Wednesday, March 13, 2013

Invalid Credential when Add to Existing Deployment - Part III

In my previous post, I talked about still hitting the same "Failed to create new Authentication Context: null" error even though I had followed the instruction to switch to the "adminconsoleservice" login.

org.apache.jasper.JasperException: An exception occurred processing JSP page /getServerInfo.jsp at line 76

73:
74: AuthContext lc = new AuthContext("/");
75: //AZLABS lc.login();
76: lc.login(AuthContext.IndexType.SERVICE, "adminconsoleservice");
77: while (lc.hasMoreRequirements()) {
78: Callback[] callbacks = lc.getRequirements();
79: ArrayList missing = new ArrayList();


So, I spent some time yesterday investigating why.


First, I tested manually through the UI at .../openam/UI/Login?service=adminconsoleservice.

Bingo!

It is obvious why the Authentication Context is null: the administrative account "amadmin" is used during configuration, but the login page presents the Active Directory authentication module, so "amadmin" can never log in through it.

So, this has to be fixed.

With the same URL .../openam/UI/Login?service=adminconsoleservice, the following UI (the DataStore login form) has to be shown for the amended code to work.




At first, however, I did not know what had gone wrong with the initial configuration, and it took me quite a while to find out. It has to do with how the Organization Authentication Configuration and the Administrator Authentication Configuration are arranged.


In fact, I had not changed either of them; both are at their default values.




What I had changed, however, is the ldapService chain under Authentication Chaining.

I had switched its default instance from DataStore to the AZAD instance, so that all users authenticate through Microsoft Active Directory by default. An administrator then has to append module=DataStore to the login URL manually: .../openam/UI/Login?module=DataStore.


This turned out to be the root cause!

What's the workaround?

Step 1: Create a new Authentication service - azService.


Step 2: Choose AZAD as the default instance.



Step 3: Switch the Authentication service ldapService back to the DataStore instance.



Step 4: Now comes the important step. Change the Organization Authentication Configuration from ldapService to azService.


Test the URL .../openam/UI/Login?service=adminconsoleservice again. Now the UI is what I expected!
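To make the chain resolution behind the root cause and the four-step workaround concrete, here is a small Python model. It is an added example, not OpenAM's code and not from the original post. It assumes that a login with ?service=adminconsoleservice resolves to the chain named in the Administrator Authentication Configuration, that a login with no parameter resolves to the chain named in the Organization Authentication Configuration, that ?module=X goes straight to that module instance, and that the account-to-module mapping (amadmin and demo in DataStore, alice behind AZAD) is constructed for the illustration.

```python
"""Model of how an OpenAM realm picks the authentication chain for a login.

Constructed illustration, not OpenAM code. Labelled assumptions:
  - ?module=X                     -> module instance X is used directly;
  - ?service=adminconsoleservice  -> the chain named in the Administrator
                                     Authentication Configuration;
  - any other ?service=Y          -> the chain named Y;
  - no parameter                  -> the chain named in the Organization
                                     Authentication Configuration;
  - which accounts each module instance can authenticate is constructed data.
"""
from dataclasses import dataclass, field

ADMIN_SERVICE = "adminconsoleservice"
ADMIN_USER = "amadmin"


@dataclass
class RealmAuthConfig:
    chains: dict            # chain (service) name -> ordered module instance names
    org_config: str         # Organization Authentication Configuration
    admin_config: str       # Administrator Authentication Configuration
    module_accounts: dict = field(default_factory=dict)  # module -> users it knows


def resolve_chain(cfg, service=None, module=None):
    """Return the ordered list of module instances a login request will reach."""
    if module is not None:
        return [module]
    if service is None:
        return list(cfg.chains[cfg.org_config])
    if service == ADMIN_SERVICE:
        return list(cfg.chains[cfg.admin_config])
    return list(cfg.chains[service])


def can_login(cfg, user, service=None, module=None):
    """True if at least one module in the resolved chain can authenticate `user`."""
    return any(user in cfg.module_accounts.get(m, set())
               for m in resolve_chain(cfg, service, module))


def audit(cfg):
    """Flag the two conditions behind the 'Authentication Context: null' failure."""
    findings = []
    admin_chain = cfg.chains[cfg.admin_config]
    if not can_login(cfg, ADMIN_USER, service=ADMIN_SERVICE):
        findings.append(
            f"admin chain '{cfg.admin_config}' {admin_chain} cannot authenticate {ADMIN_USER}")
    if cfg.org_config == cfg.admin_config:
        findings.append(
            f"organization and administrator configurations share chain '{cfg.org_config}'; "
            "pointing it at Active Directory for end users also changes admin login")
    return findings


# Constructed account data: amadmin and a local test user live in the DataStore;
# an AD user is only known to the AZAD (Active Directory) module instance.
ACCOUNTS = {"DataStore": {ADMIN_USER, "demo"}, "AZAD": {"alice"}}

# The configuration that produced the error: ldapService toggled to AZAD while
# both Organization and Administrator configurations still pointed at ldapService.
BROKEN = RealmAuthConfig(
    chains={"ldapService": ["AZAD"]},
    org_config="ldapService",
    admin_config="ldapService",
    module_accounts=ACCOUNTS,
)

# The workaround from steps 1-4: new azService with AZAD as default instance,
# ldapService back to DataStore, Organization configuration moved to azService.
FIXED = RealmAuthConfig(
    chains={"ldapService": ["DataStore"], "azService": ["AZAD"]},
    org_config="azService",
    admin_config="ldapService",
    module_accounts=ACCOUNTS,
)

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(name,
              "| admin via adminconsoleservice:", can_login(cfg, ADMIN_USER, service=ADMIN_SERVICE),
              "| AD user via default chain:", can_login(cfg, "alice"),
              "| findings:", audit(cfg))
```

In the broken configuration the admin login resolves to [AZAD] and amadmin only gets in by forcing module=DataStore, which is exactly the manual workaround described above; after the fix the admin chain resolves to [DataStore] while the realm default still sends ordinary users to Active Directory. The audit() check is the one worth running before touching a default chain: it flags an administrator chain that cannot authenticate amadmin, which is what the Configurator wizard was tripping over.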



And of course, the OpenAM Configurator wizard is no longer complaining. Happy!





