Wednesday, March 13, 2013

Invalid Credential when Add to Existing Deployment - Part III

In my previous post, I talked about encountering the same "Failed to create new Authentication Context: null" error even though I had followed the instruction to change the login to the "adminconsoleservice" service.

org.apache.jasper.JasperException: An exception occurred processing JSP page /getServerInfo.jsp at line 76 

74: AuthContext lc = new AuthContext("/"); 
75: //AZLABS lc.login(); 
76: lc.login(AuthContext.IndexType.SERVICE, "adminconsoleservice"); 
77: while (lc.hasMoreRequirements()) { 
78: Callback[] callbacks = lc.getRequirements(); 
79: ArrayList missing = new ArrayList(); 
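To make the failure mode concrete, here is a stand-alone client that completes the login loop the JSP fragment above only begins. This is an added example, not code from the post or from OpenAM itself; it uses the OpenAM client SDK classes the fragment already references (AuthContext, IndexType.SERVICE, the Callback loop), and the realm "/", the service name "adminconsoleservice", the user "amadmin" and the password argument are assumptions.

```java
// Added example (not from the original post). Assumes the OpenAM client SDK is on the
// classpath and that AMConfig.properties points at the server; realm, service and
// user are assumed values taken from the post.
import com.sun.identity.authentication.AuthContext;
import com.iplanet.sso.SSOToken;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;

public class AdminConsoleLogin {

    /** Runs the named authentication service (chain) and returns the SSO token, or null on failure. */
    static SSOToken login(String realm, String service, String user, char[] password) throws Exception {
        AuthContext lc = new AuthContext(realm);
        // Same call as line 76 of getServerInfo.jsp: authenticate against a named
        // service (chain), not a specific module instance.
        lc.login(AuthContext.IndexType.SERVICE, service);

        while (lc.hasMoreRequirements()) {
            Callback[] callbacks = lc.getRequirements();
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(user);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);
                } else {
                    // Any other callback means the service resolved to a chain this client
                    // was not written for; surface that rather than submitting blindly.
                    throw new IllegalStateException("Unexpected callback: " + cb.getClass().getName());
                }
            }
            lc.submitRequirements(callbacks);
        }

        if (lc.getStatus() == AuthContext.Status.SUCCESS) {
            return lc.getSSOToken();
        }
        // This is where amadmin fails when the chain behind the service is the AD module:
        // the context is created fine, the credentials are just rejected by the wrong backend.
        System.err.println("Login failed: " + lc.getErrorMessage() + " (" + lc.getErrorCode() + ")");
        return null;
    }

    public static void main(String[] args) throws Exception {
        // Assumed usage: the amadmin password is passed as the first argument.
        SSOToken token = login("/", "adminconsoleservice", "amadmin", args[0].toCharArray());
        System.out.println(token != null
                ? "Authenticated as " + token.getPrincipal().getName()
                : "Not authenticated");
    }
}
```

Run it once against the default configuration and once after the workaround in the steps below to see the same call succeed or fail purely on which module instance the service's chain resolves to.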

So, I spent some time yesterday to investigate why.

First, I started by manually testing via the UI using .../openam/UI/Login?service=adminconsoleservice.


It's very obvious why the Authentication Context is null. The administrative account "amadmin" is used during configuration, so if the service presents an Active Directory Authentication module, the "amadmin" user is never going to be able to log in.

So, this has to be fixed. 

With the same URL .../openam/UI/Login?service=adminconsoleservice, the following UI has to be shown in order for the amended code to work.

However, at first I did not know what had gone wrong with the initial configuration. It took me quite a while to discover. It has to do with how the Organization and Administrator Authentication configurations are arranged.

In fact, I have not made any change to it. It comes by default.

What I have changed, however, is the ldapService in Authentication Chaining.

I have toggled the default DataStore instance to the AZAD instance. This is to allow all users to authenticate via Microsoft Active Directory by default. An administrator has to manually append module=DataStore to the URL - .../openam/UI/Login?module=DataStore.

I found out that this is the root cause!

What's the workaround?

Step 1: Create a new Authentication service - azService.

Step 2: Choose AZAD as the default instance.

Step 3: Toggle back to DataStore instance for Authentication service - ldapService.

Step 4: Now, this is the important step. Change Organization Authentication Configuration from ldapService to azService.

Test accessing the URL .../openam/UI/Login?service=adminconsoleservice again. Now the UI is what I am expecting!

And of course, the OpenAM Configurator wizard is no longer complaining now. Happy!

