Login to AM admin UI (All versions) fails for amAdmin user

Last updated Jan 16, 2023

The purpose of this article is to provide assistance if login to the AM admin UI fails for the amAdmin user. The amAdmin user is stored in the configuration data store rather than the user data store.

3 readers recommend this article

Symptoms

The amAdmin user cannot log into the AM admin UI. You may see one of the following errors when you try to log in depending on the root cause:

Browser

One of the following error(s) is shown in the browser, even though your credentials are correct:

User name/password combination is invalid. Login/password combination is invalid. Authentication service is not initialized. Contact your system administrator. Unable to login to OpenAM Service Unavailable The service is currently unavailable. It may be temporarily overloaded or under going maintenance. Please try again later.

Authentication debug log

The following error is shown in your Authentication debug log; no error is shown in the browser:

amAuth:12/15/2016 09:27:03:209 AM UTC: Thread[http-nio-8080-exec-8,5,main] LoginState: getting identity Got IdRepException in IdUtils.getIdentity Message:Illegal universal identifier amAdmin.

Session debug log

The following error is shown in your Session debug log and an authentication failed error may also be seen in the browser:

CTS: Operation failed: Result Code: Object Class Violation Diagnostic Message: Entry coreTokenId=-3581527715699050299,ou=famrecords,ou=openam-session,ou=tokens,dc=example,dc=com violates the Directory Server schema configuration because it includes attribute coreTokenMultiString01 which is not allowed by any of the objectclasses defined in that entry Matched DN: at org.forgerock.openam.cts.impl.LdapAdapter.create(LdapAdapter.java:110) at org.forgerock.openam.sm.datalayer.impl.tasks.CreateTask.performTask(CreateTask.java:48) at org.forgerock.openam.sm.datalayer.api.AbstractTask.execute(AbstractTask.java:41) at org.forgerock.openam.sm.datalayer.impl.SeriesTaskExecutor$AuditRequestContextPropagatingTask.execute(SeriesTaskExecutor.java:209) at org.forgerock.openam.sm.datalayer.impl.SimpleTaskExecutor.execute(SimpleTaskExecutor.java:59) at org.forgerock.openam.sm.datalayer.impl.SeriesTaskExecutorThread.run(SeriesTaskExecutorThread.java:85)

Recent Changes

Installed AM or upgraded to a later version.

Enabled secure cookies.

Changed the default cookie domain.

Created a new authentication chain and set it as the default for the top level realm.

Causes

The cause varies depending on what recent changes you have made:

Install or upgrade

When installing or upgrading to AM 6 from a previous version, missing schemas for the external CTS will prevent you from logging in (and you will see the CTS: Operation failed error in the Session debug log). This is not an issue in AM 6.5 and later because of setup profiles.

Additionally, because the Core Token Service (CTS) token store is the authoritative source for sessions, the amAdmin user will not be able to log into the admin UI if the CTS store is down or misconfigured. There is an RFE to address the misconfiguration aspect: OPENAM-10383 (Validation of External CTS store using OpenAM GUI).

Secure cookies

If you have enabled AM to set cookies in secure mode, the browser will only return the session cookie if a secure protocol such as HTTPS is used; the cookie will not be returned over non-SSL connections. Although you have successfully authenticated, the cookie containing the session token is not passed to AM, which prevents the login from succeeding.

Cookie domain

The cookie domain defaults to the full FQDN. Login will not succeed unless the cookie domain is set correctly.

See FAQ: Cookies in AM (Q. What does the cookie domain default to?) for further information about this change.

Authentication chain

If you have created a new authentication chain, set it as the default for the top level realm and use a login URL such as:

https://am.example.com:8443/am/XUI/#login

The amAdmin user cannot log in as this URL format (am/XUI/#login) directs them to the authentication chain specified in the Organization Authentication Configuration setting. The amAdmin user needs to log in via the DataStore module.

Solution

The solution depends on the cause:

Install or upgrade

Import the following schemas after installing or upgrading to AM 6: cts-add-multivalue.ldif and cts-add-multivalue-indices.ldif. See CTS Installation Script for a sample install script that imports these schemas.
Ensure the CTS store is up and running.
Use ssoadm to make changes if the external CTS is misconfigured and preventing access; see How do I configure an external CTS token store in AM (All versions) using Amster or ssoadm? for further information.

Append the login URL with the adminconsoleservice service, for example: https://am.example.com:8443/am/XUI/#login/&service=adminconsoleserviceThe adminconsoleservice service uses the authentication chain defined for the administrator (Administrator Authentication Configuration).
Append the login URL with the DataStore module, for example: https://am.example.com:8443/am/XUI/#login/&module=DataStore
AM 6.x: Use the am/console URL, for example: https://am.example.com:8443/am/console

If you changed the default authentication chain in the top level realm by mistake, you can use one of the above URLs to log in and revert the authentication chain.

Related Training

N/A

Related Issue Tracker IDs

OPENAM-10383 (Validation of External CTS store using OpenAM GUI)