OpenAM 13 login fails with User name/password combination is invalid error if you use host-based cookies

Last updated Jan 5, 2021

The purpose of this article is to provide assistance if you cannot log into OpenAM 13 with any users, including amadmin, and receive a "User name/password combination is invalid" error even though your credentials are correct. This issue only occurs when you use host-based cookies and are using the XUI interface.

1 reader recommends this article

This article has been archived and is no longer maintained by ForgeRock.


The following error is shown in the browser when you attempt to log in, even though your credentials are correct:

User name/password combination is invalid.

Logging in using the Classic UI works, although this UI is deprecated in OpenAM 13.

The following cookie domains property value is shown if you call the /openam/json/serverinfo endpoint:

{"domains":[], ...

The cookie domains list is returned without a value.

Recent Changes

Upgraded to, or installed OpenAM 13.

Switched from using the Classic UI to the XUI.

Configured OpenAM to use host-based cookies rather than domain cookies.


The empty cookie domains server property prevents the iPlanetDirectoryPro cookie being set, which prevents the login succeeding. This cookie domains property is incorrectly set when host-based cookies are used in the XUI; it should show as follows with double quotes when empty, which allows the iPlanetDirectoryPro cookie to be set: 

{"domains":[""], ...


This issue can be resolved by upgrading to OpenAM 13.5 or later; you can download this from BackStage.


Alternatively, this issue can be resolved by setting the cookie domains to "" using the following ssoadm command:

$ ./ssoadm set-attr-defs -s iPlanetAMPlatformService -t Global -u [adminID] -f [passwordfile] -a iplanet-am-platform-cookie-domains=""

replacing [adminID] and [passwordfile] with appropriate values.


You must restart the web application container in which OpenAM runs to apply these configuration changes. 

See Also

Best practice for upgrading to OpenAM 13.x

Best practice for upgrading to OpenAM 12.x

Authentication fails in OpenAM 13.0 with an AuthId JWT Signature not valid error

Related Training


Related Issue Tracker IDs

OPENAM-5264 (Can't login to OpenAM with no cookies set in the platform service)

Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.