ForgeRock Identity Platform
Does not apply to Identity Cloud

Login to AM console (All versions) fails for amAdmin user

Last updated May 10, 2022

The purpose of this article is to provide assistance if login to the AM console fails for the amAdmin user. The amAdmin user is stored in the configuration data store rather than the user data store.

3 readers recommend this article


The amAdmin user cannot log into the console. You may see one of the following errors when you try to log in depending on the root cause:


One of the following error(s) is shown in the browser, even though your credentials are correct:

User name/password combination is invalid. Login/password combination is invalid. Authentication service is not initialized. Contact your system administrator. Unable to login to OpenAM Service Unavailable The service is currently unavailable. It may be temporarily overloaded or under going maintenance. Please try again later.

Authentication debug log

The following error is shown in your Authentication debug log; no error is shown in the browser:

amAuth:12/15/2016 09:27:03:209 AM UTC: Thread[http-nio-8080-exec-8,5,main] LoginState: getting identity Got IdRepException in IdUtils.getIdentity  Message:Illegal universal identifier amAdmin.

Session debug log

The following error is shown in your Session debug log and an authentication failed error may also be seen in the browser:

CTS: Operation failed: Result Code: Object Class Violation Diagnostic Message: Entry coreTokenId=-3581527715699050299,ou=famrecords,ou=openam-session,ou=tokens,dc=example,dc=com violates the Directory Server schema configuration because it includes attribute coreTokenMultiString01 which is not allowed by any of the objectclasses defined in that entry Matched DN:    at org.forgerock.openam.cts.impl.LdapAdapter.create(    at    at    at$AuditRequestContextPropagatingTask.execute(    at    at

Recent Changes

Installed AM or upgraded to a later version.

Created a new authentication chain and set it as the default for the top level realm.

Enabled secure cookies.

Changed the default cookie domain.


The cause varies depending on what recent changes you have made:

Install or upgrade

When installing or upgrading to AM 5.x or 6 from a previous version, missing schemas for the external CTS will prevent you from logging in (and you will see the CTS: Operation failed error in the Session debug log). This is not an issue in AM 6.5 and later because of setup profiles.

Additionally, because the Core Token Service (CTS) token store is the authoritative source for sessions, the amAdmin user will not be able to log into the console if the CTS store is down or misconfigured. There is an RFE to address the misconfiguration aspect: OPENAM-10383 (Validation of External CTS store using OpenAM GUI).

Authentication chain

If you have created a new authentication chain, set it as the default for the top level realm and use a login URL such as:

The amAdmin user cannot log in as this URL format (openam/XUI/#login) directs them to the authentication chain specified in the Organization Authentication Configuration setting. The amAdmin user needs to log in via the DataStore module.

Secure cookies

If you have enabled AM to set cookies in secure mode, the browser will only return the session cookie if a secure protocol such as HTTPS is used; the cookie will not be returned over non-SSL connections. Although you have successfully authenticated, the cookie containing the session token is not passed to AM, which prevents login from succeeding.

Cookie domain

The cookie domain defaults to the full FQDN. Login will not succeed unless the cookie domain is set correctly.

See FAQ: Cookies in AM (Q. What does the cookie domain default to?) for further information about this change.


The solution depends on the cause:

Install or upgrade

Authentication chain

You should force the amAdmin user to log in to the console (/openam/console) using one of the following URLs:

  • Use the /openam/console URL, for example:
  • Append the login URL with the DataStore module, for example:
  • Append the login URL with the adminconsoleservice service, for example: adminconsoleservice service uses the authentication chain defined for the administrator (Administrator Authentication Configuration).

If you changed the default authentication chain in the top level realm by mistake, you can use one of the above URLs to log in and revert the authentication chain.

Secure cookies 

You can either use a secured HTTPS connection to access AM or disable Secure cookies as detailed in: Login to AM (All versions) fails with valid username/password after enabling Secure cookies.

Cookie domain

You should ensure the cookie domain is set to the full FQDN of the server. If you have a site configuration, you should use the FQDN of the first server in your deployment.

See Platform for further information on setting the cookie domain.

See Also

FAQ: Users in AM

Administrator and user accounts in AM

Core Authentication Attributes

Configuring Authentication Chains

Related Training


Related Issue Tracker IDs

OPENAM-11398 (OpenAM ACI installation instruction does not work for OpenDJ productionMode)

OPENAM-10383 (Validation of External CTS store using OpenAM GUI)

Copyright and Trademarks Copyright © 2022 ForgeRock, all rights reserved.