Cannot send notification to IIS Policy Agents 3.3.0 and 3.3.1 when SSL offloading is enabled for load balancer

Last updated Jan 5, 2021

The purpose of this article is to provide assistance if OpenAM fails to send notifications to the IIS6 and IIS7 Web Policy Agents 3.3.0 and 3.3.1 with a SendNotificationException: "Send notification failed". This issue occurs when SSL offloading is done at the load balancer, that is, the load balancer is in front of the policy agent.

1 reader recommends this article

This article has been archived and is no longer maintained by ForgeRock.


The following error is shown in the CoreSystem log:

amComm:02/23/205 08:24:33:557 AM GMT: Thread[amSession,5,main] ERROR: Cannot send notification to Send notification failed. at at at com.iplanet.dpro.session.service.SessionService$ at$

The following error is shown in the amAgent log (when logging level is set to Message or ALL) indicating that the notification URL is incorrect:

2015-02-23 08:24:12.812 MaxDebug 1928:1ec6da0 all: am_web_is_notification(): is not notification url

Recent Changes

Enabled SSL offloading at the load balancer.


The com.sun.identity.agents.config.override.notification.url property is ignored by the IIS6 and IIS7 Web policy agents, which causes the notification URL to be overridden regardless of this setting. Additionally, the notification URL is incorrectly changed by the Web policy agent, which causes the notifications to fail.


This issue can be resolved by upgrading to Web Policy Agents 3.3.2 or later; you can download this from BackStage.

See Also

How do I enable debug logging for troubleshooting Agents (All versions)?

Related Training


Related Issue Tracker IDs

OPENAM-3375 (IIS6 notification mode does not work if SSL offloading is done at a loadbalancer)

Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.