June 7, 2016 at 7:32 pm #11059 lblackwood Participant
I’ve upgraded from OpenAM 10.0.2 to 13. When logging in, the user is sent back to the Login screen; application behaviour and OpenAM logs suggest the authentication was successful. However, OpenAM responds with a redirect to the Login URL (the custom login URL has been defined in OpenAM config).
I can see errors in the Session log:
“Invalid session ID, Site ID “02” either points to a non-existent server, or to a site”.
On login the request is made to /openam/UI/Login, the response has the amlbcookie with “02” value set. The only configuration of this value I can find (ou=com-sun-identity-servers…sunKeyValue: serverconfig=com.iplanet.am.lbcookie.value=01). I can’t see where this value of “02” is coming from. I believe it was 01 before the upgrade, all servers without this upgrade applied return 01.
From the amAuthentication.access I can see both the messages “Login Success|module_instance|Application|isNoSession=false” and “Logout|module_instance|Application”. Could it be I am being successfully logged in, then immediately logged out? The same action on servers without the upgrade does not log any such logout messages.
Any pointers to additional configuration that is required after such an upgrade that I have missed and would potentially cause this issue would be much appreciated.
Thanks

June 20, 2016 at 9:36 am #11392 Peter Major Moderator
Not really sure what’s going on. Have you changed anything in your environment after the upgrade? Fiddling around with servers and sites would explain why you are getting that error message. The log snippet you provided could just as well be an OAuth2 client authentication for all we know (in which case such a log would be expected).
Can you provide more detail on what exactly is going on? Are you using the XUI or not?

June 20, 2016 at 6:02 pm #11411 lblackwood Participant
Hi Peter, thanks for your reply. I’ve actually just resolved the issue; however, my understanding is not totally clear.
‘Fiddling around with the server and sites’ was what was required. I had a site with a single server; as it was one-to-one, the site was redundant (I have since got ForgeRock support, who offered this explanation). Removing the site fixed the problem.
Without the site in the config the amlbcookie value returned to 01 and logins were successful. This also seemed to resolve an issue with the policy agent failing to initialise.
I’m not quite sure why adding the single server to a site caused this issue, since it didn’t cause any issue before. But removing it has solved the problem.