • Created a new authentication chain and set it as the default for the top level realm.


The cause varies depending on what recent changes you have made:

Install or upgrade

When installing or upgrading to AM 6 from a previous version, missing schemas for the external CTS will prevent you from logging in (and you will see the CTS: Operation failed error in the Session debug log). This is not an issue in AM 6.5 and later because of setup profiles.

Additionally, because the Core Token Service (CTS) token store is the authoritative source for sessions, the amAdmin user will not be able to log into the admin UI if the CTS store is down or misconfigured. There is an RFE to address the misconfiguration aspect: OPENAM-10383 (Validation of External CTS store using OpenAM GUI).
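As an added example (not from the article or from AM itself), the following triage routine recognises the two debug-log symptoms quoted above, pulls out the result code, entry DN and offending attribute from the CTS failure, and separates it from the identity lookup failure; the two log lines are embedded as constructed copies of the ones shown in the article, and the symptom labels and cause strings are the example's own.

```python
import re

# Constructed copies of the two debug-log lines quoted in the article, used as sample input.
AUTH_DEBUG_LINE = (
    "amAuth:12/15/2016 09:27:03:209 AM UTC: Thread[http-nio-8080-exec-8,5,main] "
    "LoginState: getting identity Got IdRepException in IdUtils.getIdentity "
    "Message:Illegal universal identifier amAdmin."
)
SESSION_DEBUG_LINE = (
    "CTS: Operation failed: Result Code: Object Class Violation Diagnostic Message: "
    "Entry coreTokenId=-3581527715699050299,ou=famrecords,ou=openam-session,"
    "ou=tokens,dc=example,dc=com violates the Directory Server schema configuration "
    "because it includes attribute coreTokenMultiString01 which is not allowed by "
    "any of the objectclasses defined in that entry"
)

CTS_FAILURE = re.compile(
    r"CTS: Operation failed: Result Code: (?P<code>.+?) Diagnostic Message: "
    r"Entry (?P<dn>\S+) violates .*?includes attribute (?P<attr>\S+) which is not allowed"
)
IDREP_FAILURE = re.compile(r"Got IdRepException in (?P<where>\S+) Message:(?P<msg>.+?)\.?$")


def triage(line):
    """Classify one AM debug-log line; None if it is not one of the known symptoms."""
    m = CTS_FAILURE.search(line)
    if m:
        finding = {"symptom": "cts_write_failed", "result_code": m["code"],
                   "entry": m["dn"], "attribute": m["attr"]}
        # A schema (Object Class) violation on the token store is the missing
        # CTS schema case the article ties to installing or upgrading to AM 6;
        # any other CTS failure points at the store being down or misconfigured.
        if m["code"] == "Object Class Violation" and "ou=tokens" in m["dn"]:
            finding["cause"] = "CTS schema missing from the external CTS store"
        else:
            finding["cause"] = "CTS store down or misconfigured"
        return finding
    m = IDREP_FAILURE.search(line)
    if m:
        return {"symptom": "identity_lookup_failed", "where": m["where"],
                "message": m["msg"].strip(),
                # amAdmin lives in the configuration store, not the user data store
                "note": "amAdmin is resolved from the configuration data store"}
    return None


def triage_log(text):
    """Run triage over every line of a debug log and return the findings in order."""
    return [f for f in (triage(l) for l in text.splitlines()) if f]
```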

Secure cookies

If you have enabled AM to set cookies in secure mode, the browser will only return the session cookie if a secure protocol such as HTTPS is used; the cookie will not be returned over non-SSL connections. Although you have successfully authenticated, the cookie containing the session token is not passed to AM, which prevents the login from succeeding.

Cookie domain

The cookie domain defaults to the full FQDN. Login will not succeed unless the cookie domain is set correctly.

See FAQ: Cookies in AM (Q. What does the cookie domain default to?) for further information about this change.
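The two cookie causes above (the Secure flag and the cookie domain) can be checked against a captured Set-Cookie header with the following added example; it is not part of the article or of AM, and the cookie name, value and hostnames are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed Set-Cookie headers standing in for AM's session cookie; the name,
# value and hostnames are placeholders, not taken from the article.
FQDN_SECURE = "SESSION=abc123; Domain=openam.example.com; Path=/; Secure; HttpOnly"
PARENT_DOMAIN = "SESSION=abc123; Domain=example.com; Path=/; Secure; HttpOnly"
WRONG_DOMAIN = "SESSION=abc123; Domain=other.example.com; Path=/; HttpOnly"


def parse_set_cookie(header):
    """Return (name, value, attrs) where attrs keys are lower-cased attribute names."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, value, attrs


def domain_matches(request_host, cookie_domain):
    """RFC 6265 domain-match: host equals the domain or is a subdomain of it."""
    host = request_host.lower()
    domain = cookie_domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)


def browser_returns_cookie(set_cookie_header, login_url):
    """Decide whether a browser would send this cookie back on login_url.

    Returns (sent, reason). Mirrors the two failure modes in the article: a
    cookie whose Domain does not match the AM host is rejected when it is set,
    and a Secure cookie is never sent over plain HTTP.
    """
    url = urlsplit(login_url)
    name, _, attrs = parse_set_cookie(set_cookie_header)
    host = url.hostname or ""
    # Without a Domain attribute the cookie is host-only, i.e. bound to the FQDN.
    cookie_domain = attrs.get("domain") or host
    if not domain_matches(host, cookie_domain):
        return False, f"Domain={cookie_domain} does not match host {host}; cookie rejected"
    if "secure" in attrs and url.scheme != "https":
        return False, f"{name} is Secure but {url.scheme}:// is not HTTPS; cookie withheld"
    return True, f"{name} is sent to {host} over {url.scheme}"
```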

Authentication chain

If you have created a new authentication chain, set it as the default for the top level realm and use a login URL such as:

The amAdmin user cannot log in as this URL format (am/XUI/#login) directs them to the authentication chain specified in the Organization Authentication Configuration setting. The amAdmin user needs to log in via the DataStore module.


The solution depends on the cause:

Install or upgrade

Secure cookies

You can either use a secured HTTPS connection to access AM or disable Secure cookies as detailed in: Login to AM (All versions) fails with valid username/password after enabling Secure cookies.

Cookie domain

You should ensure the cookie domain is set to the full FQDN of the server. If you have a site configuration, you should use the FQDN of the first server in your deployment.

See Platform for further information on setting the cookie domain.

Authentication chain

You should force the amAdmin user to log in to the AM admin UI using one of the following URLs:

  • Append the login URL with the adminconsoleservice service, for example: The adminconsoleservice service uses the authentication chain defined for the administrator (Administrator Authentication Configuration).
  • Append the login URL with the DataStore module, for example:
  • AM 6.x: Use the am/console URL, for example:

If you changed the default authentication chain in the top level realm by mistake, you can use one of the above URLs to log in and revert the authentication chain.

See Also

FAQ: Users in AM

Administrator and user accounts in AM

Core authentication attributes

Configure authentication chains

Related Issue Tracker IDs

OPENAM-10383 (Validation of External CTS store using OpenAM GUI)

Copyright and Trademarks Copyright © 2023 ForgeRock, all rights reserved.