Login to AM console (All versions) fails for amAdmin user
The purpose of this article is to provide assistance if login to the AM console fails for the amAdmin user. The amAdmin user is stored in the configuration data store rather than the user data store.
3 readers recommend this article
Symptoms
The amAdmin user cannot log into the console. You may see one of the following errors when you try to log in depending on the root cause:
Browser
One of the following error(s) is shown in the browser, even though your credentials are correct:
User name/password combination is invalid. Login/password combination is invalid. Authentication service is not initialized. Contact your system administrator. Unable to login to OpenAM Service Unavailable The service is currently unavailable. It may be temporarily overloaded or under going maintenance. Please try again later.Authentication debug log
The following error is shown in your Authentication debug log; no error is shown in the browser:
amAuth:12/15/2016 09:27:03:209 AM UTC: Thread[http-nio-8080-exec-8,5,main] LoginState: getting identity Got IdRepException in IdUtils.getIdentity Message:Illegal universal identifier amAdmin.Session debug log
The following error is shown in your Session debug log and an authentication failed error may also be seen in the browser:
CTS: Operation failed: Result Code: Object Class Violation Diagnostic Message: Entry coreTokenId=-3581527715699050299,ou=famrecords,ou=openam-session,ou=tokens,dc=example,dc=com violates the Directory Server schema configuration because it includes attribute coreTokenMultiString01 which is not allowed by any of the objectclasses defined in that entry Matched DN: at org.forgerock.openam.cts.impl.LdapAdapter.create(LdapAdapter.java:110) at org.forgerock.openam.sm.datalayer.impl.tasks.CreateTask.performTask(CreateTask.java:48) at org.forgerock.openam.sm.datalayer.api.AbstractTask.execute(AbstractTask.java:41) at org.forgerock.openam.sm.datalayer.impl.SeriesTaskExecutor$AuditRequestContextPropagatingTask.execute(SeriesTaskExecutor.java:209) at org.forgerock.openam.sm.datalayer.impl.SimpleTaskExecutor.execute(SimpleTaskExecutor.java:59) at org.forgerock.openam.sm.datalayer.impl.SeriesTaskExecutorThread.run(SeriesTaskExecutorThread.java:85)Recent Changes
Installed AM or upgraded to a later version.
Created a new authentication chain and set it as the default for the top level realm.
Enabled secure cookies.
Changed the default cookie domain.
Causes
The cause varies depending on what recent changes you have made:
Install or upgrade
When installing or upgrading to AM 5.x or 6 from a previous version, missing schemas for the external CTS will prevent you from logging in (and you will see the CTS: Operation failed error in the Session debug log). This is not an issue in AM 6.5 and later because of setup profiles.
Additionally, because the Core Token Service (CTS) token store is the authoritative source for sessions, the amAdmin user will not be able to log into the console if the CTS store is down or misconfigured. There is an RFE to address the misconfiguration aspect: OPENAM-10383 (Validation of External CTS store using OpenAM GUI).
Authentication chain
If you have created a new authentication chain, set it as the default for the top level realm and use a login URL such as:
http://host1.example.com:8080/openam/XUI/#loginThe amAdmin user cannot log in as this URL format (openam/XUI/#login) directs them to the authentication chain specified in the Organization Authentication Configuration setting. The amAdmin user needs to log in via the DataStore module.
Secure cookies
If you have enabled AM to set cookies in secure mode, the browser will only return the session cookie if a secure protocol such as HTTPS is used; the cookie will not be returned over non-SSL connections. Although you have successfully authenticated, the cookie containing the session token is not passed to AM, which prevents login from succeeding.
Cookie domain
The cookie domain defaults to the full FQDN. Login will not succeed unless the cookie domain is set correctly.
See FAQ: Cookies in AM (Q. What does the cookie domain default to?) for further information about this change.
Solution
The solution depends on the cause:
Install or upgrade
- Import the following schemas after installing or upgrading to AM 5.x or 6:
cts-add-multivalue.ldifandcts-add-multivalue-indices.ldif. See Installation Guide › CTS Installation Script for a sample install script that imports these schemas. - Ensure the CTS store is up and running.
- Use ssoadm to make changes if the external CTS is misconfigured and preventing access; see How do I configure an external CTS token store in AM (All versions) using Amster or ssoadm? for further information.
Authentication chain
You should force the amAdmin user to log in to the console (/openam/console) using one of the following URLs:
- Use the /openam/console URL, for example: http://host1.example.com:8080/openam/console
- Append the login URL with the DataStore module, for example: http://host1.example.com:8080/openam/XUI/#login/&module=DataStore
- Append the login URL with the adminconsoleservice service, for example: http://host1.example.com:8080/openam/XUI/#login/&service=adminconsoleserviceThe adminconsoleservice service uses the authentication chain defined for the administrator (Administrator Authentication Configuration).
If you changed the default authentication chain in the top level realm by mistake, you can use one of the above URLs to log in and revert the authentication chain.
Secure cookies
You can either use a secured HTTPS connection to access AM or disable Secure cookies as detailed in: Login to AM (All versions) fails with valid username/password after enabling Secure cookies.
Cookie domain
You should ensure the cookie domain is set to the full FQDN of the server. If you have a site configuration, you should use the FQDN of the first server in your deployment.
See Reference › Platform for further information on setting the cookie domain.
See Also
Administrator and user accounts in AM
Authentication and Single Sign-On Guide › Core Authentication Attributes
Authentication and Single Sign-On Guide › Configuring Authentication Chains
Related Training
N/A
Related Issue Tracker IDs
OPENAM-11398 (OpenAM ACI installation instruction does not work for OpenDJ productionMode)
OPENAM-10383 (Validation of External CTS store using OpenAM GUI)